JJMAC

Members
  • Content count

    27
  • Joined

  • Last visited

About JJMAC

  • Rank
    New Member
  1. Maurice I do apologise. I had intended the issue with my Laptop to be sent as a new topic. I don't know how it got tagged on to my previous topic "Help with removal of hidden backdoor(s} left by Trojans is needed to which you replied on 11 December to which the following is my reply thereto. [to dispose of the Laptop issue I can confirm that I have removed all the PUP detections and a new scan confirmed that they were gone] Reply to Maurice Naggar's post dated 11 Dec. 2012 Many thanks Maurice for your reply. Very helpful as always. I have already tried to get information from Dell support without success. I sent an email to dell_direct_support@dell.com on 28 Nov.in which I said that I have the Dell Reinstallation DVD for windows vista home premium and asked "should I have or will I require a Dell DVD which would automatically reformat the hard disk, reinstall drivers and preinstalled programs so as to restore the computer to its original condition when new". I also pointed out that drive D would be wiped when reformatted and asked where could I obtain the files required to restore drive D. I got no reply. When I go on line, select Dell Product Support and enter my Service Tag (CFBRT2J) my Computer is correctly identified including the date it was shipped and the date on which the warranty expired but when I try to log onto Technical Support my Service Tag is not recognised. I did, however, manage to get through to technical support on the telephone. I was asked for my Service Tag, my name, address, telephone number etc. before I was put through to a Technician. I am 84 years of age and my hearing, particularly on the phone, is not good. The technician was a foreign national and I had extreme difficulty following what he was saying and he obviously did not follow what I was asking. I did however gather that he wanted permission to remotely access my computer in order to fix my issue. I repeatedly asked if he would intend to reformat the hard disk and I understood him to say that would not be necessary. After ¾ hour I terminated the call without getting the information I was looking for.. He sent me an email offering to fix my issue (without saying what my issue was) but as my computer was out of warranty there would be a charge of £69 for a single incident. . He has telephoned me twice since then seeking my approval of his offer. There is no way I will agree to any proposal that will not leave me confident that my computer is clean. This is ridiculous. All I am asking for is information on the availability of any software/files required for the clean restoration of the operating system being items in addition to the reinstallation DVD for Windows Vista home premium 32bit which I already have. I am not seeking Dell Technical Support per se. I intend to pursue this further with Dell. Incidentally I think that the Dell reinstallation DVD will probably fully install fresh Windows without needing any files in Recovery Disk D or from an external source. The writing on the label on the disk is shown below: OPERATING SYSTEM ALREADY INSTALLED ON YOUR COMPUTER Reinstallation DVD Windows Vista Home Premium 32BIT The software is already Installed on your computer Support for these products Only use this DVD to reinstall is provided by Dell The operating system on a DELL PC For Distribution Only This DVD is not for reinstallation of With a New Dell PC. Programs or drivers.   DELL www.dell.com !! support.dell.com @2007 Dell inc Portions@ 2007 Microsoft Corporation All rights reserved P/N HY484 There is a Help File on the DVD entitled INSTALLATION INSTRUCTIONS These instructions are for Upgrading Windows when you already have a version of Windows on your Computer and you want to keep your File Settings & Program 1. Installing a new version of Windows when you want to replace your current Operating System2. You have an operating System installed on your Computer and you want to install Windows on an available Separate Partition of your Hard Disk You have a Computer with no Operating System installed. It may be possible that the above instructions applied to the original Microsoft Windows Operating System before it was modified by DELL. In which case I will still seek conformation from Dell that their reinstallation DVD will fully install fresh Windows. The DELL FACTORY IMAGE RESTORE UTILITY is in RecoveryD/Tools/PCRestore . I don’t think it was ever hidden. It might be possible to create a restore disk from the factory created partition on the hard drive but I would not attempt to do so if there was any risk of Drive D being infected. If there is no risk or only a very remote risk of Drive D being infected would it be feasible to reformat Drive C only and leave the drive D partition as is.? Will the Diskpart.exe utility be found on the Dell reinstallation DVD. ? I have backed up Document files and Photos. That’s all I intend to Backup and intend to restore only a few if any of these. Do I read your instructions correctly Set the bios to boot from the DVD first. Insert the DVD. Start the computer and let it boot to a command prompt. Install Windows Vista and when asked Where do you want to install Windows screen press SHIFT+F10 to open a command prompt. Click start, click run and type diskpart. Follow instructions to clean the disk and permanently remove all the data and all the partitions. Does this clean up program also reformat the hard disk.? At what stage is the hard disk repartitioned ? Maurice I am afraid I will now have to put this issue once more on the back burner until after Christmas as I am caught up with other things. May I wish you a happy Christmas and thank you for all your help. Regards JJMAC
  2. I have a financial portfolio in an Excel file stored in a USB memory stick which I update weekly on my Laptop. Two days ago I opened my portfolio on my Laptop, and as I normally do, updated the portfolio and then in the usual way tried to save it in the memory stick thus overwriting the (portfolio) file therein, but that did not happen. Instead I got a message to say that the file could not be saved in drive F (the memory stick) but instead it had been saved in a temporary file with an eight character alpha numerical file name. I then opened Drive F where I found the temporary file but the original portfolio file had disappeared. I became concerned that the disappearance of the portfolio file might be caused by a virus so I scanned the computer with the MalwareBytes program. A log of the scan,which detected 103 objects, is appended hereto. I decided not to delete these objects until after I have your advice as to the nature of them and in particular whether they indicate that my portfolio may have been hacked during the short period I had it opened on my laptop. The reason I had my Portfolio stored on a memory stick was to avoid storing sensitive files on my laptop as a safeguard against it being stolen. Thank you JJMAC Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Database version: v2013.12.09.08 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 10.0.9200.16736 John :: JOHN-TOSH [administrator] 10/12/2013 15:20:37 MBAM-log-2013-12-10 (16-00-50).