Disappearing Memory

johnb35

Administrator
Staff member
I'm not sure why no files are showing up for you. Your ComboFix log shows at least 3 files.

c:\windows\system64\services.exe
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
c:\windows\system32\services.exe

Try this. Upload this file to www.virustotal.com

c:\windows\system64\services.exe

And post the results link in your next reply. I may have to send you my copy of the file so we can replace it.
 

Greecian

New Member
Analysis

Agnitum 20130422
AhnLab-V3 Trojan/Win64.ZAccess 20130422
AntiVir W32/Patched.UA 20130423
Antiy-AVL Virus/Win64.ZAccess.gen 20130423
Avast Win32:patched-AKC [Trj] 20130423
AVG Patched_c.MIS 20130423
BitDefender Trojan.Patched.Sirefef.B 20130423
ByteHero 20130418
CAT-QuickHeal Trojan.Agent.WD.cw6 20130423
ClamAV Trojan.Sirefef-427 20130423
Commtouch W64/Sirefef.SPBP-9389 20130423
Comodo TrojWare.Win32.UMal.~A 20130423
Emsisoft Trojan.Patched.Sirefef.B (B) 20130423
eSafe Win32.Trojan 20130418
ESET-NOD32 Win64/Patched.B.Gen 20130422
F-Prot W64/Sirefef.J 20130423
F-Secure Virus:W64/ZeroAccess.B 20130423
Fortinet W32/ZAccInf.B!tr 20130423
GData Trojan.Patched.Sirefef.B 20130423
Ikarus Virus.Win64 20130423
Jiangmin 20130423
K7AntiVirus Trojan 20130422
K7GW Trojan 20130422
Kingsoft 20130422
Malwarebytes 20130423
Microsoft Virus:Win64/Sirefef.B 20130423
MicroWorld-eScan 20130423
NANO-Antivirus 20130423
Norman ZAccess.KZJ 20130422
nProtect 20130423
Panda W64/SirefefP 20130422
PCTools Trojan.Zeroaccess 20130423
SUPERAntiSpyware 20130423
TheHacker 20130422
TotalDefense Win32/Zaccess.ES 20130422
VBA32 20130422
VIPRE Win32.Malware!Drop 20130423
ViRobot 20130423

Additional Info:

ssdeep
6144:ajUy3rjJE4qxzgv7uWMNS4j7fwLQTha06H0NhsZevKa/2LI+hBm:ajUyhE4q5gD6N56H0A4oI+h
TrID
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ExifTool

SubsystemVersion.........: 6.1
InitializedDataSize......: 77824
ImageVersion.............: 6.1
ProductName..............: Microsoft Windows Operating System
FileVersionNumber........: 6.1.7600.16385
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 9.0
OriginalFilename.........: services.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp................: 2009:07:14 00:19:42+01:00
FileType.................: Win64 EXE
PEType...................: PE32+
InternalName.............: services.exe
FileAccessDate...........: 2013:04:23 07:20:48+01:00
ProductVersion...........: 6.1.7600.16385
FileDescription..........: Services and Controller app
OSVersion................: 6.1
FileCreateDate...........: 2013:04:23 07:20:48+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: AMD AMD64
CompanyName..............: Microsoft Corporation
CodeSize.................: 248832
FileSubtype..............: 0
ProductVersionNumber.....: 6.1.7600.16385
EntryPoint...............: 0x13310
ObjectFileType...........: Executable application

Sigcheck

publisher................: Microsoft Corporation
product..................: Microsoft_ Windows_ Operating System
internal name............: services.exe
copyright................: (c) Microsoft Corporation. All rights reserved.
original name............: services.exe.mui
file version.............: 6.1.7600.16385 (win7_rtm.090713-1255)
description..............: Services and Controller app

Portable Executable structural information

Compilation timedatestamp.....: 2009-07-13 23:19:42
Target machine................: x64
Entry point address...........: 0x00013310

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 248509 248832 6.38 9688102d77f5085440b6895d56ac8923
.rdata 253952 39440 39936 4.89 05adbd77b1dc4198a8dc69e5b909dca7
.data 294912 5976 6144 1.09 ee199ecce9c7ffa983c0ec034c034627
.pdata 303104 11148 11264 5.60 923588ae2a9953cfbbcc199f09c005d4
.rsrc 315392 19112 19456 3.82 eea5eddea7de3b1ce12b792ea947e2bd
.reloc 335872 544 1024 3.41 dcec1f82237fe07b2e56bf71193670b9

PE Imports....................:

PE Resources..................:

Resource type Number of resources
RT_MANIFEST 1
WEVT_TEMPLATE 1
MUI 1
RT_VERSION 1

Resource language Number of resources
ENGLISH US 4

Symantec Reputation
Suspicious.Insight
First seen by VirusTotal
2012-06-02 15:43:34 UTC ( 10 months, 3 weeks ago )
Last seen by VirusTotal
2013-03-10 13:11:35 UTC ( 1 month, 2 weeks ago )
File names (max. 25)

services_exe.vir
services.exe1
services.virus
ser
test.exe
services.exe
services.exevr
services_virus.txt
services.exe.vir
services.exe
services.exe.mui
services.exe
services.dll
ZA_services.exe
services.exevr
file-4053669_exe
tsk0000.dta
services.exe.old
backup.exe
$$DeleteMe.services.exe.01cd74e7fe156ea5.0000
services.exe
services(2).exe_
services-ThisIsMalware.exe.RenameMe
services.exe
2.exe
 
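As an added triage example (not code from the thread, from VirusTotal or from ComboFix), the Python below parses the vendor table in the format pasted above, where a vendor that found nothing carries no result token at all, and turns it into the verdict johnb35 draws by eye: the "Patched" labels mean a legitimate system binary was modified in place, so the remediation is replacement with a known-good copy rather than deletion. The sample input is a constructed subset of the pasted table, and the family alias table is an assumption built from the labels that appear in it.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the VirusTotal vendor table as pasted
# in the thread. Each row is "Vendor [Result] YYYYMMDD"; vendors that did not
# detect anything carry no Result token at all.
SAMPLE_REPORT = """\
Analysis

Agnitum 20130422
AhnLab-V3 Trojan/Win64.ZAccess 20130422
AntiVir W32/Patched.UA 20130423
Emsisoft Trojan.Patched.Sirefef.B (B) 20130423
ESET-NOD32 Win64/Patched.B.Gen 20130422
F-Secure Virus:W64/ZeroAccess.B 20130423
Jiangmin 20130423
Microsoft Virus:Win64/Sirefef.B 20130423
Malwarebytes 20130423
"""

DATE_RE = re.compile(r"^\d{8}$")

# Assumed alias table: the names different vendors use for the same family,
# taken from the labels that appear in the thread's report.
FAMILY_ALIASES = {
    "ZeroAccess": ("zeroaccess", "zaccess", "sirefef", "zaccinf"),
}


def parse_vt_table(text):
    """Parse the pasted table into (vendor, result_or_None, date) tuples.

    The vendor is the first token and the date the last; everything between
    is the result, which may contain spaces ("Trojan.Patched.Sirefef.B (B)")
    or be absent entirely when the vendor reported the file clean.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not DATE_RE.match(parts[-1]):
            continue  # heading, blank line or other non-row text
        vendor, date = parts[0], parts[-1]
        result = " ".join(parts[1:-1]) or None
        rows.append((vendor, result, date))
    return rows


def detection_ratio(rows):
    """Return (detections, vendors scanned)."""
    hits = sum(1 for _, result, _ in rows if result)
    return hits, len(rows)


def family_votes(rows):
    """Count how many detecting vendors name each known family."""
    votes = Counter()
    for _, result, _ in rows:
        if not result:
            continue
        label = result.lower()
        for family, aliases in FAMILY_ALIASES.items():
            if any(alias in label for alias in aliases):
                votes[family] += 1
    return votes


def patched_verdicts(rows):
    """Vendors whose label says a legitimate binary was modified in place.

    A "Patched" verdict decides the remediation: the file keeps its original
    version resource (the ExifTool block still names Microsoft), deleting it
    leaves the system without a service controller, and it cannot be
    "cleaned"; it has to be replaced with a known-good copy, which is what
    the CFScript Fcopy:: step in the thread does.
    """
    return [v for v, result, _ in rows if result and "patched" in result.lower()]


def triage(text):
    """Summarise a pasted report into a remediation-oriented verdict."""
    rows = parse_vt_table(text)
    hits, total = detection_ratio(rows)
    patched = patched_verdicts(rows)
    if patched:
        action = "replace with known-good copy"
    elif hits:
        action = "remove"
    else:
        action = "no action"
    return {
        "detections": hits,
        "vendors": total,
        "families": dict(family_votes(rows)),
        "patched_by": patched,
        "action": action,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['detections']}/{summary['vendors']} vendors flagged the file")
    print("families:", summary["families"])
    print("patched verdicts from:", ", ".join(summary["patched_by"]))
    print("recommended action:", summary["action"])
```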

johnb35

Administrator
Staff member
OK. That file is infected, it seems. I'm gonna have you download my copy of the file so we can replace it.

http://www.mediafire.com/?q9957n7q81uh6pt

Click on that link and download it. Save it to the C drive so it would be c:\services.exe

Then do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below

Code:
Killall::

Fcopy::

c:\services.exe | c:\windows\system32\services.exe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript-1.gif]

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

Greecian

New Member
I went through the process. Before I started the process... I had over 12 gigs of space on my HDD, and now that it's finished... I have less than 5 gigs. And now I can't open anything (Firefox, IE, Chrome, iTunes). The error message when I attempt to open iTunes is

"c:\Program Files (x86)\iTunes\iTunes.exe
Illegal operation attempted on a registry key that has been marked for deletion"
 

Greecian

New Member
ComboFix 13-05-15.01 - Gerry 05/15/2013 12:44:26.2.3 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8190.4127 [GMT -4:00]
Running from: c:\users\Gerry\Desktop\ComboFix.exe
Command switches used :: c:\users\Gerry\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\services.exe
c:\users\Gerry\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk
c:\users\Gerry\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
c:\users\gzap\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk
c:\users\gzap\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
c:\users\Test\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk
c:\users\Test\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\SysWow64\frapsvid.dll
c:\windows\TEMP\{29957E12-C8BB-4A3B-B682-A952F5598DC7}\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\DSETUP.dll
c:\windows\TEMP\{29957E12-C8BB-4A3B-B682-A952F5598DC7}\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\dsetup32.dll
c:\windows\TEMP\{29957E12-C8BB-4A3B-B682-A952F5598DC7}\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\DXSETUP.exe
c:\windows\TEMP\{2BE806A2-2C38-497C-9D15-97246A9E795D}\fpb.tmp
c:\windows\TEMP\{D8D8A044-9D9B-4B79-A565-9B21C0C72BD4}\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\_isres_0x0409.dll
c:\windows\TEMP\{D8D8A044-9D9B-4B79-A565-9B21C0C72BD4}\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\_isuser_0x0409.dll
c:\windows\TEMP\{D8D8A044-9D9B-4B79-A565-9B21C0C72BD4}\{92606477-9366-4D3B-8AE3-6BE4B29727AB}\isrt.dll
c:\windows\TEMP\{D8D8A044-9D9B-4B79-A565-9B21C0C72BD4}\dotnetinstaller.exe
c:\windows\TEMP\{D8D8A044-9D9B-4B79-A565-9B21C0C72BD4}\ISBEW64.exe
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\GoogleCrashHandler.exe
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\GoogleCrashHandler64.exe
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\GoogleUpdate.exe
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\GoogleUpdateBroker.exe
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\GoogleUpdateOnDemand.exe
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\GoogleUpdateSetup.exe
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdate.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_am.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ar.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_bg.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_bn.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ca.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_cs.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_da.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_de.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_el.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_en-GB.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_en.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_es-419.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_es.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_et.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_fa.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_fi.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_fil.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_fr.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_gu.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_hi.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_hr.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_hu.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_id.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_is.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_it.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_iw.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ja.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_kn.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ko.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_lt.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_lv.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ml.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_mr.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ms.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_nl.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_no.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_pl.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_pt-BR.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_pt-PT.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ro.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ru.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_sk.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_sl.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_sr.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_sv.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_sw.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ta.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_te.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_th.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_tr.dll
c:\windows\Temp\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_uk.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_ur.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_vi.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_zh-CN.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\goopdateres_zh-TW.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\npGoogleUpdate3.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\psmachine.dll
c:\windows\TEMP\{DE752AEC-AAB4-4695-8249-695FABC6FFBB}\psuser.dll
c:\windows\wininit.ini
.
.
--------------- FCopy ---------------
.
c:\services.exe --> c:\windows\system32\services.exe
.
((((((((((((((((((((((((( Files Created from 2013-04-15 to 2013-05-15 )))))))))))))))))))))))))))))))
.
.
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\Test\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\gzap\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\Guild Wars\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\Gerry\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\djs\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-15 16:59 . 2013-05-15 16:59 -------- d-----w- c:\users\BFBC2\AppData\Local\temp
2013-05-15 14:26 . 2013-05-15 14:26 -------- d-----w- c:\windows\system32\MpEngineStore
2013-05-15 07:03 . 2013-04-05 06:50 19231232 ----a-w- c:\windows\system32\mshtml.dll
2013-05-15 07:03 . 2013-04-05 06:50 15404032 ----a-w- c:\windows\system32\ieframe.dll
2013-05-14 21:44 . 2013-05-14 21:44 -------- d-----w- c:\users\Gerry\AppData\Local\Facebook
2013-05-12 19:59 . 2013-05-12 19:59 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-05-12 19:58 . 2013-05-12 19:57 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-11 18:00 . 2013-05-11 18:00 -------- d-----w- C:\Need for Speed World
2013-05-11 17:48 . 2013-05-11 17:48 -------- d-----w- c:\users\Gerry\AppData\Local\Electronic_Arts_Inc
2013-05-01 14:52 . 2013-05-01 14:52 -------- d-----w- C:\Riot Games
2013-04-28 19:32 . 2013-04-28 19:44 -------- d-----w- c:\users\Gerry\AppData\Roaming\DigitalDJ17
2013-04-28 19:31 . 2013-04-28 19:31 -------- d-----w- c:\program files (x86)\MAGIX
2013-04-24 01:36 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-18 17:53 . 2013-04-18 17:53 -------- d-----w- C:\Yahoo!
2013-04-16 19:07 . 2013-04-16 19:07 -------- d-----w- c:\programdata\Citrix
2013-04-16 19:06 . 2013-04-16 19:06 -------- d-----w- c:\program files (x86)\Citrix
2013-04-16 13:51 . 2013-04-16 13:53 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2013-04-15 20:44 . 2013-04-15 20:45 -------- d-----w- c:\users\Gerry\dwhelper
2013-04-15 19:04 . 2013-04-15 19:05 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-04-15 19:04 . 2013-04-15 19:05 -------- d-----w- c:\program files\iTunes
2013-04-15 19:04 . 2013-04-15 19:05 -------- d-----w- c:\program files (x86)\iTunes
2013-04-15 19:04 . 2013-04-15 19:04 -------- d-----w- c:\program files\iPod
2013-04-15 18:59 . 2013-04-10 06:58 26520 ----a-w- c:\program files (x86)\Mozilla Firefox\plugin-hang-ui.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 14:24 . 2012-07-21 17:25 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-15 07:15 . 2012-05-29 19:50 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-12 20:03 . 2012-04-04 18:10 691592 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-12 20:03 . 2011-11-06 02:08 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-12 19:57 . 2013-01-20 19:42 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-05-12 19:57 . 2012-04-27 20:01 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-04-24 20:00 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2013-04-19 00:15 . 2011-11-06 03:33 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2013-04-19 00:15 . 2011-11-06 00:41 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2013-04-16 03:07 . 2011-11-06 00:41 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2013-04-13 05:49 . 2013-05-15 02:42 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-15 02:42 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-15 02:42 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-15 02:42 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-15 02:42 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 02:42 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-10 07:04 . 2013-04-10 07:04 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-04-10 07:04 . 2013-04-10 07:04 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-04-10 07:04 . 2013-04-10 07:04 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-04-10 07:04 . 2013-04-10 07:04 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-04-10 07:04 . 2013-04-10 07:04 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-04-10 07:04 . 2013-04-10 07:04 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-04-10 07:04 . 2013-04-10 07:04 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-04-10 07:04 . 2013-04-10 07:04 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-04-10 07:04 . 2013-04-10 07:04 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-04-10 07:04 . 2013-04-10 07:04 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-04-10 07:04 . 2013-04-10 07:04 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-04-10 07:04 . 2013-04-10 07:04 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-04-10 07:04 . 2013-04-10 07:04 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-04-10 07:04 . 2013-04-10 07:04 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-04-10 07:04 . 2013-04-10 07:04 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-04-10 07:04 . 2013-04-10 07:04 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-04-10 07:04 . 2013-04-10 07:04 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-04-10 07:04 . 2013-04-10 07:04 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-04-10 07:04 . 2013-04-10 07:04 81408 ----a-w- c:\windows\system32\icardie.dll
2013-04-10 07:04 . 2013-04-10 07:04 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-04-10 07:04 . 2013-04-10 07:04 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-04-10 07:04 . 2013-04-10 07:04 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-04-10 07:04 . 2013-04-10 07:04 441856 ----a-w- c:\windows\system32\html.iec
2013-04-10 07:04 . 2013-04-10 07:04 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-04-10 07:04 . 2013-04-10 07:04 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-10 07:04 . 2013-04-10 07:04 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-04-10 07:04 . 2013-04-10 07:04 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-04-10 07:04 . 2013-04-10 07:04 235008 ----a-w- c:\windows\system32\url.dll
2013-04-10 07:04 . 2013-04-10 07:04 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-04-10 07:04 . 2013-04-10 07:04 216064 ----a-w- c:\windows\system32\msls31.dll
2013-04-10 07:04 . 2013-04-10 07:04 197120 ----a-w- c:\windows\system32\msrating.dll
2013-04-10 07:04 . 2013-04-10 07:04 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-04-10 07:04 . 2013-04-10 07:04 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-10 07:04 . 2013-04-10 07:04 144896 ----a-w- c:\windows\system32\wextract.exe
2013-04-10 07:04 . 2013-04-10 07:04 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-04-10 07:04 . 2013-04-10 07:04 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-04-10 07:04 . 2013-04-10 07:04 102912 ----a-w- c:\windows\system32\inseng.dll
2013-04-10 07:04 . 2013-04-10 07:04 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-04-10 07:04 . 2013-04-10 07:04 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-04-10 07:04 . 2013-04-10 07:04 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-04-10 07:04 . 2013-04-10 07:04 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-04-10 07:04 . 2013-04-10 07:04 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-04-10 07:04 . 2013-04-10 07:04 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-04-10 07:04 . 2013-04-10 07:04 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-04-10 07:04 . 2013-04-10 07:04 149504 ----a-w- c:\windows\system32\occache.dll
2013-04-10 07:04 . 2013-04-10 07:04 13824 ----a-w- c:\windows\system32\mshta.exe
2013-04-10 07:04 . 2013-04-10 07:04 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-04-10 07:04 . 2013-04-10 07:04 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-04-10 07:04 . 2013-04-10 07:04 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-04-10 07:03 . 2013-04-10 07:03 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2013-04-10 07:03 . 2013-04-10 07:03 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2013-04-10 07:03 . 2013-04-10 07:03 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-04-10 07:03 . 2013-04-10 07:03 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-04-10 07:03 . 2013-04-10 07:03 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-04-10 07:03 . 2013-04-10 07:03 3928064 ----a-w- c:\windows\system32\d2d1.dll
2013-04-10 07:03 . 2013-04-10 07:03 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-04-10 07:03 . 2013-04-10 07:03 363008 ----a-w- c:\windows\system32\dxgi.dll
2013-04-10 07:03 . 2013-04-10 07:03 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2013-04-10 07:03 . 2013-04-10 07:03 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-04-10 07:03 . 2013-04-10 07:03 296960 ----a-w- c:\windows\system32\d3d10core.dll
2013-04-10 07:03 . 2013-04-10 07:03 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2013-04-10 07:03 . 2013-04-10 07:03 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-04-10 07:03 . 2013-04-10 07:03 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2013-04-10 07:03 . 2013-04-10 07:03 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2013-04-10 07:03 . 2013-04-10 07:03 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-04-10 07:03 . 2013-04-10 07:03 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2013-04-10 07:03 . 2013-04-10 07:03 221184 ----a-w- c:\windows\system32\UIAnimation.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-02-18 15:48 1929392 ----a-w- c:\program files (x86)\AVG SafeGuard toolbar\14.2.0.1\AVG SafeGuard toolbar_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG SafeGuard toolbar\14.2.0.1\AVG SafeGuard toolbar_toolbar.dll" [2013-02-18 1929392]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Facebook Update"="c:\users\Gerry\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-05-14 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 343168]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-12-18 39136]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-12-18 825560]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"vProt"="c:\program files (x86)\AVG SafeGuard toolbar\vprot.exe" [2013-02-18 1151152]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\Gerry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Gerry\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe [2013-3-7 248240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R1 ktaoxttj;ktaoxttj;c:\windows\system32\drivers\ktaoxttj.sys [x]
R1 mnxlhkqa;mnxlhkqa;c:\windows\system32\drivers\mnxlhkqa.sys [x]
R1 wndmrrlp;wndmrrlp;c:\windows\system32\drivers\wndmrrlp.sys [x]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2013-01-22 75888]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-07 1255736]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-05-24 55952]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 SysCow;SysCow;c:\windows\system32\drivers\syscowad64v.sys [2010-05-23 164848]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-11-08 307040]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2013-02-18 39768]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-10-05 87600]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-08-09 283200]
S2 aksdf;aksdf;c:\windows\system32\drivers\aksdf.sys [2009-09-21 71040]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-10 204288]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-11-10 361984]
S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2011-06-24 55424]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2011-09-10 18432]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [2010-07-23 296808]
S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-05-30 3048136]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2013-02-18 968880]
S3 ALSysIO;ALSysIO;c:\windows\TEMP\ALSysIO64.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-10-17 93712]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-11-19 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-11-19 181248]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-12 21:22 1642448 ----a-w- c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3193541919-1851860048-2350394640-1000Core.job
- c:\users\Gerry\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-05-14 21:44]
.
2013-05-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3193541919-1851860048-2350394640-1000UA.job
- c:\users\Gerry\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-05-14 21:44]
.
2013-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-20 05:10]
.
2013-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-20 05:10]
.
2013-05-14 c:\windows\Tasks\ReclaimerUpdateFiles_Gerry.job
- c:\users\Gerry\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-07 16:42]
.
2013-05-14 c:\windows\Tasks\ReclaimerUpdateXML_Gerry.job
- c:\users\Gerry\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-07 16:42]
.
2013-05-15 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Gerry.job
- c:\users\Gerry\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-07 16:42]
.
2013-02-21 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-22 21:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\vodc4n5h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com/?cid={F188E03D-69A9-4DE0-AA9E-CFDE75AA3E5C}&mid=98969aadeca147d087b6cd2623702e8f-b21c05754cf0e21fa2ce6fc4679931cb587581ce&lang=en&ds=AVG&pr=fr&d=2013-01-23 21:32&v=14.2.0.1&pid=safeguard&sg=1&sap=hp
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-04-15 16:28; [email protected]; c:\users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\vodc4n5h.default\extensions\[email protected]
FF - ExtSQL: 2013-04-15 16:41; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\vodc4n5h.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);FF - user.js: extentions.y2layers.installId - 474bac5b-138c-4c5a-8553-67a090da8808
FF - user.js: extentions.y2layers.defaultEnableAppsList - twittube,ezLooker,pagerage,buzzdock,toprelatedtopics,YontooNewOffers
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-DDA23392-9C73-4909-A221-BC12C6D2664D - c:\program files (x86)\GmoteServer\uninstall.exe
AddRemove-GRemoteServer - c:\program files (x86)\GBM\GRemote Pro\uninst.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a*Àèº{]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a*Àèº{\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*íöä%]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*íöä%\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\hasplms.exe
c:\xampp\mysql\bin\mysqld.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2013-05-15 13:12:02 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-15 17:11
.
Pre-Run: 13,107,249,152 bytes free
Post-Run: 5,456,039,936 bytes free
.
- - End Of File - - FA18261E9B81C84B613A9FB4BA38B102
 

johnb35

Administrator
Staff member
You have some added issues since you last ran combofix. We need to do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

Driver::

ktaoxttj
mnxlhkqa
wndmrrlp



File::

c:\windows\system32\drivers\ktaoxttj.sys
c:\windows\system32\drivers\mnxlhkqa.sys
c:\windows\system32\drivers\wndmrrlp.sys


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]


ComboFix will begin to execute; just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

Greecian

New Member
ComboFix 13-05-18.02 - Gerry 05/18/2013 12:02:44.3.3 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8190.1802 [GMT -4:00]
Running from: c:\users\Gerry\Desktop\ComboFix.exe
Command switches used :: c:\users\Gerry\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\ktaoxttj.sys"
"c:\windows\system32\drivers\mnxlhkqa.sys"
"c:\windows\system32\drivers\wndmrrlp.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ktaoxttj
-------\Service_mnxlhkqa
-------\Service_wndmrrlp
.
.
((((((((((((((((((((((((( Files Created from 2013-04-18 to 2013-05-18 )))))))))))))))))))))))))))))))
.
.
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\Test\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\gzap\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\Guild Wars\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\Gerry\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\djs\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-18 16:20 . 2013-05-18 16:20 -------- d-----w- c:\users\BFBC2\AppData\Local\temp
2013-05-15 14:26 . 2013-05-15 14:26 -------- d-----w- c:\windows\system32\MpEngineStore
2013-05-15 07:03 . 2013-04-05 06:50 19231232 ----a-w- c:\windows\system32\mshtml.dll
2013-05-15 07:03 . 2013-04-05 06:50 15404032 ----a-w- c:\windows\system32\ieframe.dll
2013-05-14 21:44 . 2013-05-14 21:44 -------- d-----w- c:\users\Gerry\AppData\Local\Facebook
2013-05-12 19:59 . 2013-05-12 19:59 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-05-12 19:58 . 2013-05-12 19:57 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-11 18:00 . 2013-05-11 18:00 -------- d-----w- C:\Need for Speed World
2013-05-11 17:48 . 2013-05-11 17:48 -------- d-----w- c:\users\Gerry\AppData\Local\Electronic_Arts_Inc
2013-05-01 14:52 . 2013-05-01 14:52 -------- d-----w- C:\Riot Games
2013-04-28 19:32 . 2013-04-28 19:44 -------- d-----w- c:\users\Gerry\AppData\Roaming\DigitalDJ17
2013-04-28 19:31 . 2013-04-28 19:31 -------- d-----w- c:\program files (x86)\MAGIX
2013-04-24 01:36 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-18 17:53 . 2013-04-18 17:53 -------- d-----w- C:\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 22:37 . 2011-11-06 03:33 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2013-05-17 22:37 . 2011-11-06 00:41 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2013-05-17 21:54 . 2011-11-06 00:41 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2013-05-15 14:24 . 2012-07-21 17:25 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-15 07:15 . 2012-05-29 19:50 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-12 20:03 . 2012-04-04 18:10 691592 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-12 20:03 . 2011-11-06 02:08 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-12 19:57 . 2013-01-20 19:42 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-05-12 19:57 . 2012-04-27 20:01 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-04-24 20:00 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2013-04-13 05:49 . 2013-05-15 02:42 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-15 02:42 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-15 02:42 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-15 02:42 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-15 02:42 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 02:42 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-10 07:04 . 2013-04-10 07:04 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-04-10 07:04 . 2013-04-10 07:04 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-04-10 07:04 . 2013-04-10 07:04 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-04-10 07:04 . 2013-04-10 07:04 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-04-10 07:04 . 2013-04-10 07:04 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-04-10 07:04 . 2013-04-10 07:04 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-04-10 07:04 . 2013-04-10 07:04 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-04-10 07:04 . 2013-04-10 07:04 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-04-10 07:04 . 2013-04-10 07:04 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-04-10 07:04 . 2013-04-10 07:04 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-04-10 07:04 . 2013-04-10 07:04 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-04-10 07:04 . 2013-04-10 07:04 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-04-10 07:04 . 2013-04-10 07:04 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-04-10 07:04 . 2013-04-10 07:04 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-04-10 07:04 . 2013-04-10 07:04 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-04-10 07:04 . 2013-04-10 07:04 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-04-10 07:04 . 2013-04-10 07:04 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-04-10 07:04 . 2013-04-10 07:04 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-04-10 07:04 . 2013-04-10 07:04 81408 ----a-w- c:\windows\system32\icardie.dll
2013-04-10 07:04 . 2013-04-10 07:04 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-04-10 07:04 . 2013-04-10 07:04 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-04-10 07:04 . 2013-04-10 07:04 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-04-10 07:04 . 2013-04-10 07:04 441856 ----a-w- c:\windows\system32\html.iec
2013-04-10 07:04 . 2013-04-10 07:04 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-04-10 07:04 . 2013-04-10 07:04 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-10 07:04 . 2013-04-10 07:04 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-04-10 07:04 . 2013-04-10 07:04 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-04-10 07:04 . 2013-04-10 07:04 235008 ----a-w- c:\windows\system32\url.dll
2013-04-10 07:04 . 2013-04-10 07:04 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-04-10 07:04 . 2013-04-10 07:04 216064 ----a-w- c:\windows\system32\msls31.dll
2013-04-10 07:04 . 2013-04-10 07:04 197120 ----a-w- c:\windows\system32\msrating.dll
2013-04-10 07:04 . 2013-04-10 07:04 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-04-10 07:04 . 2013-04-10 07:04 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-10 07:04 . 2013-04-10 07:04 144896 ----a-w- c:\windows\system32\wextract.exe
2013-04-10 07:04 . 2013-04-10 07:04 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-04-10 07:04 . 2013-04-10 07:04 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-04-10 07:04 . 2013-04-10 07:04 102912 ----a-w- c:\windows\system32\inseng.dll
2013-04-10 07:04 . 2013-04-10 07:04 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-04-10 07:04 . 2013-04-10 07:04 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-04-10 07:04 . 2013-04-10 07:04 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-04-10 07:04 . 2013-04-10 07:04 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-04-10 07:04 . 2013-04-10 07:04 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-04-10 07:04 . 2013-04-10 07:04 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-04-10 07:04 . 2013-04-10 07:04 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-04-10 07:04 . 2013-04-10 07:04 149504 ----a-w- c:\windows\system32\occache.dll
2013-04-10 07:04 . 2013-04-10 07:04 13824 ----a-w- c:\windows\system32\mshta.exe
2013-04-10 07:04 . 2013-04-10 07:04 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-04-10 07:04 . 2013-04-10 07:04 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-04-10 07:04 . 2013-04-10 07:04 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-04-10 07:03 . 2013-04-10 07:03 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-04-10 07:03 . 2013-04-10 07:03 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2013-04-10 07:03 . 2013-04-10 07:03 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2013-04-10 07:03 . 2013-04-10 07:03 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-04-10 07:03 . 2013-04-10 07:03 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-04-10 07:03 . 2013-04-10 07:03 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-04-10 07:03 . 2013-04-10 07:03 3928064 ----a-w- c:\windows\system32\d2d1.dll
2013-04-10 07:03 . 2013-04-10 07:03 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-04-10 07:03 . 2013-04-10 07:03 363008 ----a-w- c:\windows\system32\dxgi.dll
2013-04-10 07:03 . 2013-04-10 07:03 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2013-04-10 07:03 . 2013-04-10 07:03 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-04-10 07:03 . 2013-04-10 07:03 296960 ----a-w- c:\windows\system32\d3d10core.dll
2013-04-10 07:03 . 2013-04-10 07:03 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2013-04-10 07:03 . 2013-04-10 07:03 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-04-10 07:03 . 2013-04-10 07:03 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2013-04-10 07:03 . 2013-04-10 07:03 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2013-04-10 07:03 . 2013-04-10 07:03 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-04-10 07:03 . 2013-04-10 07:03 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2013-04-10 07:03 . 2013-04-10 07:03 221184 ----a-w- c:\windows\system32\UIAnimation.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-02-18 15:48 1929392 ----a-w- c:\program files (x86)\AVG SafeGuard toolbar\14.2.0.1\AVG SafeGuard toolbar_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG SafeGuard toolbar\14.2.0.1\AVG SafeGuard toolbar_toolbar.dll" [2013-02-18 1929392]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Facebook Update"="c:\users\Gerry\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-05-14 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 343168]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-12-18 39136]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-12-18 825560]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"vProt"="c:\program files (x86)\AVG SafeGuard toolbar\vprot.exe" [2013-02-18 1151152]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\Gerry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Facebook Messenger.lnk - c:\users\Gerry\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe [2013-3-7 248240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2013-01-22 75888]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-07 1255736]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-05-24 55952]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 SysCow;SysCow;c:\windows\system32\drivers\syscowad64v.sys [2010-05-23 164848]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-11-08 307040]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2013-02-18 39768]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-10-05 87600]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-08-09 283200]
S2 aksdf;aksdf;c:\windows\system32\drivers\aksdf.sys [2009-09-21 71040]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-10 204288]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-11-10 361984]
S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2011-06-24 55424]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2011-09-10 18432]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [2010-07-23 296808]
S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-05-30 3048136]
S2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe [2013-02-18 968880]
S3 ALSysIO;ALSysIO;c:\windows\TEMP\ALSysIO64.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-10-17 93712]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-11-19 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-11-19 181248]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-12 21:22 1642448 ----a-w- c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3193541919-1851860048-2350394640-1000Core.job
- c:\users\Gerry\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-05-14 21:44]
.
2013-05-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3193541919-1851860048-2350394640-1000UA.job
- c:\users\Gerry\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-05-14 21:44]
.
2013-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-20 05:10]
.
2013-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-20 05:10]
.
2013-05-17 c:\windows\Tasks\ReclaimerUpdateFiles_Gerry.job
- c:\users\Gerry\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-07 16:42]
.
2013-05-17 c:\windows\Tasks\ReclaimerUpdateXML_Gerry.job
- c:\users\Gerry\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-07 16:42]
.
2013-05-18 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Gerry.job
- c:\users\Gerry\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-07 16:42]
.
2013-02-21 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-22 21:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\vodc4n5h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.startup.homepage - hxxp://mysearch.avg.com/?cid={F188E03D-69A9-4DE0-AA9E-CFDE75AA3E5C}&mid=98969aadeca147d087b6cd2623702e8f-b21c05754cf0e21fa2ce6fc4679931cb587581ce&lang=en&ds=AVG&pr=fr&d=2013-01-23 21:32&v=14.2.0.1&pid=safeguard&sg=1&sap=hp
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-04-15 16:28; [email protected]; c:\users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\vodc4n5h.default\extensions\[email protected]
FF - ExtSQL: 2013-04-15 16:41; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\Gerry\AppData\Roaming\Mozilla\Firefox\Profiles\vodc4n5h.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);FF - user.js: extentions.y2layers.installId - 474bac5b-138c-4c5a-8553-67a090da8808
FF - user.js: extentions.y2layers.defaultEnableAppsList - twittube,ezLooker,pagerage,buzzdock,toprelatedtopics,YontooNewOffers
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-DDA23392-9C73-4909-A221-BC12C6D2664D - c:\program files (x86)\GmoteServer\uninstall.exe
AddRemove-GRemoteServer - c:\program files (x86)\GBM\GRemote Pro\uninst.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a*Àèº{]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*a*Àèº{\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*íöä%]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3193541919-1851860048-2350394640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*íöä%\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\hasplms.exe
c:\xampp\mysql\bin\mysqld.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2013-05-18 13:04:00 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-18 17:03
ComboFix2.txt 2013-05-15 17:12
.
Pre-Run: 14,440,726,528 bytes free
Post-Run: 10,957,447,168 bytes free
.
- - End Of File - - 7D1FCBBB55EB370010904502569A54FA
 

Greecian

New Member
Still not there. I'm still missing the HDD space. I'm sorry that this is taking forever and not making much progress.
 

johnb35

Administrator
Staff member
I would suggest downloading and running CCleaner; maybe this will give you your space back.

http://www.filehippo.com/download_ccleaner/

Click on where it says "Download Latest Version" at the top right. Install the program, open it, and click on "Run Cleaner". Don't change any settings.

If this doesn't bring the space back, I'm not sure what to tell you.
 