14 replies to this topic

[Wanda]

I found out about a week ago that someone from Poland logged into my Yahoo mail account and sent spam messages to all of my online contacts. I have been working through this forum to help clean up my laptop which is my main computer. I had my son scan his computer's full disk drive to see what viruses his had since I occasionally use his computer. He wrote on a piece of paper that the scan found pup.bundleoffers.IIQ and pup.bundleIstaller.BT viruses. I don't know what software he used and he is gone for a week so I cannot aske him to post the log.

I just ran a full disk scan with Malwarebytes and it didn't find any current viruses. The log for it is below:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.05.05
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Wanda :: DELL-DESKTOP [administrator]
7/5/2012 9:18:23 AM
mbam-log-2012-07-05 (09-18-23).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 632954
Time elapsed: 1 hour(s), 54 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

However, I know from trying to clean up all the viruses on my laptop that the clean Malwarebytes report doesn't always mean that their is no rootkit or other deeper viruses. I would like this forum's help to also verify there is no viruses on my son's desktop.

Below is his DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Wanda at 15:05:40 on 2012-07-05
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4050 [GMT -5:00]
.
AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Extreme Security Anti-Spyware *Enabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
FW: ZoneAlarm Extreme Security Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskhost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\System32\GfxUI.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~2\CHECKP~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://verizon.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Verizon Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB: {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
mRun: [WinPatrol [FREE Edition]] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MI3DFC~1\OFFICE11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: metlife.com\mybenefits
Trusted Zone: microsoft.com\www.update
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://ra.fanniemae.com/InternalSite/WhlCompMgr.cab
DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} - hxxp://clients.futuremark.com/calico/systeminfodeploy/FMSI_v420.cab
DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - hxxp://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://rsvpn.raytheon.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9624504E-F0FC-447F-B3B9-E23AF0FF6045} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO-X64: ZoneAlarm Security Engine Registrar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Verizon Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB-X64: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB-X64: {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRun-x64: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
mRun-x64: [WinPatrol [FREE Edition]] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
IE-X64: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE-X64: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-07-03 21:07:41 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAC5B21C-37A0-437F-B6E2-D061FE789F26}\mpengine.dll
2012-07-02 19:37:59 -------- d-----w- C:\Users\Wanda\AppData\Local\Sony
2012-07-02 19:30:26 -------- d-----w- C:\Users\Wanda\AppData\Roaming\Roxio Log Files
2012-07-02 17:21:56 -------- d-----w- C:\Users\Wanda\AppData\Roaming\PDAppFlex
2012-07-01 13:05:45 33856 ---ha-w- C:\Windows\System32\hamachi.sys
2012-07-01 13:05:32 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2012-06-26 13:32:17 -------- d-----w- C:\Program Files (x86)\Microsoft XNA
2012-06-25 21:17:28 -------- d-----w- C:\Windows\SysWow64\directx
2012-06-25 16:46:08 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-25 16:45:43 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-25 16:45:19 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-25 16:45:19 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-22 20:18:24 955800 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-06-18 21:29:09 -------- d-----w- C:\Program Files (x86)\The Game Creators
2012-06-14 18:00:22 -------- d-----r- C:\Program Files (x86)\Skype
2012-06-14 01:37:48 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-14 01:37:48 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-14 01:37:48 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-14 01:36:52 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-06-14 01:36:26 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-14 01:36:25 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-14 01:36:25 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-14 01:35:56 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-06-14 01:35:29 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-14 01:35:01 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-06-14 01:35:01 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-14 01:34:39 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-14 01:34:39 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-14 01:34:39 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-14 01:34:39 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-14 01:34:38 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-14 01:34:38 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-12 17:13:43 -------- d-----w- C:\Program Files (x86)\Movie Maker 2.6
2012-06-12 15:48:26 -------- d-----w- C:\ProgramData\Verizon
2012-06-12 15:38:25 -------- d-----w- C:\Program Files (x86)\Verizon
2012-06-11 16:03:42 -------- d-----w- C:\Program Files (x86)\Port Forwarding Wizard
2012-06-11 15:06:34 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2012-06-11 14:59:40 -------- d-----w- C:\Program Files (x86)\NCH Software
2012-06-11 14:45:19 -------- d-----w- C:\Program Files (x86)\Adobe Download Assistant
2012-06-09 21:56:44 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
.
==================== Find3M ====================
.
2012-07-02 00:42:17 70344 ------w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-02 00:42:17 426184 ------w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-28 16:33:25 98304 ------w- C:\Windows\SysWow64\CmdLineExt.dll
2012-05-18 03:07:39 772552 ------w- C:\Windows\SysWow64\npDeployJava1.dll
2012-05-18 03:07:39 687560 ------w- C:\Windows\SysWow64\deployJava1.dll
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-05-05 20:11:11 8769696 ------w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-05-04 23:32:56 839056 ----a-w- C:\Windows\System32\deployJava1.dll
.
============= FINISH: 15:11:42.80 ===============