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 238722 Time elapsed: 14 minute(s), 30 second(s) Memory Processes Detected: 3 C:\Program Files (x86)\SR Toolbar\Datamngr\datamngrUI.exe (PUP.Optional.Datamngr.A) -> 2756 -> No action taken. C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49brmon.exe (PUP.Optional.MindSpark) -> 2772 -> No action taken. C:\Program Files (x86)\MapsGalaxy_39\bar\2.bin\39brmon.exe (PUP.Optional.MindSpark) -> 2944 -> No action taken. Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 35 HKCR\CLSID\{33119133-0854-469d-807A-171568457991} (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\CLSID\{13119113-0854-469d-807A-171568457991} (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\MapsGalaxy_39.SkinLauncher.1 (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\MapsGalaxy_39.SkinLauncher (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\TypeLib\{03119103-0854-469d-807A-171568457991} (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\Interface\{23119123-0854-469D-807A-171568457991} (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\MapsGalaxy_39.SkinLauncherSettings.1 (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\MapsGalaxy_39.SkinLauncherSettings (PUP.Optional.FunWebProducts.A) -> No action taken. HKCR\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7} (PUP.Optional.SearchQu) -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> No action taken. HKCR\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> No action taken. HKCR\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15} (PUP.Optional.Bandoo.A) -> No action taken. HKCR\BrowserConnection.Loader.1 (PUP.Optional.Bandoo.A) -> No action taken. HKCR\BrowserConnection.Loader (PUP.Optional.Bandoo.A) -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4F12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D717F81-9148-4F12-8568-69135F087DB0} (PUP.Optional.Bandoo.A) -> No action taken. HKCR\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115} (PUP.Optional.Datamngr.A) -> No action taken. HKCR\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9} (PUP.Optional.Datamngr.A) -> No action taken. HKCR\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC} (PUP.Optional.Datamngr.A) -> No action taken. HKCR\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87} (PUP.Optional.Datamngr.A) -> No action taken. HKCR\SearchQUIEHelper.DNSGuard (PUP.Optional.SearchQu) -> No action taken. HKCR\SearchQUIEHelper.DNSGuard.1 (PUP.Optional.SearchQu) -> No action taken. HKCU\SOFTWARE\24x7HELP (PUP.Optional.24x7) -> No action taken. HKCU\SOFTWARE\DataMngr_Toolbar (PUP.Optional.DataMngr.A) -> No action taken. HKCU\Software\DataMngr (PUP.Optional.DataMngr.A) -> No action taken. HKLM\SOFTWARE\24x7HELP (PUP.Optional.24x7) -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu Toolbar (PUP.Optional.Searchqu) -> No action taken. HKCR\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515} (PUP.Optional.Searchqu) -> No action taken. HKCR\TypeLib\{841D5A49-E48D-413c-9C28-EB3D9081D705} (PUP.Optional.Searchqu) -> No action taken. HKCR\Interface\{44B619BC-3D2B-4990-AA4F-9AA366921792} (PUP.Optional.Searchqu) -> No action taken. HKCR\DnsBHO.BHO.1 (PUP.Optional.Searchqu) -> No action taken. HKCR\DnsBHO.BHO (PUP.Optional.Searchqu) -> No action taken. Registry Values Detected: 7 HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{99079A25-328F-4BD4-BE04-00955ACAA0A7} (PUP.Optional.SearchQu) -> Data: Searchqu Toolbar -> No action taken. HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{99079a25-328f-4bd4-be04-00955acaa0a7} (PUP.Optional.SearchQu) -> Data: -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|DATAMNGR (PUP.Optional.Datamngr.A) -> Data: C:\PROGRA~2\SRTOOL~1\Datamngr\DATAMN~1.EXE -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Utility Chest Search Scope Monitor (PUP.Optional.MindSpark) -> Data: "C:\PROGRA~2\UTILIT~2\bar\1.bin\49srchmn.exe" /m=2 /w /h -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|UtilityChest_49 Browser Plugin Loader (PUP.Optional.MindSpark) -> Data: C:\PROGRA~2\UTILIT~2\bar\1.bin\49brmon.exe -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MapsGalaxy Search Scope Monitor (PUP.Optional.MindSpark) -> Data: "C:\PROGRA~2\MAPSGA~2\bar\2.bin\39srchmn.exe" /m=2 /w /h -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MapsGalaxy_39 Browser Plugin Loader (PUP.Optional.MindSpark) -> Data: C:\PROGRA~2\MAPSGA~2\bar\2.bin\39brmon.exe -> No action taken. Registry Data Items Detected: 2 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs (PUP.Optional.Datamngr.A) -> Bad: (C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll) Good: () -> No action taken. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs (PUP.Optional.Datamngr.A) -> Bad: (C:\PROGRA~3\Wincert\WIN32C~1.DLL) Good: () -> No action taken. Folders Detected: 6 C:\Program Files (x86)\Searchqu Toolbar (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64 (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\24x7Help (PUP.Optional.24x7.A) -> No action taken. Files Detected: 50 C:\Program Files (x86)\MapsGalaxy_39\bar\2.bin\39sknlcr.dll (PUP.Optional.FunWebProducts.A) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\BrowserConnection.dll (PUP.Optional.Bandoo.A) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\IEBHO.dll (PUP.Optional.Datamngr.A) -> No action taken. C:\Users\John\Downloads\MapsSetup (1).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (2).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (3).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (4).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (5).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (6).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (7).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (8).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup (9).exe (PUP.Optional.Inbox) -> No action taken. C:\Users\John\Downloads\MapsSetup.exe (PUP.Optional.Inbox) -> No action taken. C:\ProgramData\Wincert\win32cert.dll (PUP.Optional.Datamngr.A) -> No action taken. C:\ProgramData\Wincert\win64cert.dll (PUP.Optional.Datamngr.A) -> No action taken. C:\ProgramData\Wincert\win32prop.dll (PUP.Optional.Datamngr.A) -> No action taken. C:\ProgramData\Wincert\win64prop.dll (PUP.Optional.Datamngr.A) -> No action taken. C:\Program Files (x86)\SR Toolbar\Datamngr\datamngrUI.exe (PUP.Optional.Datamngr.A) -> No action taken. C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49SrchMn.exe (PUP.Optional.MindSpark) -> No action taken. C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49brmon.exe (PUP.Optional.MindSpark) -> No action taken. C:\Program Files (x86)\MapsGalaxy_39\bar\2.bin\39SrchMn.exe (PUP.Optional.MindSpark) -> No action taken. C:\Program Files (x86)\MapsGalaxy_39\bar\2.bin\39brmon.exe (PUP.Optional.MindSpark) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\sysid.ini (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\uninstall.exe (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngr.dll (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngrUI.exe (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\DnsBHO.dll (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\installhelper.dll (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib\analytics.js (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib\constant.js (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib\default-config.js (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib\jquery.js (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib\localStorage.js (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib\new-tab.js (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ChromeExtension\lib\preferences.js (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\BrowserConnection.dll (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\datamngr.dll (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\datamngrUI.exe (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\DnsBHO.dll (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\IEBHO.dll (PUP.Optional.Searchqu) -> No action taken. C:\Program Files (x86)\24x7Help\24x7desk.64.dll (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\24x7desk.dll (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\App24x7Help.exe (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\App24x7Help.old.exe (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\App24x7Hook.dll (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\App24x7Hook.exe (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\App24x7Hook64.dll (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\App24x7Hook64.exe (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\App24x7Svc.exe (PUP.Optional.24x7.A) -> No action taken. C:\Program Files (x86)\24x7Help\unins000.exe (PUP.Optional.24x7.A) -> No action taken. (end)
  3. Hallo I had not quite finished my post when it took off and was sent prematurely Other queries If the recovery utility installed in drive D restores the computer to its factory condition would that not be equivalent to reformatting the disk. There was no virus on the computer when it left the factory. Would I be correct in thinking that the recovery utility will overwrite all third party programs installed after purchase in addition to personal files and restore only the programs which were preinstalled when new? It would be great if that was the case, Of course if drive D is reformatted the utility will be wiped out. JJMAC
  4. This post is a follow up to a previous topic entitled "Rogue Program Internet Security.ink has been removed but has my personal data been compromised" which I started on 19 April 2012 in "Resolved Highjack this Logs" and in particular to Maurice Nagger's response thereto on 7 May 2012 which described in great detail the steps I need to take to ensure the integrity of my computer. These steps included the reformat of the hard drive. I have put that task on the back burner with the computer meanwhile disconnected from the internet. I am now preparing to grasp the nettle and reformat the hard disk. The hard disk in my Dell Dimension E520 computer has two partitions, Drive C and Drive D. Drive D is labelled "Recovery" and contains a utility labelled "DELL FACTORY IMAGE RESTORE" with a description "This utility will restore your system to the state it was in when it left the factory. In order to return the system to the factory state all personal files will be overwritten" I sought help from a Dell Community Forum. I asked the community for information on the availability of the software or other items I will require to restore the computer to its factory condition after reformatting the hard disk, being items in addition to the Dell Restoration DVD for Windows Vista Home Premium 32 bit which was bundled with the computer when new. I received the following reply from one member of the forum. "If you boot up from live media (such as Windows 7 DVD) and use the repair options to open a command prompt, nyou can run the BOOTREX/FIXMBR and BOOTREC/FIXBOOT commands that will overwrite the Master Boot Record where the Trojans might be activated. Once that's done booting from the hard drive won't activate the Trojans and any rootkit-type cloaking they might use. Afterwards, reinstall Windows and the Trojans should be deactivated. There's nothing magic about Trojans" In my reply I pointed out that his advice differed from that which I had received which that I should reformat the hard disk to remove all hidden back doors left by Trojans. I could be attracted to the following Modus Operandi 1 Boot from Dell reinstallation Disk for Windows Vista Premium 32 bit 2 Run BOOTREX/FIXMBR & BOOTREC/FIXBOOT 3 Reboot from Hard Drive 4 Run a PC Cleaner 5 Reformat the hard drive and reinstall Vista operating system. The problem here is that if drive D is formatted I could not restore it including the recovery utility unless I can download the required files from Dell's web Site. Please advise on above steps including their sequence. I added step 4 after seeing a statement in the promotional literature for a PC Cleaning program claiming that reformatting the HD will not remove hidden files. I don't know if that claim has any substance. Please advise. Other queries 1I have assumed that reformatting the hard drive will include Drive D as well as Drive C. Am I correct?
  5. Dear MrC Thank you for your prompt reply. I have uninstalled inboxToolbar & Searchqu Toolbar. Here are the LOGFILES you requested ADWCLEANER LOGFILE # AdwCleaner v2.011 - Logfile created 12/05/2012 at 17:53:11 # Updated 02/12/2012 by Xplode # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits) # User : John - JOHN-TOSH # Boot Mode : Normal # Running from : C:\Users\John\Downloads\adwcleaner (1).exe # Option [Delete] ***** [services] ***** Stopped & Deleted : 24x7HelpSvc ***** [Files / Folders] ***** File Deleted : C:\Users\John\AppData\Local\Temp\searchqutoolbar-manifest.xml File Deleted : C:\Users\Public\Desktop\24x7 Help.lnk File Deleted : C:\Users\Public\Desktop\eBay.lnk File Deleted : C:\Users\Public\Desktop\iLivid.lnk File Deleted : C:\Users\Public\Desktop\RebateGiant.com.url Folder Deleted : C:\Program Files (x86)\Conduit Folder Deleted : C:\Program Files (x86)\Ilivid Folder Deleted : C:\Program Files (x86)\Inbox.com Folder Deleted : C:\Program Files (x86)\RebateInformer Folder Deleted : C:\Program Files (x86)\Searchqu Toolbar Folder Deleted : C:\Program Files (x86)\WiseConvert Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\24x7 Help Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RebateInformer Folder Deleted : C:\Users\John\AppData\Local\Conduit Folder Deleted : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbkceikmmebhmgcjiemejoaeholbnnjl Folder Deleted : C:\Users\John\AppData\Local\Ilivid Player Folder Deleted : C:\Users\John\AppData\LocalLow\Conduit Folder Deleted : C:\Users\John\AppData\LocalLow\PriceGong Folder Deleted : C:\Users\John\AppData\LocalLow\searchquband Folder Deleted : C:\Users\John\AppData\LocalLow\WiseConvert Folder Deleted : C:\Users\John\AppData\Roaming\24x7 Help ***** [Registry] ***** Key Deleted : HKCU\Software\24x7HELP Key Deleted : HKCU\Software\AppDataLow\Software\Conduit Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong Key