South Texas Cyber Command/Money Pak Infected



Welcome to the forum, here's how we deal with that malware:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure you click download buttons that look like this, not "sponsored ad links":


    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt

    Select Command Prompt.

    Once in the Command Prompt:

    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter.

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
MrC

Here it is:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-10-2013 01
Ran by SYSTEM on MININT-0BCJITH on 26-10-2013 10:36:50
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [smartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [568888 2010-01-18] ()
HKLM\...\Run: [Zune Launcher] - c:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe [722256 2008-12-11] (CANON INC.)
HKLM-x32\...\Run: [startCCC] - c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-02-02] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [Carbonite Backup] - C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1061960 2012-08-29] (Carbonite, Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKU\Default\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\Default User\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\Todd\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\Todd\...\Run: [Google Update] - C:\Users\Todd\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-04-19] (Google Inc.)
HKU\Todd\...\Run: [Akamai NetSession Interface] - C:\Users\Todd\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-04] (Akamai Technologies, Inc.)
HKU\Todd\...\Run: [MusicManager] - C:\Users\Todd\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [7331840 2013-04-23] (Google Inc.)
HKU\Todd\...\Run: [GoogleChromeAutoLaunch_074FE521E48D2FD943354AD99FDC5BFB] - C:\Users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe [844752 2013-10-08] (Google Inc.)
HKU\Todd\...\Winlogon: [shell] explorer.exe,C:\Users\Todd\AppData\Roaming\Other.res [153600 2011-11-16] () <==== ATTENTION 
Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk
ShortcutTarget: NexDef Plug-in.lnk ->  (No File)
 
==================== Services (Whitelisted) =================
 
S2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [350792 2013-09-13] (Verizon)
S2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [107912 2008-10-09] ()
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20131022.001\BHDrvx64.sys [1524824 2013-10-22] (Symantec Corporation)
S1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-26] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-08-26] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20131025.001\IDSvia64.sys [521816 2013-10-16] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20131025.009\ENG64.SYS [126040 2013-08-28] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20131025.009\EX64.SYS [2099288 2013-08-28] (Symantec Corporation)
S3 Spyder3; C:\Windows\System32\DRIVERS\Spyder3.sys [15360 2008-09-08] ()
S3 SRTSP; C:\Windows\system32\drivers\NISx64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NISx64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-07-27] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\NISx64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
S0 TfFsMon; system32\drivers\TfFsMon.sys [x]
S3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [x]
S0 TfSysMon; system32\drivers\TfSysMon.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-26 10:36 - 2013-10-26 10:36 - 00000000 ____D C:\FRST
2013-10-26 06:34 - 2013-10-26 06:34 - 00000000 _____ C:\Windows\SysWOW64\sho8E0C.tmp
2013-10-26 06:11 - 2013-10-26 06:11 - 00270472 _____ C:\Windows\Minidump\102613-115159-01.dmp
2013-10-26 05:55 - 2013-10-26 05:55 - 00270472 _____ C:\Windows\Minidump\102613-51761-01.dmp
2013-10-26 01:05 - 2013-10-26 01:05 - 00000000 _____ C:\Windows\SysWOW64\shoB323.tmp
2013-10-25 20:01 - 2013-10-25 20:07 - 00000000 ____D C:\Users\Todd\Desktop\10-25-13 Photo Dump
2013-10-24 01:12 - 2013-10-24 01:12 - 00000000 _____ C:\Windows\SysWOW64\shoFEA8.tmp
2013-10-24 01:07 - 2013-10-24 01:07 - 00000000 _____ C:\Windows\SysWOW64\sho5B34.tmp
2013-10-23 01:08 - 2013-10-23 01:08 - 00000000 _____ C:\Windows\SysWOW64\sho9D38.tmp
2013-10-22 01:33 - 2013-10-22 01:33 - 00000000 _____ C:\Windows\SysWOW64\sho4DFB.tmp
2013-10-21 01:24 - 2013-10-21 01:24 - 00000000 _____ C:\Windows\SysWOW64\sho87FF.tmp
2013-10-20 13:40 - 2013-10-20 13:41 - 00000286 _____ C:\Users\Todd\AppData\Roaming\wklnhst.dat
2013-10-20 13:40 - 2013-10-20 13:40 - 00000000 ____D C:\Users\Todd\AppData\Roaming\Template
2013-10-20 13:28 - 2013-10-20 13:45 - 00000000 ____D C:\Users\Todd\Downloads\Student papers
2013-10-20 07:44 - 2013-10-20 08:03 - 00000000 ____D C:\Users\Todd\AppData\Roaming\vlc
2013-10-19 00:54 - 2013-10-19 00:54 - 00000000 _____ C:\Windows\SysWOW64\shoF2C.tmp
2013-10-18 00:47 - 2013-10-18 00:47 - 00000000 _____ C:\Windows\SysWOW64\shoEB71.tmp
2013-10-17 00:54 - 2013-10-17 00:54 - 00000000 _____ C:\Windows\SysWOW64\shoFDCE.tmp
2013-10-17 00:49 - 2013-10-17 00:49 - 00000000 _____ C:\Windows\SysWOW64\shoFA8E.tmp
2013-10-15 00:53 - 2013-10-15 00:53 - 00000000 _____ C:\Windows\SysWOW64\sho7B75.tmp
2013-10-14 15:49 - 2013-10-14 15:49 - 00020957 _____ C:\Users\Todd\Downloads\Teacher Assignments for PSAT.xlsx
2013-10-14 00:51 - 2013-10-14 00:51 - 00000000 _____ C:\Windows\SysWOW64\shoDB3C.tmp
2013-10-13 00:40 - 2013-10-13 00:40 - 00000000 _____ C:\Windows\SysWOW64\shoF41E.tmp
2013-10-12 00:40 - 2013-10-12 00:40 - 00000000 _____ C:\Windows\SysWOW64\sho20D3.tmp
2013-10-10 00:57 - 2013-10-10 00:57 - 00000000 _____ C:\Windows\SysWOW64\shoD553.tmp
2013-10-09 00:38 - 2013-10-09 00:38 - 00000017 _____ C:\Windows\SysWOW64\shortcut_ex.dat
2013-10-09 00:32 - 2013-10-09 00:32 - 00000000 _____ C:\Windows\SysWOW64\shoF235.tmp
2013-10-08 00:58 - 2013-10-08 00:58 - 00000000 _____ C:\Windows\SysWOW64\sho6E4D.tmp
2013-10-08 00:53 - 2013-10-08 00:53 - 00000000 _____ C:\Windows\SysWOW64\sho37AD.tmp
2013-10-06 00:31 - 2013-10-06 00:31 - 00000000 _____ C:\Windows\SysWOW64\sho34EF.tmp
2013-10-04 01:11 - 2013-10-04 01:11 - 00000000 _____ C:\Windows\SysWOW64\shoCAC8.tmp
2013-10-03 01:08 - 2013-10-03 01:08 - 00000000 _____ C:\Windows\SysWOW64\shoB598.tmp
2013-10-02 01:08 - 2013-10-02 01:08 - 00000000 _____ C:\Windows\SysWOW64\shoEC80.tmp
2013-10-02 01:02 - 2013-10-02 01:02 - 00000000 _____ C:\Windows\SysWOW64\shoC700.tmp
2013-10-01 01:12 - 2013-10-01 01:12 - 00000000 _____ C:\Windows\SysWOW64\shoBA69.tmp
2013-10-01 01:07 - 2013-10-01 01:07 - 00000000 _____ C:\Windows\SysWOW64\sho1B29.tmp
2013-09-29 19:07 - 2013-09-29 19:07 - 00239776 _____ C:\Users\Todd\Downloads\Chaucer’s_Characterization (1).pptx
2013-09-29 00:46 - 2013-09-29 00:46 - 00000000 _____ C:\Windows\SysWOW64\sho4EEB.tmp
2013-09-28 00:51 - 2013-09-28 00:51 - 00000000 _____ C:\Windows\SysWOW64\shoC467.tmp
2013-09-28 00:46 - 2013-09-28 00:46 - 00000000 _____ C:\Windows\SysWOW64\sho99D9.tmp
2013-09-27 00:49 - 2013-09-27 00:49 - 00000000 _____ C:\Windows\SysWOW64\shoD53.tmp
 
==================== One Month Modified Files and Folders =======
 
2013-10-26 10:36 - 2013-10-26 10:36 - 00000000 ____D C:\FRST
2013-10-26 06:34 - 2013-10-26 06:34 - 00000000 _____ C:\Windows\SysWOW64\sho8E0C.tmp
2013-10-26 06:34 - 2010-07-12 22:09 - 01772640 _____ C:\Windows\WindowsUpdate.log
2013-10-26 06:34 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-26 06:34 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-26 06:25 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-26 06:24 - 2009-07-13 20:51 - 00116826 _____ C:\Windows\setupact.log
2013-10-26 06:16 - 2012-02-27 20:49 - 00000000 ___RD C:\Users\Todd\Dropbox
2013-10-26 06:16 - 2012-02-27 20:45 - 00000000 ____D C:\Users\Todd\AppData\Roaming\Dropbox
2013-10-26 06:13 - 2012-04-06 07:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-26 06:11 - 2013-10-26 06:11 - 00270472 _____ C:\Windows\Minidump\102613-115159-01.dmp
2013-10-26 06:11 - 2011-02-18 14:34 - 00000000 ____D C:\Windows\Minidump
2013-10-26 06:10 - 2011-02-18 14:34 - 388554885 _____ C:\Windows\MEMORY.DMP
2013-10-26 05:55 - 2013-10-26 05:55 - 00270472 _____ C:\Windows\Minidump\102613-51761-01.dmp
2013-10-26 05:47 - 2011-04-19 17:05 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3002832799-4013716802-3893733787-1000UA.job
2013-10-26 01:05 - 2013-10-26 01:05 - 00000000 _____ C:\Windows\SysWOW64\shoB323.tmp
2013-10-26 00:39 - 2013-07-03 00:09 - 01026304 _____ C:\Windows\IE10_main.log
2013-10-25 20:07 - 2013-10-25 20:01 - 00000000 ____D C:\Users\Todd\Desktop\10-25-13 Photo Dump
2013-10-25 19:51 - 2011-11-22 21:46 - 00059280 _____ C:\Users\Todd\Documents\PerfectMaskConduit.log
2013-10-25 19:51 - 2011-10-30 13:15 - 00055855 _____ C:\Users\Todd\Documents\DxO Logging Name.log
2013-10-25 19:51 - 2010-12-17 07:31 - 00089869 _____ C:\Users\Todd\Documents\FocalPointConduit.log
2013-10-25 18:47 - 2011-04-19 17:05 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3002832799-4013716802-3893733787-1000Core.job
2013-10-25 17:58 - 2013-01-30 12:17 - 00000328 _____ C:\Windows\Tasks\HPCeeScheduleForTodd.job
2013-10-25 17:58 - 2010-12-10 15:22 - 00003180 _____ C:\Windows\System32\Tasks\HPCeeScheduleForTodd
2013-10-24 01:12 - 2013-10-24 01:12 - 00000000 _____ C:\Windows\SysWOW64\shoFEA8.tmp
2013-10-24 01:07 - 2013-10-24 01:07 - 00000000 _____ C:\Windows\SysWOW64\sho5B34.tmp
2013-10-23 01:08 - 2013-10-23 01:08 - 00000000 _____ C:\Windows\SysWOW64\sho9D38.tmp
2013-10-22 01:33 - 2013-10-22 01:33 - 00000000 _____ C:\Windows\SysWOW64\sho4DFB.tmp
2013-10-21 01:24 - 2013-10-21 01:24 - 00000000 _____ C:\Windows\SysWOW64\sho87FF.tmp
2013-10-20 13:45 - 2013-10-20 13:28 - 00000000 ____D C:\Users\Todd\Downloads\Student papers
2013-10-20 13:41 - 2013-10-20 13:40 - 00000286 _____ C:\Users\Todd\AppData\Roaming\wklnhst.dat
2013-10-20 13:40 - 2013-10-20 13:40 - 00000000 ____D C:\Users\Todd\AppData\Roaming\Template
2013-10-20 13:40 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-10-20 08:03 - 2013-10-20 07:44 - 00000000 ____D C:\Users\Todd\AppData\Roaming\vlc
2013-10-19 00:54 - 2013-10-19 00:54 - 00000000 _____ C:\Windows\SysWOW64\shoF2C.tmp
2013-10-18 00:47 - 2013-10-18 00:47 - 00000000 _____ C:\Windows\SysWOW64\shoEB71.tmp
2013-10-17 00:54 - 2013-10-17 00:54 - 00000000 _____ C:\Windows\SysWOW64\shoFDCE.tmp
2013-10-17 00:49 - 2013-10-17 00:49 - 00000000 _____ C:\Windows\SysWOW64\shoFA8E.tmp
2013-10-16 15:21 - 2011-04-19 17:06 - 00002370 _____ C:\Users\Todd\Desktop\Google Chrome.lnk
2013-10-15 00:53 - 2013-10-15 00:53 - 00000000 _____ C:\Windows\SysWOW64\sho7B75.tmp
2013-10-14 15:49 - 2013-10-14 15:49 - 00020957 _____ C:\Users\Todd\Downloads\Teacher Assignments for PSAT.xlsx
2013-10-14 00:51 - 2013-10-14 00:51 - 00000000 _____ C:\Windows\SysWOW64\shoDB3C.tmp
2013-10-13 00:40 - 2013-10-13 00:40 - 00000000 _____ C:\Windows\SysWOW64\shoF41E.tmp
2013-10-12 00:40 - 2013-10-12 00:40 - 00000000 _____ C:\Windows\SysWOW64\sho20D3.tmp
2013-10-10 00:59 - 2012-05-28 00:02 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-10 00:59 - 2012-05-28 00:02 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-10 00:57 - 2013-10-10 00:57 - 00000000 _____ C:\Windows\SysWOW64\shoD553.tmp
2013-10-10 00:39 - 2010-11-15 16:47 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-10 00:19 - 2009-07-13 21:13 - 00741212 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-10 00:10 - 2013-08-15 00:14 - 00000000 ____D C:\Windows\System32\MRT
2013-10-10 00:10 - 2010-11-12 21:14 - 80541720 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-10-09 11:58 - 2010-11-23 06:28 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2013-10-09 11:57 - 2011-10-26 04:06 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-10-09 11:55 - 2010-11-23 06:27 - 00000000 ____D C:\Users\Todd\AppData\Roaming\HP Support Assistant
2013-10-09 11:55 - 2010-11-12 20:51 - 00000000 ____D C:\Users\Todd\AppData\Roaming\HpUpdate
2013-10-09 03:13 - 2012-04-06 07:48 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-09 03:13 - 2012-04-06 07:46 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-09 03:13 - 2011-09-08 07:24 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-09 00:38 - 2013-10-09 00:38 - 00000017 _____ C:\Windows\SysWOW64\shortcut_ex.dat
2013-10-09 00:32 - 2013-10-09 00:32 - 00000000 _____ C:\Windows\SysWOW64\shoF235.tmp
2013-10-08 00:58 - 2013-10-08 00:58 - 00000000 _____ C:\Windows\SysWOW64\sho6E4D.tmp
2013-10-08 00:53 - 2013-10-08 00:53 - 00000000 _____ C:\Windows\SysWOW64\sho37AD.tmp
2013-10-07 18:42 - 2011-04-19 17:05 - 00003872 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3002832799-4013716802-3893733787-1000UA
2013-10-07 18:42 - 2011-04-19 17:05 - 00003476 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3002832799-4013716802-3893733787-1000Core
2013-10-06 00:31 - 2013-10-06 00:31 - 00000000 _____ C:\Windows\SysWOW64\sho34EF.tmp
2013-10-04 01:12 - 2010-07-12 23:42 - 00240170 _____ C:\Windows\PFRO.log
2013-10-04 01:11 - 2013-10-04 01:11 - 00000000 _____ C:\Windows\SysWOW64\shoCAC8.tmp
2013-10-03 01:08 - 2013-10-03 01:08 - 00000000 _____ C:\Windows\SysWOW64\shoB598.tmp
2013-10-02 01:08 - 2013-10-02 01:08 - 00000000 _____ C:\Windows\SysWOW64\shoEC80.tmp
2013-10-02 01:02 - 2013-10-02 01:02 - 00000000 _____ C:\Windows\SysWOW64\shoC700.tmp
2013-10-01 01:12 - 2013-10-01 01:12 - 00000000 _____ C:\Windows\SysWOW64\shoBA69.tmp
2013-10-01 01:07 - 2013-10-01 01:07 - 00000000 _____ C:\Windows\SysWOW64\sho1B29.tmp
2013-09-30 07:00 - 2010-11-11 20:02 - 00000544 _____ C:\Windows\Tasks\PCDRScheduledMaintenance.job
2013-09-29 19:07 - 2013-09-29 19:07 - 00239776 _____ C:\Users\Todd\Downloads\Chaucer’s_Characterization (1).pptx
2013-09-29 00:46 - 2013-09-29 00:46 - 00000000 _____ C:\Windows\SysWOW64\sho4EEB.tmp
2013-09-29 00:43 - 2009-07-13 21:08 - 00032558 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-28 00:51 - 2013-09-28 00:51 - 00000000 _____ C:\Windows\SysWOW64\shoC467.tmp
2013-09-28 00:46 - 2013-09-28 00:46 - 00000000 _____ C:\Windows\SysWOW64\sho99D9.tmp
2013-09-27 00:49 - 2013-09-27 00:49 - 00000000 _____ C:\Windows\SysWOW64\shoD53.tmp
 
Some content of TEMP:
====================
C:\Users\Todd\AppData\Local\Temp\an4ywqn-.dll
C:\Users\Todd\AppData\Local\Temp\COMAP.EXE
C:\Users\Todd\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Todd\AppData\Local\Temp\GC_PCTOOLS.exe
C:\Users\Todd\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Todd\AppData\Local\Temp\i4jdel0.exe
C:\Users\Todd\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Todd\AppData\Local\Temp\jQJ0cyI.exe
C:\Users\Todd\AppData\Local\Temp\jQJ0cyI0.exe
C:\Users\Todd\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Todd\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Todd\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Todd\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Todd\AppData\Local\Temp\pcttProtect32.dll
C:\Users\Todd\AppData\Local\Temp\Resource.exe
C:\Users\Todd\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Todd\AppData\Local\Temp\sp46257.exe
C:\Users\Todd\AppData\Local\Temp\sp49905.exe.exe
C:\Users\Todd\AppData\Local\Temp\sp53904.exe
C:\Users\Todd\AppData\Local\Temp\sp54931.exe
C:\Users\Todd\AppData\Local\Temp\sp58915.exe
C:\Users\Todd\AppData\Local\Temp\Trial.dll
C:\Users\Todd\AppData\Local\Temp\u6wct0e2.dll
C:\Users\Todd\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Todd\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Todd\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Todd\AppData\Local\Temp\wmpfirefoxplugin.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
13
Restore point made on: 2013-10-22 00:02:19
Restore point made on: 2013-10-22 00:21:08
Restore point made on: 2013-10-22 00:47:52
Restore point made on: 2013-10-23 00:00:58
Restore point made on: 2013-10-23 13:10:57
Restore point made on: 2013-10-23 18:59:54
Restore point made on: 2013-10-24 00:01:51
Restore point made on: 2013-10-24 00:51:08
Restore point made on: 2013-10-25 00:00:40
Restore point made on: 2013-10-26 00:01:23
Restore point made on: 2013-10-26 02:35:38
Restore point made on: 2013-10-26 03:53:15
Restore point made on: 2013-10-26 05:46:35
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 5879.89 MB
Available physical RAM: 4940.58 MB
Total Pagefile: 5878.04 MB
Available Pagefile: 4932.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:919.56 GB) (Free:180.63 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:11.66 GB) (Free:1.42 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:1.91 GB) (Free:1.91 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 932 GB) (Disk ID: 29888D4D)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=920 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=12 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 4D0FBD6A)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)
 
 
LastRegBack: 2013-10-21 02:36
 
==================== End Of Log ============================
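Added example (not part of the thread, and not FRST's or Malwarebytes' own code): a small Python triage pass over FRST log lines of the kind posted above. The one line FRST marked `<==== ATTENTION` is the per-user Winlogon `Shell` value, which has been changed from the default `explorer.exe` to `explorer.exe,C:\Users\Todd\AppData\Roaming\Other.res`, so that second file is started at every logon of that account. Winlogon `Shell` is a standard autostart location, and an extra program appended there, living under a user-writable `AppData` path with no company name in its version info, is the pattern a helper looks for first when a machine shows a lock screen at logon. The script applies that rule plus two weaker ones: Run entries whose target sits under a user-writable path, and Run values, services or drivers whose file FRST could not find (printed as `[x]`). The regular expressions encode my reading of the line shapes visible in this log, the severity labels and the `USER_WRITABLE` list are my own choices, and the sample input is a handful of lines copied from the log above.

```python
"""Triage FRST.txt autostart lines for the persistence patterns seen in this thread.

Added example; the line formats are inferred from the log posted above, not from
FRST documentation, so treat the regexes as assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST log posted above.
SAMPLE_LOG = r"""HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKU\Todd\...\Run: [Google Update] - C:\Users\Todd\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-04-19] (Google Inc.)
HKU\Todd\...\Winlogon: [shell] explorer.exe,C:\Users\Todd\AppData\Roaming\Other.res [153600 2011-11-16] () <==== ATTENTION
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
S0 TfFsMon; system32\drivers\TfFsMon.sys [x]
S3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [x]
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (my own scale)
    kind: str      # winlogon-shell | run-path | run-orphan | service-missing
    name: str
    detail: str


# Line shapes as they appear in the log above (assumed, see lead-in).
RUN_RE = re.compile(r"^(?P<key>HK(?:LM|U\\[^\\]+)(?:-x32)?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
WINLOGON_RE = re.compile(r"^(?P<key>HK(?:LM|U\\[^\\]+)(?:-x32)?)\\\.\.\.\\Winlogon: \[(?P<value>\w+)\] (?P<rest>.*)$")
SERVICE_RE = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# FRST appends "[size date] (company)" after a path; everything before it is the path.
FILEINFO_RE = re.compile(r" \[\d+ \d{4}-\d{2}-\d{2}\] \((?P<company>[^)]*)\)")

# Locations a non-admin user can write to; an autostart from here deserves a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def split_path_info(rest):
    """Return (path, company-or-None) from FRST's 'path [size date] (company)' tail."""
    m = FILEINFO_RE.search(rest)
    if not m:
        return rest.split(" <====")[0].strip(), None
    return rest[:m.start()].strip(), m.group("company")


def triage_line(line):
    """Classify one FRST line; return a Finding or None if it looks benign."""
    line = line.rstrip()
    m = WINLOGON_RE.match(line)
    if m and m.group("value").lower() == "shell":
        path, _ = split_path_info(m.group("rest"))
        # The Shell value is comma separated; anything besides explorer.exe is foreign.
        extra = [p.strip() for p in path.split(",") if p.strip().lower() != "explorer.exe"]
        if extra:
            return Finding("high", "winlogon-shell", m.group("key"),
                           "Shell starts %s alongside explorer.exe" % ", ".join(extra))
        return None
    m = RUN_RE.match(line)
    if m:
        name = m.group("name") or "<unnamed>"
        if m.group("rest").strip() == "[x]":
            return Finding("low", "run-orphan", name, "Run value whose target file is missing")
        path, company = split_path_info(m.group("rest"))
        if any(tok in path.lower() for tok in USER_WRITABLE):
            severity = "medium" if not company else "low"
            return Finding(severity, "run-path", name, "autostart from user-writable path: " + path)
        return None
    m = SERVICE_RE.match(line)
    if m and m.group("rest").rstrip().endswith("[x]"):
        target = m.group("rest").replace(" [x]", "").strip()
        return Finding("low", "service-missing", m.group("name"),
                       "service/driver registered but file not found: " + target)
    return None


def triage_log(text):
    """Run triage_line over a whole log and return findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (triage_line(l) for l in text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_LOG
    for f in triage_log(text):
        print(f"{f.severity:6} {f.kind:16} {f.name}: {f.detail}")
```

Run it against a saved log with `python triage_frst.py FRST.txt`; with no argument it uses the embedded sample. Missing-file entries and orphan Run values are frequently stale leftovers of uninstalled software and rate low on their own; the Winlogon line is the one that accounts for a screen-locking program appearing at logon, and it is the entry a fixlist would have to remove.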

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now and, if so, run MBAR.

If not, rescan with FRST and post the new log.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":


Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 13-10-26.01 - Todd 10/26/2013  14:16:31.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5880.3801 [GMT -5:00]
Running from: c:\users\Todd\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-26 to 2013-10-26  )))))))))))))))))))))))))))))))
.
.
2013-10-26 19:34 . 2013-10-26 19:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-26 18:39 . 2013-10-26 18:39 0 ----a-w- c:\windows\SysWow64\shoB9AE.tmp
2013-10-26 18:36 . 2013-10-26 18:36 -------- d-----w- C:\FRST
2013-10-26 18:34 . 2013-10-26 18:34 0 ----a-w- c:\windows\SysWow64\sho4D09.tmp
2013-10-26 16:23 . 2013-10-26 17:47 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-10-26 16:23 . 2013-10-26 16:23 116440 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-10-26 16:22 . 2013-10-26 16:22 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-10-26 14:34 . 2013-10-26 14:34 0 ----a-w- c:\windows\SysWow64\sho8E0C.tmp
2013-10-26 09:05 . 2013-10-26 09:05 0 ----a-w- c:\windows\SysWow64\shoB323.tmp
2013-10-24 09:12 . 2013-10-24 09:12 0 ----a-w- c:\windows\SysWow64\shoFEA8.tmp
2013-10-24 09:07 . 2013-10-24 09:07 0 ----a-w- c:\windows\SysWow64\sho5B34.tmp
2013-10-23 09:08 . 2013-10-23 09:08 0 ----a-w- c:\windows\SysWow64\sho9D38.tmp
2013-10-22 09:33 . 2013-10-22 09:33 0 ----a-w- c:\windows\SysWow64\sho4DFB.tmp
2013-10-21 09:24 . 2013-10-21 09:24 0 ----a-w- c:\windows\SysWow64\sho87FF.tmp
2013-10-20 21:40 . 2013-10-20 21:40 -------- d-----w- c:\users\Todd\AppData\Roaming\Template
2013-10-20 15:44 . 2013-10-20 16:03 -------- d-----w- c:\users\Todd\AppData\Roaming\vlc
2013-10-19 08:54 . 2013-10-19 08:54 0 ----a-w- c:\windows\SysWow64\shoF2C.tmp
2013-10-18 08:47 . 2013-10-18 08:47 0 ----a-w- c:\windows\SysWow64\shoEB71.tmp
2013-10-17 08:54 . 2013-10-17 08:54 0 ----a-w- c:\windows\SysWow64\shoFDCE.tmp
2013-10-17 08:49 . 2013-10-17 08:49 0 ----a-w- c:\windows\SysWow64\shoFA8E.tmp
2013-10-15 08:53 . 2013-10-15 08:53 0 ----a-w- c:\windows\SysWow64\sho7B75.tmp
2013-10-14 08:51 . 2013-10-14 08:51 0 ----a-w- c:\windows\SysWow64\shoDB3C.tmp
2013-10-13 08:40 . 2013-10-13 08:40 0 ----a-w- c:\windows\SysWow64\shoF41E.tmp
2013-10-12 08:40 . 2013-10-12 08:40 0 ----a-w- c:\windows\SysWow64\sho20D3.tmp
2013-10-10 08:57 . 2013-10-10 08:57 0 ----a-w- c:\windows\SysWow64\shoD553.tmp
2013-10-09 08:32 . 2013-10-09 08:32 0 ----a-w- c:\windows\SysWow64\shoF235.tmp
2013-10-08 08:58 . 2013-10-08 08:58 0 ----a-w- c:\windows\SysWow64\sho6E4D.tmp
2013-10-08 08:53 . 2013-10-08 08:53 0 ----a-w- c:\windows\SysWow64\sho37AD.tmp
2013-10-06 08:31 . 2013-10-06 08:31 0 ----a-w- c:\windows\SysWow64\sho34EF.tmp
2013-10-04 09:11 . 2013-10-04 09:11 0 ----a-w- c:\windows\SysWow64\shoCAC8.tmp
2013-10-03 09:08 . 2013-10-03 09:08 0 ----a-w- c:\windows\SysWow64\shoB598.tmp
2013-10-02 09:08 . 2013-10-02 09:08 0 ----a-w- c:\windows\SysWow64\shoEC80.tmp
2013-10-02 09:02 . 2013-10-02 09:02 0 ----a-w- c:\windows\SysWow64\shoC700.tmp
2013-10-01 09:12 . 2013-10-01 09:12 0 ----a-w- c:\windows\SysWow64\shoBA69.tmp
2013-10-01 09:07 . 2013-10-01 09:07 0 ----a-w- c:\windows\SysWow64\sho1B29.tmp
2013-09-29 08:46 . 2013-09-29 08:46 0 ----a-w- c:\windows\SysWow64\sho4EEB.tmp
2013-09-28 08:51 . 2013-09-28 08:51 0 ----a-w- c:\windows\SysWow64\shoC467.tmp
2013-09-28 08:46 . 2013-09-28 08:46 0 ----a-w- c:\windows\SysWow64\sho99D9.tmp
2013-09-27 08:49 . 2013-09-27 08:49 0 ----a-w- c:\windows\SysWow64\shoD53.tmp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-10 08:10 . 2010-11-13 05:14 80541720 ----a-w- c:\windows\system32\MRT.exe
2013-10-09 11:13 . 2012-04-06 15:46 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-09 11:13 . 2011-09-08 15:24 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-25 09:13 . 2013-09-25 09:13 0 ----a-w- c:\windows\SysWow64\sho523F.tmp
2013-09-24 08:52 . 2013-09-24 08:52 0 ----a-w- c:\windows\SysWow64\shoC8DA.tmp
2013-09-24 08:47 . 2013-09-24 08:47 0 ----a-w- c:\windows\SysWow64\sho994D.tmp
2013-09-21 08:41 . 2013-09-21 08:41 0 ----a-w- c:\windows\SysWow64\sho2833.tmp
2013-09-20 08:49 . 2013-09-20 08:49 0 ----a-w- c:\windows\SysWow64\sho96D2.tmp
2013-09-19 08:42 . 2013-09-19 08:42 0 ----a-w- c:\windows\SysWow64\sho2B5E.tmp
2013-09-18 08:52 . 2013-09-18 08:52 0 ----a-w- c:\windows\SysWow64\sho7EFE.tmp
2013-09-18 08:47 . 2013-09-18 08:47 0 ----a-w- c:\windows\SysWow64\sho2BBC.tmp
2013-09-17 08:21 . 2013-09-17 08:21 0 ----a-w- c:\windows\SysWow64\sho7321.tmp
2013-09-17 03:39 . 2013-09-17 03:39 0 ----a-w- c:\windows\SysWow64\shoF848.tmp
2013-09-16 08:40 . 2013-09-16 08:40 0 ----a-w- c:\windows\SysWow64\shoEDE7.tmp
2013-09-16 08:35 . 2013-09-16 08:35 0 ----a-w- c:\windows\SysWow64\sho4ADF.tmp
2013-09-15 08:34 . 2013-09-15 08:34 0 ----a-w- c:\windows\SysWow64\sho727B.tmp
2013-09-14 08:34 . 2013-09-14 08:34 0 ----a-w- c:\windows\SysWow64\sho7FD4.tmp
2013-09-13 08:35 . 2013-09-13 08:35 0 ----a-w- c:\windows\SysWow64\shoF59E.tmp
2013-09-11 08:56 . 2013-09-11 08:56 0 ----a-w- c:\windows\SysWow64\shoEECC.tmp
2013-09-10 08:48 . 2013-09-10 08:48 0 ----a-w- c:\windows\SysWow64\shoEA3E.tmp
2013-09-09 08:51 . 2013-09-09 08:51 0 ----a-w- c:\windows\SysWow64\shoE33C.tmp
2013-09-09 08:48 . 2013-09-09 08:48 0 ----a-w- c:\windows\SysWow64\sho5692.tmp
2013-09-07 08:48 . 2013-09-07 08:48 0 ----a-w- c:\windows\SysWow64\sho6641.tmp

2013-09-06 09:20 . 2013-09-06 09:20 0 ----a-w- c:\windows\SysWow64\shoEE54.tmp

2013-09-06 09:14 . 2013-09-06 09:14 0 ----a-w- c:\windows\SysWow64\sho7C0D.tmp

2013-09-05 09:00 . 2013-09-05 09:00 0 ----a-w- c:\windows\SysWow64\sho92F6.tmp

2013-09-04 08:50 . 2013-09-04 08:50 0 ----a-w- c:\windows\SysWow64\sho6650.tmp

2013-09-04 08:45 . 2013-09-04 08:45 0 ----a-w- c:\windows\SysWow64\sho12DF.tmp

2013-09-03 08:49 . 2013-09-03 08:49 0 ----a-w- c:\windows\SysWow64\shoAB5C.tmp

2013-09-02 23:32 . 2013-09-02 23:32 0 ----a-w- c:\windows\SysWow64\sho7945.tmp

2013-08-31 18:53 . 2013-08-31 18:53 0 ----a-w- c:\windows\SysWow64\sho6F8F.tmp

2013-08-31 08:45 . 2013-08-31 08:45 0 ----a-w- c:\windows\SysWow64\shoC626.tmp

2013-08-30 08:50 . 2013-08-30 08:50 0 ----a-w- c:\windows\SysWow64\shoD96D.tmp

2013-08-30 08:45 . 2013-08-30 08:45 0 ----a-w- c:\windows\SysWow64\sho4C46.tmp

2013-08-29 08:51 . 2013-08-29 08:51 0 ----a-w- c:\windows\SysWow64\sho14B8.tmp

2013-08-28 08:48 . 2013-08-28 08:48 0 ----a-w- c:\windows\SysWow64\sho884C.tmp

2013-08-26 08:49 . 2013-08-26 08:49 0 ----a-w- c:\windows\SysWow64\sho869C.tmp

2013-08-26 08:44 . 2013-08-26 08:44 0 ----a-w- c:\windows\SysWow64\shoD72.tmp

2013-08-24 08:41 . 2013-08-24 08:41 0 ----a-w- c:\windows\SysWow64\shoB506.tmp

2013-08-23 09:10 . 2013-08-23 09:10 0 ----a-w- c:\windows\SysWow64\shoC617.tmp

2013-08-22 08:47 . 2013-08-22 08:47 0 ----a-w- c:\windows\SysWow64\shoDBAE.tmp

2013-08-21 08:46 . 2013-08-21 08:46 0 ----a-w- c:\windows\SysWow64\sho9C97.tmp

2013-08-18 08:53 . 2013-08-18 08:53 0 ----a-w- c:\windows\SysWow64\shoEA7D.tmp

2013-08-16 08:44 . 2013-08-16 08:44 0 ----a-w- c:\windows\SysWow64\shoFA03.tmp

2013-08-15 08:56 . 2013-08-15 08:56 0 ----a-w- c:\windows\SysWow64\sho58FB.tmp

2013-08-14 15:33 . 2013-08-14 15:33 0 ----a-w- c:\windows\SysWow64\shoF0C4.tmp

2013-08-13 09:05 . 2013-08-13 09:05 0 ----a-w- c:\windows\SysWow64\shoDC4A.tmp

2013-08-13 09:01 . 2013-08-13 09:01 0 ----a-w- c:\windows\SysWow64\sho5951.tmp

2013-08-10 08:47 . 2013-08-10 08:47 0 ----a-w- c:\windows\SysWow64\sho5772.tmp

2013-08-10 08:42 . 2013-08-10 08:42 0 ----a-w- c:\windows\SysWow64\sho6F50.tmp

2013-08-09 08:47 . 2013-08-09 08:47 0 ----a-w- c:\windows\SysWow64\sho2F59.tmp

2013-08-09 08:43 . 2013-08-09 08:43 0 ----a-w- c:\windows\SysWow64\shoFA21.tmp

2013-08-08 08:41 . 2013-08-08 08:41 0 ----a-w- c:\windows\SysWow64\shoE73D.tmp

2013-08-07 08:46 . 2013-08-07 08:46 0 ----a-w- c:\windows\SysWow64\shoBB9B.tmp

2013-08-05 08:41 . 2013-08-05 08:41 0 ----a-w- c:\windows\SysWow64\shoF46.tmp

2013-08-04 08:43 . 2013-08-04 08:43 0 ----a-w- c:\windows\SysWow64\sho797D.tmp

2013-08-02 08:41 . 2013-08-02 08:41 0 ----a-w- c:\windows\SysWow64\sho45E.tmp

2013-08-01 08:43 . 2013-08-01 08:43 0 ----a-w- c:\windows\SysWow64\shoFA02.tmp

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2012-08-29 20:51 1014344 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-08-29 20:51 1014344 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-08-29 20:51 1014344 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 130736 ----a-w- c:\users\Todd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 130736 ----a-w- c:\users\Todd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 130736 ----a-w- c:\users\Todd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-09-28 1715768]

"Akamai NetSession Interface"="c:\users\Todd\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]

"MusicManager"="c:\users\Todd\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2013-04-23 7331840]

"GoogleChromeAutoLaunch_074FE521E48D2FD943354AD99FDC5BFB"="c:\users\Todd\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-10-09 844752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-03 98304]

"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]

"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-08-29 1061960]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

.

c:\users\Todd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Todd\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]

NexDef Plug-in.lnk - c:\users\Todd\AppData\Local\Autobahn\nexdef.exe [2011-8-11 15490560]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-20 65588]

PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2009-6-3 430080]

Spyder3Utility.lnk - c:\program files (x86)\Datacolor\Spyder3Express\Utility\Spyder3Utility.exe [2009-8-11 6798714]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys;c:\windows\SYSNATIVE\drivers\TfFsMon.sys [x]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys;c:\windows\SYSNATIVE\drivers\TfSysMon.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]

R3 Spyder3;Datacolor Spyder3;c:\windows\system32\DRIVERS\Spyder3.sys;c:\windows\SYSNATIVE\DRIVERS\Spyder3.sys [x]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys;c:\windows\SYSNATIVE\drivers\TfNetMon.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]

S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys;c:\windows\SYSNATIVE\DRIVERS\ahcix64s.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1404000.028\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMDS64.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1404000.028\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMEFA64.SYS [x]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20131022.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20131022.001\BHDrvx64.sys [x]

S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\ccSetx64.sys [x]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20131025.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20131025.001\IDSvia64.sys [x]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\Ironx64.SYS [x]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NISx64\1404000.028\SYMNETS.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMNETS.SYS [x]

S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]

S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]

S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [x]

S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [x]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]

S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [x]

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [x]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe;c:\windows\SysWOW64\nlssrv32.exe [x]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-10-26 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 11:13]

.

2013-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3002832799-4013716802-3893733787-1000Core.job

- c:\users\Todd\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-20 01:05]

.

2013-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3002832799-4013716802-3893733787-1000UA.job

- c:\users\Todd\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-20 01:05]

.

2013-10-26 c:\windows\Tasks\HPCeeScheduleForTodd.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 04:15]

.

2013-09-30 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2010-02-01 23:02]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2012-08-29 20:43 1284168 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-08-29 20:43 1284168 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-08-29 20:43 1284168 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\Todd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\Todd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\Todd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\Todd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]

"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-18 568888]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]

"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

AddRemove-Sharpener Pro 3.0 Stand-Alone - c:\program files (x86)\Nik Software\Sharpener Pro 3.0 for Lightroom\Uninstall.exe

AddRemove-{BA3D5FF2-A405-4654-826E-A09FABB01853} - c:\programdata\{91A6AF7F-6DAD-4AE6-91C6-74D71193471A}\fusion2_setup_ext.exe

AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-10-26  14:38:07

ComboFix-quarantined-files.txt  2013-10-26 19:38

.

Pre-Run: 243,005,521,920 bytes free

Post-Run: 252,401,348,608 bytes free

.

- - End Of File - - 290814CF2DDED9E14BDA2DB9E4435B6B

Let's clean out any adware now (this will require a reboot, so save all your work):

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":


  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now. MrC


Report for AdwCleaner:

 

# AdwCleaner v3.010 - Report created 26/10/2013 at 18:46:39
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Todd - NASKEDOV-HP
# Running from : C:\Users\Todd\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Todd\AppData\Local\PackageAware
Folder Deleted : C:\Users\Todd\AppData\Local\SanctionedMedia
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_pop-art-studio_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_pop-art-studio_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\SanctionedMedia
Key Deleted : HKCU\Software\Softonic
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16450
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Todd\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1963 octets] - [26/10/2013 18:43:07]
AdwCleaner[s0].txt - [1825 octets] - [26/10/2013 18:46:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1885 octets] ##########
And for MBAR:
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org
 
Database version: v2013.10.26.09
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Todd :: NASKEDOV-HP [administrator]
 
10/26/2013 7:00:42 PM
mbar-log-2013-10-26 (19-00-42).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 250898
Time elapsed: 36 minute(s), 4 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
MrC

Sorry, I went out of town. Here is the log:

 

Farbar Service Scanner Version: 24-10-2013
Ran by Todd (administrator) on 01-11-2013 at 16:42:50
Running from "C:\Users\Todd\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****
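To make the service and policy findings in an FSS.txt easier to triage, here is an added Python helper; it is not part of the thread and not part of Farbar's tool. It splits the log into its sections (a title line ending in ":" followed by a line of "=" characters), then lists every deviation from the defaults the tool itself states: services reported as not running, start types that differ from the stated default, any non-zero DWORD printed under a "... Disabled Policy" header, and File Check lines that do not read "MD5 is legit". The sample log is a constructed abridgement of the one posted above; the wording FSS uses for a failed MD5 check does not appear in the thread, so that branch is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: an abridged copy of the FSS.txt posted in this thread,
# keeping the Windows Defender findings and a couple of File Check lines.
SAMPLE_FSS = """\
Farbar Service Scanner Version: 24-10-2013
Boot Mode: Normal
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy: 
==================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\\Windows\\System32\\svchost.exe => MD5 is legit
C:\\Windows\\System32\\rpcss.dll => MD5 is legit

**** End of log ****
"""

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running")
START_TYPE_RE = re.compile(
    r"The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\."
)
REG_DWORD_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split an FSS log into {section title: non-empty body lines}.

    A section title is a line ending in ':' whose next line consists only of
    '=' characters; everything up to the next title belongs to that section.
    """
    lines = text.splitlines()
    sections: Dict[str, List[str]] = {}
    current = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.endswith(":") and nxt and set(nxt) == {"="}:
            current = line[:-1].strip()
            sections[current] = []
            i += 2
            continue
        if current is not None and line:
            sections[current].append(line)
        i += 1
    return sections


def analyze(text: str) -> List[str]:
    """Return one triage line per deviation from the defaults FSS states."""
    findings: List[str] = []
    for name, body in parse_sections(text).items():
        for line in body:
            m = NOT_RUNNING_RE.match(line)
            if m:
                findings.append(f"{name}: service {m.group(1)} is not running")
            m = START_TYPE_RE.search(line)
            if m and m.group(2) != m.group(3):
                findings.append(
                    f"{name}: {m.group(1)} start type is {m.group(2)} (default {m.group(3)})"
                )
            # A "... Disabled Policy" section is empty when no policy is set
            # (see the Firewall section); a non-zero DWORD means policy-disabled.
            m = REG_DWORD_RE.match(line)
            if m and name.endswith("Disabled Policy") and m.group(2) != "0":
                findings.append(f"{name}: {m.group(1)}={m.group(2)}")
            # Assumption: a failed hash check is any "=>" line that does not
            # carry the "MD5 is legit" wording seen in the thread.
            if name == "File Check" and "=>" in line and not line.endswith("MD5 is legit"):
                findings.append(f"File Check: {line}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FSS):
        print(finding)
```

The output is a triage list, not a verdict: on a Windows 7 machine running a third-party antivirus, WinDefend set to on-demand with DisableAntiSpyware=1 is the expected state when that product takes over protection, so those three lines need to be read against the installed security software rather than treated as tampering.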

Nothing wrong in the log.

You can try running Fixit in the following 2 links:

http://support.microsoft.com/mats/windows_update/

http://support.microsoft.com/kb/971058

----------------------------------------------

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Results of screen317's Security Check version 0.99.76  

 Windows 7 Service Pack 1 x64 (UAC is enabled)  

 Internet Explorer 10  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

Norton Internet Security   

 WMI entry may not exist for antivirus; attempting automatic update. 

`````````Anti-malware/Other Utilities Check:````````` 

 Spyder3Express     

 Java 7 Update 21  

 Java version out of Date! 

 Adobe Flash Player 11.9.900.117  

 Adobe Reader 10.1.8 Adobe Reader out of Date!  

 Google Chrome 30.0.1599.101  

 Google Chrome 30.0.1599.69  

 Google Chrome plugins...  

````````Process Check: objlist.exe by Laurent````````  

 Norton ccSvcHst.exe 

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C: 0% 

````````````````````End of Log`````````````````````` 

Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Java 7 Update 21 <----please update, should be Update 45
Java version out of Date! <--------Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

If there's no update tab in Java, uninstall it and download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

-----------------------------------

Adobe Reader 10.1.8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.