Here is the attach log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2/24/2011 5:00:40 PM
System Uptime: 7/5/2012 3:00:15 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0C2KJT
Processor: Intel® Core™ i3 CPU 550 @ 3.20GHz | CPU 1 | 1184/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 918 GiB total, 802.78 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart Premium C309g-m
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart Premium C309g-m
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart Premium C309g-m
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart Premium C309g-m
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Help Manager
Adobe Reader X (10.1.3)
AnswerWorks 5.0 English Runtime
Belkin F6D4050 Enhanced Wireless USB Adapter
BufferChm
C309g-m
Compatibility Pack for the 2007 Office system
Consumer In-Home Service Agreement
CRT-71
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell DataSafe Online
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Stage
Destinations
DeviceDiscovery
DiskCheckup v3.0.1006
eReg
Evernote v. 4.5.4
GPBaseService2
HP Update
HPDiagnosticAlert
HPPhotoGadget
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
HyperCam 2
IBM Installation Manager
InstallIQ Updater
Intel® Graphics Media Accelerator Driver
Internet Explorer
Java Auto Updater
Java™ 6 Update 33
Java™ 7 Update 5
Junk Mail filter update
LogMeIn Hamachi
MailStore Home 4.2.0.5431
Malwarebytes Anti-Malware version 1.61.0.1400
MarketResearch
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Access 2010
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft Forefront UAG endpoint components v4.0.0
Microsoft Home Publishing 2000
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access 2010
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office File Validation Add-In
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Standard Edition 2003
Microsoft Office Starter 2010 - English
Microsoft Office Word MUI (English) 2010
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft XNA Framework Redistributable 4.0
microsoft.vs6
Microsoft_VC80_CRT_x86
Microsoft_VC90_CRT_x86
MSVCRT
MSVCRT Redists
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
msxml4sys32
Multimedia Card Reader
Norton Security Scan
Picasa 3
Portal
PS_AIO_06_C309g-m_SW_Min
RCT3 Soaked
Realtek High Definition Audio Driver
Redist
RollerCoaster Tycoon 3
RummyRoyal.com
Scan
Secunia PSI (2.0.0.3001)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Skype™ 5.10
SmartWebPrinting
SolutionCenter
SpywareBlaster 4.4
sqaote32
Status
Steam
SugarSync Manager
Terraria
Toolbox
TrayApp
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
VC 9.0 Runtime
Ventrilo Client
Verizon Media Manager
Verizon Yahoo! Applications
VideoPad Video Editor
VLC media player 2.0.1
WavePad Sound Editor
WeatherBug
WebReg
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Movie Maker 2.6
Windows SDK IntellisenseNFX
WinRAR 4.11 (32-bit)
ZoneAlarm Antivirus
ZoneAlarm DataLock
ZoneAlarm Extreme Security
ZoneAlarm Firewall
ZoneAlarm Security
.
==== Event Viewer Messages From Past Week ========
.
7/5/2012 3:11:53 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
7/5/2012 3:04:19 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/4/2012 1:00:23 PM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/4/2012 1:00:21 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Application Virtualization Client service to connect.
7/4/2012 1:00:21 PM, Error: Service Control Manager [7000] - The Application Virtualization Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2012 4:02:54 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.129.902.0).
7/3/2012 3:52:42 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
7/3/2012 3:52:02 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: D@01010004
7/2/2012 6:57:27 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.5. The computer with the IP address 192.168.1.8 did not allow the name to be claimed by this computer.
7/2/2012 1:41:06 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/1/2012 8:06:19 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LogMeIn Hamachi Tunneling Engine service to connect.
7/1/2012 8:06:19 AM, Error: Service Control Manager [7000] - The LogMeIn Hamachi Tunneling Engine service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2012 8:05:46 AM, Error: Service Control Manager [7030] - The LogMeIn Hamachi Tunneling Engine service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
7/1/2012 8:02:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IBM Rational ClearQuest Mail Service service to connect.
7/1/2012 8:02:25 AM, Error: Service Control Manager [7000] - The IBM Rational ClearQuest Mail Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2012 7:38:17 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server (SQLEXPRESS) service to connect.
7/1/2012 7:38:17 PM, Error: Service Control Manager [7000] - The SQL Server (SQLEXPRESS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2012 3:37:08 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer TOSHIBALAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{9624504E-F0FC-447F-B3B9-E23AF0FF6045}. The master browser is stopping or an election is being forced.
6/29/2012 2:28:15 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Client Virtualization Handler service to connect.
6/29/2012 2:28:15 PM, Error: Service Control Manager [7000] - The Client Virtualization Handler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