Deleted : HKCU\Software\AppDataLow\Software\searchqutoolbar Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar Key Deleted : HKCU\Software\AppDataLow\Software\WiseConvert Key Deleted : HKCU\Software\AppDataLow\Toolbar Key Deleted : HKCU\Software\Conduit Key Deleted : HKCU\Software\CToolbar Key Deleted : HKCU\Software\DataMngr Key Deleted : HKCU\Software\Google\Chrome\Extensions\jbkceikmmebhmgcjiemejoaeholbnnjl Key Deleted : HKCU\Software\ilivid Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCB69577-088B-4004-9ED8-FF5BCC83A039} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{71B1DF81-18D9-4E5B-9493-CAB02B6E9D8F} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCB69577-088B-4004-9ED8-FF5BCC83A039} Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E} Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6} Key Deleted : HKLM\Software\24x7HELP Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Client Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Script Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Server Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Server2 Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\rebinfo Key Deleted : HKLM\SOFTWARE\Classes\RebateI.Rebate Informer BHO Key Deleted : HKLM\SOFTWARE\Classes\RebateI.RebateInformImageGen Key Deleted : HKLM\SOFTWARE\Classes\RebateInf.RebateInfObj Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3196716 Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{438B047C-C041-4D15-98CF-A97C6B366C28} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{506F578A-91E1-46CE-830F-E2F4268E9966} Key Deleted : HKLM\Software\Conduit Key Deleted : HKLM\Software\CToolbar Key Deleted : HKLM\Software\ilivid Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32 Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32 Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{71B1DF81-18D9-4E5B-9493-CAB02B6E9D8F} Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039} Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} Key Deleted : HKLM\Software\WiseConvert Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{13119113-0854-469D-807A-171568457991} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{183643C8-EE67-4574-9A38-927852E34163} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{33119133-0854-469D-807A-171568457991} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{4EF645BD-65B0-4F98-AD56-D0437B7045F6} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{54ECA872-DB2A-4C6B-BBB2-F3777C6786CC} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{71B1DF81-18D9-4E5B-9493-CAB02B6E9D8F} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{8736C681-37A0-40C6-A0F0-4C083409151C} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AF808758-C780-404C-A4EE-4526323FD9B6} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CCB69577-088B-4004-9ED8-FF5BCC83A039} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DB35C569-5624-4CFC-8043-E5139F55A073} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{01C78433-6FDF-4E5A-A82D-B535C32E03DF} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23119123-0854-469D-807A-171568457991} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{41349826-5C7F-4BF0-8279-5DAF1DE6E9AE} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{604EA016-1EDE-41E6-A23E-76CF8F2A4808} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B3BA5582-79A9-464D-A7FA-711C5888C6E9} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E9BBD270-4B87-4EE2-912F-6635674986C0} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jbkceikmmebhmgcjiemejoaeholbnnjl Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5569FDC6-10A6-49DC-AEF3-8CB1611EEB5D} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CB5E3782-13B7-4BE2-A905-6E30A2ADFAD8} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4EF645BD-65B0-4F98-AD56-D0437B7045F6}_is1 Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A957F04C-49F4-4375-8C8A-D04B769EFE47}_is1 Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ilivid Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WiseConvert Toolbar Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01C78433-6FDF-4E5A-A82D-B535C32E03DF} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{41349826-5C7F-4BF0-8279-5DAF1DE6E9AE} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{604EA016-1EDE-41E6-A23E-76CF8F2A4808} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B3BA5582-79A9-464D-A7FA-711C5888C6E9} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E9BBD270-4B87-4EE2-912F-6635674986C0} Key Deleted : HKLM\SOFTWARE\DataMngr Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB} Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} Key Deleted : HKLM\SOFTWARE\Software Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [RebateInformer] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [24x7HELP] Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}] Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}] ***** [internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16455 [OK] Registry is clean. -\\ Google Chrome v23.0.1271.95 File : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Preferences Deleted [l.11] : homepage = "hxxp://www.inbox.com/homepage.aspx?tbid=80678&lng=en", Deleted [l.15] : urls_to_restore_on_startup = [ "hxxp://www.inbox.com/homepage.aspx?tbid=80678&lng=en" ] Deleted [l.39] : icon_url = "hxxp://search.conduit.com/fav.ico", Deleted [l.42] : keyword = "search.conduit.com", Deleted [l.45] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3[...] Deleted [l.1228] : homepage = "hxxp://www.inbox.com/homepage.aspx?tbid=80678&lng=en", Deleted [l.1427] : urls_to_restore_on_startup = [ "hxxp://www.inbox.com/homepage.aspx?tbid=80678&lng=en" ] ************************* AdwCleaner[s2].txt - [11404 octets] - [05/12/2012 17:53:11] ########## EOF - C:\AdwCleaner[s2].txt - [11465 octets] ##########   Mbar-Log 1st Run Malwarebytes Anti-Rootkit 1.1.0.1009 www.malwarebytes.org Database version: v2012.12.05.08 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 John :: JOHN-TOSH [administrator] 05/12/2012 20:25:03 mbar-log-2012-12-05 (20-25-03).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: PUP | PUM | P2P Objects scanned: 27424 Time elapsed: 25 minute(s), 34 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Windows\ARTGALRY.CAG (Trojan.Downloader) -> Delete on reboot. [a952d009c39ab97de48010381fe2669a] (end) Mbar Log 2nd Run Malwarebytes Anti-Rootkit 1.1.0.1009 www.malwarebytes.org Database version: v2012.12.05.09 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 John :: JOHN-TOSH [administrator] 05/12/2012 21:04:25 mbar-log-2012-12-05 (21-04-25).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: PUP | PUM | P2P Objects scanned: 27308 Time elapsed: 21 minute(s), 14 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) At the start of the first MBAR scan I received the following message: Registry value "AppInit_Dlls" has been found which may be caused by rootkil activity. Press the "No" if you are not sure. If the tool crashes during a system scan restart and if the message is reoeated click the yes button. I clicked the "no" button at the start of both runs. No crash occurred.
  6. Many thanks for your help. The 2 logs and the report requested follow but may require more than 1 post. In addition to the Trojan removed by Malwarebytes on 2/12/12, Trend Micro (my internet security program) has now reported that on 3/12/12 mbam-setup.exe had been deleted for my protection.. You do not need to do anything else. Affected file:C:\PROGRAMDATA\Malwa... Threat:: TROJ.FAKEAV.BMC. Response: REMOVED Post no. 1 DDS.txt. DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.5.1 Run by John at 18:13:05 on 2012-12-04 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.1916.796 [GMT 0:00] . AV: Trend Micro Titanium Internet Security 2012 *Enabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA} SP: Trend Micro Titanium Internet Security 2012 *Enabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\ParetoLogic\FileCure\FileCure.exe C:\Program Files (x86)\24x7Help\App24x7Svc.exe C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe c:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe C:\Program Files (x86)\RebateInformer\RebateInf.exe C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\system32\TODDSrv.exe C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files (x86)\Inbox Toolbar\Inbox.exe C:\Program Files (x86)\Searchqu Toolbar\Datamngr\datamngrUI.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files (x86)\24x7Help\App24x7Help.exe C:\Program Files (x86)\24x7Help\App24x7Hook.exe C:\Program Files (x86)\24x7Help\App24x7Hook64.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe C:\Windows\system32\consent.exe C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingApp.exe C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingBar.exe C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingSurrogate.exe C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingSurrogate.exe C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingSurrogate.exe C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingSurrogate.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . uURLSearchHooks: Inbox Toolbar: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll uURLSearchHooks: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - <orphaned> mURLSearchHooks: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - <orphaned> BHO: <No Name>: {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\Program Files (x86)\SiteRanker\SiteRank.dll BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg32.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned> BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll BHO: DataMngr: {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\BrowserConnection.dll BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe32.dll BHO: <No Name>: {CCB69577-088B-4004-9ED8-FF5BCC83A039} - C:\Program Files (x86)\RebateInformer\RebateI.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll BHO: Inbox Toolbar: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll BHO: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - <orphaned> BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\Toshiba\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll TB: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - TB: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll uRun: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c uRun: [RebateInformer] C:\PROGRA~2\REBATE~1\REBATE~1.EXE /STARTUP uRun: [MRC] "C:\Program Files (x86)\PC Tune-Up\PCTuneUp.exe" /MBRSTART mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun: [inboxToolbar] "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /STARTUP mRun: [24x7HELP] "C:\Program Files (x86)\24x7Help\App24x7Help.exe" /STARTUP mRun: [DATAMNGR] C:\PROGRA~2\SEARCH~1\Datamngr\DATAMN~1.EXE dRun: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE uPolicies-Explorer: NoDrives = dword:0 uPolicies-Explorer: NoResolveTrack = dword:1 mPolicies-Explorer: NoDrives = dword:0 mPolicies-Explorer: NoResolveTrack = dword:1 mPolicies-System: ConsentPromptBehaviorAdmin = dword:5 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableUIADesktopToggle = dword:0 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll Trusted Zone: internet Trusted Zone: mcafee.com Trusted Zone: mcafee.com DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: NameServer = 192.168.2.1 TCP: Interfaces\{7BC6162B-8FA6-4F02-9D16-FCC1846E815F} : DHCPNameServer = 192.168.2.1 TCP: Interfaces\{A22D127C-938C-4DC7-8264-DF55CA381631} : DHCPNameServer = 10.239.24.5 Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - C:\Program Files (x86)\RebateInformer\RebateI.dll Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe32.dll Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg32.dll AppInit_DLLs= C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll C:\PROGRA~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg.dll x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll x64-BHO: DataMngr: {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Searchqu Toolbar\Datamngr\x64\BrowserConnection.dll x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll x64-BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe64.dll x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll x64-Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL "" x64-Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab x64-DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab x64-Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - <orphaned> x64-Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - <orphaned> x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned> x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned> x64-Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe64.dll x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg.dll x64-Notify: igfxcui - igfxdev.dll . ============= SERVICES / DRIVERS =============== . R1 tmevtmgr;tmevtmgr;C:\Windows\System32\drivers\tmevtmgr.sys [2012-5-10 77184] R2 24x7HelpSvc;24x7HelpService;C:\Program Files (x86)\24x7Help\App24x7Svc.exe [2012-9-23 394392] R2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2012-5-10 275912] R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200] R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2009-3-10 46448] R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408] R3 FwLnk;FwLnk Driver;C:\Windows\System32\drivers\FwLnk.sys [2010-4-8 9216] R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-3-4 75816] R3 tmeevw;tmeevw;C:\Windows\System32\drivers\tmeevw.sys [2012-5-10 67344] R3 tmnciesc;tmnciesc;C:\Windows\System32\drivers\tmnciesc.sys [2012-5-10 210704] S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-5-9 30192] S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2012-5-24 31800] S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-4-8 232992] S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-2-11 124368] S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2010-4-8 51512] S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-5-19 59392] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-5-10 1255736] . =============== Created Last 30 ================ . 2012-11-25 17:28:54 -------- d-----w- C:\Users\John\AppData\Roaming\Quat 2012-11-25 17:28:53 -------- d-----w- C:\Users\John\AppData\Roaming\Xagaf 2012-11-23 19:24:22 -------- d-----w- C:\MyBackup 2012-11-23 18:47:06 -------- d-----w- C:\Program Files (x86)\PC Tune-Up 2012-11-16 00:35:26 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui 2012-11-16 00:35:24 9728 ----a-w- C:\Windows\System32\Wdfres.dll 2012-11-16 00:35:24 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys 2012-11-16 00:35:24 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys 2012-11-16 00:23:40 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys 2012-11-16 00:23:40 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys 2012-11-16 00:23:39 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll 2012-11-16 00:23:38 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll 2012-11-16 00:23:36 744448 ----a-w- C:\Windows\System32\WUDFx.dll 2012-11-16 00:23:36 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll 2012-11-16 00:23:36 229888 ----a-w- C:\Windows\System32\WUDFHost.exe 2012-11-15 21:32:09 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll 2012-11-15 21:32:09 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll 2012-11-15 21:32:09 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll 2012-11-15 21:32:09 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll 2012-11-15 21:32:03 3149824 ----a-w- C:\Windows\System32\win32k.sys . ==================== Find3M ==================== . 