My son has been complaining the computer has been slower than normal the past few weeks but I don't have any details.

Thank you for your time in helping me,
Wanda

[LDTate]

Please do not attach the scan results from Combofx. Use copy/paste.


Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  
  Note: If you have XP SP3, use the XP SP2 package.
  If Vista or Windows 7, skip the Recovery Console part
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

[Wanda]

The link above is for a different computer than the ones I posted logs for in this link. We have two computers. The first forum posting was for my laptop that I primarily use. The second posting is for my son's computer that I used occasionally. I still need help in cleaning up this desktop since I don' want to run tools without direction from knowledgeable people in this forum.

[LDTate]

Is this the second one?
If so, run combfix.
If not, give me the link to your other computer.

[Wanda]

Yes this is a post for the second computer, my son's, and the not the one you already help me clean up.

I ran the ComboFix scan on this computer this morning. It ran much faster than my first laptop scan. Below is the log from the scan:


ComboFix 12-07-07.04 - Zachary 07/07/2012 10:46:35.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.3957 [GMT -5:00]
Running from: c:\users\Zachary\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Extreme Security Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Wanda\Documents\~WRL2629.tmp
c:\users\Zachary\AppData\Local\Temp\IswTmp\WH\0
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 15:58 . 2012-07-07 15:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-02 19:37 . 2012-07-02 19:37 -------- d-----w- c:\users\Wanda\AppData\Roaming\Sony
2012-07-02 19:37 . 2012-07-02 19:37 -------- d-----w- c:\users\Wanda\AppData\Local\Sony
2012-07-02 19:30 . 2012-07-02 19:30 -------- d-----w- c:\users\Wanda\AppData\Roaming\Roxio Log Files
2012-07-02 17:21 . 2012-07-02 17:21 -------- d-----w- c:\users\Wanda\AppData\Roaming\PDAppFlex
2012-07-01 13:05 . 2009-03-18 22:35 33856 ---ha-w- c:\windows\system32\hamachi.sys
2012-07-01 13:05 . 2012-07-01 13:05 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2012-06-28 20:25 . 2012-06-28 20:25 -------- d-----w- c:\users\Zachary\AppData\Roaming\Malwarebytes
2012-06-26 13:32 . 2012-06-26 13:32 -------- d-----w- c:\program files (x86)\Microsoft XNA
2012-06-25 16:46 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-25 16:46 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-25 16:46 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-25 16:46 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-25 16:45 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-25 16:45 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-25 16:45 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-25 16:45 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-25 16:45 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 20:18 . 2012-05-04 23:33 955800 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-19 15:05 . 2012-06-26 23:52 -------- d-----w- c:\users\Zachary\AppData\Local\Eclipse
2012-06-19 15:04 . 2012-06-22 20:31 -------- d-----w- c:\users\Zachary\workspace
2012-06-18 21:38 . 2012-06-18 21:38 -------- d-----w- c:\users\Zachary\AppData\Roaming\CodeBlocks
2012-06-18 21:29 . 2012-06-19 00:54 -------- d-----w- c:\program files (x86)\The Game Creators
2012-06-14 18:00 . 2012-07-07 15:31 -------- d-----w- c:\users\Zachary\AppData\Roaming\Skype
2012-06-14 18:00 . 2012-07-07 15:30 -------- d-----r- c:\program files (x86)\Skype
2012-06-14 18:00 . 2012-06-14 18:00 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-06-14 01:37 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 01:37 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 01:37 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 01:36 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 01:36 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-14 01:36 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-06-14 01:36 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-06-14 01:35 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 01:35 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 01:35 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-06-14 01:35 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-06-14 01:34 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 01:34 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-14 01:34 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 01:34 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-14 01:34 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-06-14 01:34 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-12 17:28 . 2012-06-22 15:52 -------- d-----w- c:\users\Zachary\AppData\Local\WMTools Downloaded Files