2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll 2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll 2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll 2012-10-10 13:56:53 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2012-10-10 13:56:53 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll 2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll 2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl 2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe 2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll 2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll 2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll 2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll 2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys 2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll 2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll 2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll 2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll 2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll 2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll 2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll 2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll 2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll 2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys 2012-09-29 19:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys 2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll 2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll 2012-09-24 22:01:12 107048 ----a-w- C:\Windows\System32\drivers\tmactmon.sys 2012-09-24 22:00:36 77184 ----a-w- C:\Windows\System32\drivers\tmevtmgr.sys 2012-09-24 22:00:00 173504 ----a-w- C:\Windows\System32\drivers\tmcomm.sys 2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll 2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll . ============= FINISH: 18:14:19.55 =============== ATTACH.TXT DDS (Ver_2012-11-20.01) . Microsoft Windows 7 Home Premium Boot Device: \Device\HarddiskVolume1 Install Date: 09/05/2011 18:27:05 System Uptime: 04/12/2012 16:54:13 (2 hours ago) . Motherboard: TOSHIBA | | Portable PC Processor: Intel® Celeron® CPU 900 @ 2.20GHz | CPU | 2194/800mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 116 GiB total, 81.745 GiB free. D: is FIXED (NTFS) - 116 GiB total, 109.178 GiB free. E: is CDROM () . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP89: 10/10/2012 18:35:55 - Windows Update RP90: 10/10/2012 23:49:01 - Windows Update RP91: 01/11/2012 17:13:09 - TITANUIMRES5[0x01001101] RP92: 01/11/2012 17:19:40 - TITANUIMRES5[0x01001101] RP93: 16/11/2012 00:22:37 - Windows Update RP94: 25/11/2012 14:13:32 - Scheduled Checkpoint RP95: 27/11/2012 23:40:52 - Windows Update . ==== Installed Programs ====================== . 24x7 Help Adobe AIR Adobe Flash Player 11 ActiveX Adobe Reader 9.5.1 Advertising Center Amazon.co.uk Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver Atheros Driver Installation Program Bejeweled 2 Deluxe Bing Bar Chuzzle Deluxe Conexant HD Audio Diner Dash 2 Restaurant Rescue eBay FATE Google Chrome Google Desktop Google Toolbar for Internet Explorer Google Update Helper iLivid ImagXpress Inbox Toolbar Intel® Graphics Media Accelerator Driver Intel® Matrix Storage Manager Internet TV for Windows Media Center Java Auto Updater Java™ 6 Update 25 (64-bit) Java™ 7 Update 5 JavaFX 2.1.1 Jewel Quest II Junk Mail filter update Malwarebytes Anti-Malware version 1.65.1.1000 Microsoft .NET Framework 4 Client Profile Microsoft Application Error Reporting Microsoft Choice Guard Microsoft Default Manager Microsoft Excel 97 Microsoft Money 2001 Microsoft Silverlight Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Word 97 MSVCRT MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Nero 9 Essentials Nero BackItUp Nero BackItUp and Burn Nero BurnRights Nero BurnRights Help Nero ControlCenter Nero DiscSpeed Nero DiscSpeed Help Nero DriveSpeed Nero DriveSpeed Help Nero Express Nero Express Help Nero InfoTool Nero InfoTool Help Nero Installer Nero Online Upgrade Nero RescueAgent Nero StartSmart Nero StartSmart Help NeroExpress neroxml ParetoLogic FileCure PC Tune-Up Penguins! Photo Service - powered by myphotobook Plants vs. Zombies PlayReady PC Runtime amd64 Polar Bowler Realtek USB 2.0 Card Reader RebateInformer Revo Uninstaller Pro 2.5.8 Searchqu Toolbar Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449) Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019) SiteRanker Skype Toolbars Skype™ 5.10 Synaptics Pointing Device Driver Toshiba Assist TOSHIBA Bulletin Board TOSHIBA ConfigFree TOSHIBA Disc Creator TOSHIBA Hardware Setup TOSHIBA HDD/SSD Alert Toshiba Manuals TOSHIBA Media Controller TOSHIBA Media Controller Plug-in TOSHIBA Online Product Information TOSHIBA Recovery Media Creator TOSHIBA Recovery Media Creator Reminder TOSHIBA ReelTime TOSHIBA Service Station TOSHIBA Supervisor Password Toshiba TEMPRO TOSHIBA Value Added Package Trend Micro Titanium Trend Micro Titanium Internet Security 2012 TRORMCLauncher Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) WildTangent Games WildTangent ORB Game Console Windows Live Call Windows Live Communications Platform Windows Live Essentials Windows Live ID Sign-in Assistant Windows Live Mail Windows Live Messenger Windows Live Movie Maker Windows Live Photo Gallery Windows Live Sync Windows Live Upload Tool Windows Live Writer Windows Media Center Add-in for Silverlight WiseConvert Toolbar Zuma Deluxe . ==== Event Viewer Messages From Past Week ======== . 02/12/2012 23:36:41, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR4. 02/12/2012 23:20:53, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2. 02/12/2012 22:48:27, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1. . ==== End Of File =========================== RogueKiller REPORT RogueKiller V8.3.1 [Dec 2 2012] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo...13-roguekiller/ Website : http://tigzy.geeksto...roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : John [Admin rights] Mode : Scan -- Date : 12/04/2012 21:15:23 ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 6 ¤¤¤ [TASK][sUSP PATH] {BC28DFF6-20D5-4B9A-AB50-D0801943B1AC} : C:\Users\John\Desktop\cjrZ500-Z600EN (2).exe -> FOUND [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED] ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts 127.0.0.1 localhost   ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST9250315AS +++++ --- User --- [MBR] 338565a982b9886267cebc5a507d9731 [bSP] 48aeef1769ddc9929b5900423b368521 : Windows 7/8 MBR Code Partition table: 0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 400 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 821248 | Size: 119001 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 244535296 | Size: 119072 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[1]_S_12042012_02d2115.txt >> RKreport[1]_S_12042012_02d2115.txt End of Report. I did not think it would all fit into one Post. JJMAC
  7. Hallo A malwarebyte scan carried out on 2/12/12 found and sucessfully deleted the undernoted Trojan. Can I assume that my Laptop is now clean or is there a risk that a hidden backdoor may have been left.? The Laptop had not been showing any symptoms of infection which was uncovered during a routine scan. I am currently using Trend Micro Titanium internet security 2012. C:\Users\John\AppData\Roaming\Xagaf\noso.exe (Trojan.Zbot) -> Quarantined and deleted successfully. Thank You JJMAC
  8. Maurice I am pleased to inform you that I found inbox toolbar and have succesfully removed it from my computer. I think that you might be right when you suggested that this may also be causing the browser fault. I have closed it down twice, after removing the inbox toolbar,and no error message was received. I will be delighted if that issue has been resolved. Do you want me to run the DDS program again?. Kind Regards JJMAC
  9. Maurice After running DDS I get a message that DDS had created 2 log file 1 dds.txt 2 Attach.txt The logs will appear after you have closed this (TFC) window. However. only the dds.txt log appeared. The Attach.txt log did not appear. The same thing happened when I previously ran DDS (on 19 June.) You asked me to let you know generally how the PC is overall. Generally very good. It boots up in half the time taken by my Dell computer running on Windows Vista home premium (the infected Computer) or in a quarter of the time required by my Gateway computer running on Xppro. Currently the only issue with this computer is its failure to shut down IE 9 properly at the end of a browsing session, error message: A problem has caused Internet Explorer to stop working correctly. Windows will close the program –……….. Not too much of a problem as it normally only occurs when I try to close a web site. DDS LOG DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1 Run by John at 13:01:14 on 2012-07-27 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.1916.1217 [GMT 1:00] . AV: Trend Micro Titanium Internet Security 2012 *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92} SP: Trend Micro Titanium Internet Security 2012 *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\taskhost.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\Dwm.exe C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe C:\Windows\Explorer.EXE C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe C:\Windows\system32\conhost.exe C:\Windows\system32\taskeng.exe C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe C:\Windows\system32\conhost.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\ParetoLogic\FileCure\FileCure.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation c:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\system32\TODDSrv.exe C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\WUDFHost.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\taskeng.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe C:\Windows\SysWOW64\cscript.exe . ============== Pseudo HJT Report =============== . uURLSearchHooks: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - C:\PROGRA~2\INBOXT~1\Inbox.dll uURLSearchHooks: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - C:\Program Files (x86)\WiseConvert\prxtbWise.dll mURLSearchHooks: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - C:\Program Files (x86)\WiseConvert\prxtbWise.dll BHO: : {11bf46c6-b3de-48bd-bf70-3ad85cab80b5} - C:\PROGRA~2\SITERA~1\SiteRank.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - C:\PROGRA~2\INBOXT~1\Inbox.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll BHO: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - C:\Program Files (x86)\WiseConvert\prxtbWise.dll BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - C:\PROGRA~2\INBOXT~1\Inbox.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll" TB: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - C:\Program Files (x86)\WiseConvert\prxtbWise.dll mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" dRun: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) mPolicies-system: EnableLinkedConnections = 1 (0x1) IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll Trusted Zone: internet Trusted Zone: mcafee.com DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.2.1 TCP: Interfaces\{7BC6162B-8FA6-4F02-9D16-FCC1846E815F} : DhcpNameServer = 192.168.2.1 TCP: Interfaces\{A22D127C-938C-4DC7-8264-DF55CA381631} : DhcpNameServer = 10.239.24.5 Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~2\INBOXT~1\Inbox.dll Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll BHO-X64: : {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\PROGRA~2\SITERA~1\SiteRank.dll BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll BHO-X64: Trend Micro NSC BHO - No File BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll BHO-X64: SkypeIEPluginBHO - No File BHO-X64: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll BHO-X64: TmBpIeBHO - No File BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll BHO-X64: Inbox Toolbar: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~2\INBOXT~1\Inbox.dll BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll BHO-X64: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - C:\Program Files (x86)\WiseConvert\prxtbWise.dll BHO-X64: WiseConvert - No File BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll TB-X64: &Inbox Toolbar: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~2\INBOXT~1\Inbox.dll TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll" TB-X64: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - C:\Program Files (x86)\WiseConvert\prxtbWise.dll mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" AppInit_DLLs-X64: C:\PROGRA~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll . ============= SERVICES / DRIVERS =============== . R1 tmevtmgr;tmevtmgr;C:\Windows\system32\DRIVERS\tmevtmgr.sys --> C:\Windows\system32\DRIVERS\tmevtmgr.sys [?] R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?] R2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2012-5-10 275912] R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816] R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys --> C:\Windows\system32\DRIVERS\FwLnk.sys [?] R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?] R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?] S2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2009-3-10 46448] S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-10 136176] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-9 250056] S3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408] S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-5-9 30192] S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-10 136176] S3 Revoflt;Revoflt;C:\Windows\system32\DRIVERS\revoflt.sys --> C:\Windows\system32\DRIVERS\revoflt.sys [?] S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?] S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-2-11 124368] S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2010-4-8 51512] S3 tmeevw;tmeevw;C:\Windows\system32\DRIVERS\tmeevw.sys --> C:\Windows\system32\DRIVERS\tmeevw.sys [?] S3 tmnciesc;tmnciesc;C:\Windows\system32\DRIVERS\tmnciesc.sys --> C:\Windows\system32\DRIVERS\tmnciesc.sys [?] S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560] S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?] . =============== Created Last 30 ================ . 