2012-06-12 17:13 . 2012-06-12 17:13 -------- d-----w- c:\program files (x86)\Movie Maker 2.6
2012-06-12 15:48 . 2012-06-12 15:48 -------- d-----w- c:\users\Zachary\AppData\Roaming\Verizon
2012-06-12 15:48 . 2012-06-12 15:48 -------- d-----w- c:\programdata\Verizon
2012-06-12 15:38 . 2012-06-12 15:38 -------- d-----w- c:\program files (x86)\Verizon
2012-06-11 20:27 . 2012-06-11 20:48 -------- d-----w- c:\users\Zachary\AppData\Local\Roblox
2012-06-11 16:20 . 2012-06-11 16:20 -------- d-----w- c:\users\Zachary\AppData\Local\APN
2012-06-11 16:03 . 2012-07-02 19:30 -------- d-----w- c:\program files (x86)\Port Forwarding Wizard
2012-06-11 15:06 . 2012-06-11 15:06 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2012-06-11 15:02 . 2012-06-18 15:04 -------- d-----w- c:\programdata\NCH Software
2012-06-11 14:59 . 2012-06-19 00:56 -------- d-----w- c:\program files (x86)\NCH Software
2012-06-11 14:59 . 2012-06-18 15:04 -------- d-----w- c:\users\Zachary\AppData\Roaming\NCH Software
2012-06-11 14:46 . 2012-06-11 14:55 -------- d-----w- c:\users\Zachary\Adobe Premiere Pro CS6
2012-06-11 14:45 . 2012-06-11 14:45 -------- d-----w- c:\users\Zachary\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-06-11 14:45 . 2012-06-11 14:45 -------- d-----w- c:\program files (x86)\Adobe Download Assistant
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-02 19:11 . 2011-06-03 22:19 540896 ----a-w- c:\programdata\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2012-07-02 00:42 . 2012-03-28 12:40 426184 ------w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-02 00:42 . 2011-06-07 16:40 70344 ------w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 12:58 . 2011-02-25 16:34 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-06-10 12:58 . 2011-02-25 15:30 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-06-09 21:56 . 2012-06-09 21:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-05-31 17:25 . 2011-09-22 17:57 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-31 04:04 . 2012-07-06 19:25 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{53AB1619-7578-47E4-8F8E-985F66686DF8}\mpengine.dll
2012-05-28 16:33 . 2012-05-28 16:33 98304 ------w- c:\windows\SysWow64\CmdLineExt.dll
2012-05-18 03:07 . 2012-05-18 03:09 772552 ------w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-18 03:07 . 2011-02-22 17:40 687560 ------w- c:\windows\SysWow64\deployJava1.dll
2012-05-05 20:11 . 2012-04-14 11:11 8769696 ------w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-05-04 23:32 . 2011-02-22 17:40 839056 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-05-27 1242448]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 44544]
"Verizon Media Manager"="c:\program files (x86)\Verizon\Verizon Media Manager\Release\Verizon Media Manager.exe" [2012-05-09 1523712]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-03 17417392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2011-02-13 325000]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2011-10-26 73360]
"WinPatrol [FREE Edition]"="c:\program files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" [2011-02-13 20:20 325000]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-10-20 1118040]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2012-02-01 968048]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0047471314372254mcinstcleanup;McAfee Application Installer Cleanup (0047471314372254);c:\windows\TEMP\004747~1.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-02 257224]
R3 cpuz135;cpuz135;c:\windows\TEMP\cpuz135\cpuz135_x64.sys [x]
R3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\DOWNLO~1\DMService.exe [2011-11-28 487312]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2011-10-19 45448]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 17976]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-01-10 993848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-25 1255736]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-10-14 11864]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-11-01 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-06-27 2369960]
S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-10-19 33672]
S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-10-19 827520]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-01-10 399416]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [2010-11-25 150928]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 271872]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-10-16 321064]
S3 netr28ux;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2009-08-06 987648]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 00:42]
.
2012-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1003Core.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 00:06]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1003UA.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 00:06]
.
2012-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1004Core.job
- c:\users\Zachary\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 23:21]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1004UA.job
- c:\users\Zachary\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 23:21]
.
2012-03-07 c:\windows\Tasks\Norton Security Scan for Ben.job
- c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-14 03:43]
.
2012-07-02 c:\windows\Tasks\Norton Security Scan for Wanda.job
- c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-14 03:43]
.
2012-07-02 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]
.
2012-07-07 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" [2011-02-13 325000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2012-02-01 2195824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bakugan.com/home.html
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1
DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} - hxxp://clients.futuremark.com/calico/systeminfodeploy/FMSI_v420.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Toolbar-Locked - (no file)
WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - (no file)
HKLM-Run-ISW - (no file)
AddRemove-{90140000-0015-0409-0000-0000000FF1CE}_Office14.AccessR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-001F-0409-0000-0000000FF1CE}_Office14.AccessR_{17E7B9AB-2DD2-457D-8D8E-CD14ACA973FE} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-001F-0409-0000-0000000FF1CE}_Office14.AccessR_{99ACCA38-6DD3-48A8-96AE-A283C9759279} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-001F-040C-0000-0000000FF1CE}_Office14.AccessR_{15058154-469F-4794-ACD5-94F8420F9B80} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-001F-040C-0000-0000000FF1CE}_Office14.AccessR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.AccessR_{995A7832-B512-46D5-87C9-2D71FB541435} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.AccessR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-002A-0409-1000-0000000FF1CE}_Office14.AccessR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-002C-0409-0000-0000000FF1CE}_Office14.AccessR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-006E-0409-0000-0000000FF1CE}_Office14.AccessR_{4560037C-E356-444A-A015-D21F487D809E} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-006E-0409-0000-0000000FF1CE}_Office14.AccessR_{73E67A3A-8D61-44EF-90C2-1697C3DBE668} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-0115-0409-0000-0000000FF1CE}_Office14.AccessR_{4560037C-E356-444A-A015-D21F487D809E} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-0116-0409-1000-0000000FF1CE}_Office14.AccessR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
AddRemove-{90140000-0117-0409-0000-0000000FF1CE}_Office14.AccessR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2012-07-07 11:14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 16:14
.
Pre-Run: 861,820,968,960 bytes free
Post-Run: 862,948,364,288 bytes free
.
- - End Of File - - C1DA00B5EAC5775589239CF55BC01764

After the scan I let my son play on the computer a bit. He said it was about the same with his Java based games occasionally lagging a bit. I don't know if this is due to malware or not.

Thank you for your help again,
Wanda and son Zachary

[LDTate]

I'm not seeing anything bad in that scan.
Uninstall Combofix and run a online scan

For Vista / Windows 7

• Click START Search
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Next:

http://www.eset.eu/online-scanner
Go here to run an online scannner from ESET.
Click the green ESET Online Scanner button.
Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
Click on the Start button next to it.
You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Insall ActiveX component.
A new window will appear asking "Do you want to install this software?"".
Answer Yes to download and install the ActiveX controls that allows the scan to run.
Click Start.
Make sure that the option "Remove found threats" is Unchecked
Click Scan to begin.
If offered the option to get information or buy software. Just close the window.
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

[Wanda]

Sorry for the delay in getting back with you. We have been dealing with my stepfather-in-laws hospitalization and then passing this weekend. I will try and get my son to do the scan tomorrow.

[LDTate]

No problem.

[Wanda]

Ok, the Eset Online Scan is not running correctly like on the other machine. My son did the first scan under his ID and then I did it again under my ID but we both were not able to get a full scan log to write. Once the scan downloaded the virus file updates and started, I even turned off our wireless internet access and then all firewalls and antivirus programs to make sure none of them were stopping the writing of the log.

It looked like the initial part of the log was written. Here it is below:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

We also saved the reported found items displayed at the end of the scan:

C:\Users\Ben\Desktop\Training\Oracle PeopleSoft\speedupmypc.exe Win32/SpeedUpMyPC application
C:\Users\Big Disk Backup\Laptop SyncBack\Wanda\Local Settings\Apps\2.0\712G7RZB.1KW\VGQKYAMZ.VQJ\inst..tion_d0587fc617210d12_0000.0001_fd40a442e685358f\installiqexe.exe probably a variant of Win32/InstallIQ application

I am sure that I followed your directions and did it the same as the laptop scan. Any ideas on why a full log is not writing?

Wanda

[LDTate]

It might be a issue with Eset.
We can try another scanner.


Download Dr.Web CureIt to the desktop:

• Doubleclick the drweb-cureit icon to start the program.
  
• press start
  
• Allow the program to run the initial express scan
  
• This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
  Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  
  
• Once the scan is complete, the results will be displayed
  
  
• on the menu bar, click file and choose report list.
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  
• Close Dr.Web Cureit.
  
• Please post the Dr.Web.txt report in your next reply

Reboot the computer in Normal Mode,
Post the Cure-it report

[Wanda]

Sorry for the delay. I ran the Dr. Web Cure-It express scan under my son's account and it didn't find anything that needed to be cured. There was no scan report in the Menu bar's File report list. I did find the detailed scan log in a DoctorWeb folder under my son's C:/Users account. It is too large to paste into one post since it lists every file checked. Below is the summary results at the end:

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 26049
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 1287 Kb/s
Scan time: 0:19:22
-----------------------------------------------------------------------------
=============================================================================
Total session statistics
=============================================================================
Scanned: 26050
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 1294 Kb/s
Scan time: 0:19:22
=============================================================================

Thank you for your time.

[LDTate]

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

[Wanda]

Yes I planned to change all of our accounts passwords once both machines were as clean as possible. That appears to be now the case with all of your assistance. Thank you again for all your help and assistance.

[LDTate]

You're more than welcome.
Glad we were able to help

Peace be with you

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.