2012-07-20 17:16:52 -------- d-----w- C:\_OTL 2012-07-17 19:42:09 -------- d-----w- C:\Program Files (x86)\ESET 2012-07-11 23:16:05 3148800 ----a-w- C:\Windows\System32\win32k.sys 2012-07-11 14:07:07 2004480 ----a-w- C:\Windows\System32\msxml6.dll 2012-07-11 14:06:56 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll 2012-07-11 14:06:56 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll 2012-07-11 14:06:56 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll 2012-07-11 14:06:56 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll 2012-07-11 14:06:56 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll 2012-07-11 14:06:56 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll 2012-07-11 14:06:56 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll 2012-07-11 14:06:56 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll 2012-07-11 14:06:55 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll 2012-07-11 14:06:55 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll 2012-07-11 14:06:55 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll 2012-07-11 14:06:55 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll 2012-07-11 14:06:55 1133568 ----a-w- C:\Windows\System32\cdosys.dll 2012-07-10 14:45:50 -------- d-sh--w- C:\$RECYCLE.BIN 2012-07-10 13:48:26 98816 ----a-w- C:\Windows\sed.exe 2012-07-10 13:48:26 518144 ----a-w- C:\Windows\SWREG.exe 2012-07-10 13:48:26 256000 ----a-w- C:\Windows\PEV.exe 2012-07-10 13:48:26 208896 ----a-w- C:\Windows\MBR.exe 2012-07-10 12:36:44 -------- d-----w- C:\Windows\pss 2012-07-06 16:27:57 -------- d-----w- C:\Program Files (x86)\Oracle 2012-06-29 13:28:59 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe 2012-06-29 13:28:59 77312 ----a-w- C:\Windows\System32\rdpwsx.dll 2012-06-29 13:28:59 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll 2012-06-29 13:28:27 209920 ----a-w- C:\Windows\System32\profsvc.dll 2012-06-29 13:28:19 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe 2012-06-29 13:28:10 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2012-06-29 13:28:09 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2012-06-29 13:27:32 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys 2012-06-29 13:24:28 3216384 ----a-w- C:\Windows\System32\msi.dll 2012-06-29 13:24:27 2342400 ----a-w- C:\Windows\SysWow64\msi.dll 2012-06-29 13:24:09 184320 ----a-w- C:\Windows\System32\cryptsvc.dll 2012-06-29 13:24:09 1462272 ----a-w- C:\Windows\System32\crypt32.dll 2012-06-29 13:24:09 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll 2012-06-29 13:24:09 140288 ----a-w- C:\Windows\System32\cryptnet.dll 2012-06-29 13:24:09 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll 2012-06-29 13:24:09 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll 2012-06-29 11:04:39 2622464 ----a-w- C:\Windows\System32\wucltux.dll 2012-06-29 11:03:55 99840 ----a-w- C:\Windows\System32\wudriver.dll 2012-06-29 11:03:33 36864 ----a-w- C:\Windows\System32\wuapp.exe 2012-06-29 11:03:33 186752 ----a-w- C:\Windows\System32\wuwebv.dll . ==================== Find3M ==================== . 2012-07-26 21:06:54 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-26 21:06:54 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2012-07-03 12:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys 2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll 2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll 2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll 2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll 2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll 2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl 2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe 2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll 2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll 2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys 2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys 2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys 2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll 2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll 2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll 2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll 2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll 2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll 2012-05-24 10:18:09 4101392 ----a-w- C:\Windows\uninst.exe 2012-05-10 11:25:46 56 ----a-w- C:\Windows\System32\SupportTool.exe.bat 2012-05-04 18:29:22 772504 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll 2012-05-04 18:29:16 687504 ----a-w- C:\Windows\SysWow64\deployJava1.dll . ============= FINISH: 13:03:30.79 =============== Many thanks for your valued assistance. JJMAC
  10. Maurice I can’t explain it but I seem to be going from bad to worse. I ran TFC.exe as administrator. Temp file cleaner by old timer v3.1.9.0 opens Click start. Program runs. System requires a reboot to finish removing files. I click on ok to reboot now. After the system restarts I can’t find the DDS utility. When you say that after the system restarts I have the DDS utility already do you mean that I didn’t have the utility until the system restarts or that the DDS utility was already installed on my computer during some earlier tests. Either way I can’t find DDS or DDS.scr anywhere on my computer. I suspect that the internet explorer malfunction which causes the program to stop working correctly may have something toi do with this issue. JJMAC
  11. Maurice I have gone through this process three times and still come up with the same answer. Here are the steps taken 1 Right click on OTL (3).exe, (the item with the yellow and black motif) and select run as administrator. Click yes to allow OTL(3).exe to make changes to my computer. OTL version 3.2.53.0 opens, 2 go to instructions and high light & copy to clipboard the 6 items grouped vertically within the code box. 3 Return to OTL and paste these 6 items into the Custom Scan Fixes box. They appear as a single line along the top of the box. 4 Right click on internet explorer icon on the task bar and select Close all windows. I get the familiar error message : internet explorer has stopped working. Windows will close the program and notify you if a solution is available. I click on close program. 5 Click on Run Fix. Click OK to reboot. Got a security message asking if I was sure I wanted to run OTL(3).exe. Click on run and almost immediately I got the following: All processes killed Error: Unable to interpret <:Commands[purity][emptytemp][CREATERESTOREPOINT][EMPTYFLASH][Reboot]> in the current context! OTL by OldTimer - Version 3.2.53.0 log created on 07232012_163512 Files\Folders moved on Reboot... PendingFileRenameOperations files... Registry entries deleted on Reboot... Maurice I have been trying to figure out for myself what has gone wrong. When I clicked on runfix it obviously did not run, instead the computer rebooted and I was asked for permission to run OTL(3).exe which I could have withheld but that would not have got me anywhere. When at the start of the process I was asked to right click OTL.exe and select run as administrator I first clicked on start and searched the computer for OTL.EXE. A number of OTLs were listed including OTL(1)(2)(3) & (4). I selected OTL(3) as it was the only one with the black and yellow motif. which I presume was the correct one. I interpreted Copy all the lines in between the code box below to the clipboard to mean highlight the items within the code box and copy them as a group to the clipboard. When pasted into the OTL Custom Scans/Fixes window they appear as a single horizontal line along the top of the Custom Scans/Fixes window. Please let me know what has gone wrong. Thank you JJMAC
  12. Maurice Further to my last post (yesterday evening) I have now rerun the FixLog program having closed all browser windows before clicking the fix log button & it has come up with the same result. FIX LOG All processes killed Error: Unable to interpret <:processeskillallprocesses:filesrecycler /alldrives:Commands[purity][emptytemp][CREATERESTOREPOINT][EMPTYFLASH][Reboot]> in the current context!. OTL by OldTimer - Version 3.2.53.0 log created on 07202012_181652 Files\Folders moved on Reboot... PendingFileRenameOperations files... Registry entries deleted on Reboot... Is there still something wrong? I has expected to see a list of the processes killed, a list of files moved on reboot and their new location, & a list of the registry entries deleted. I’m afraid I am still getting the error message, Internet Explorer has stopped working, every time I try to close it. It seldom stops working during as browsing session so it is not too much of a problem. Regards JJMAC
  13. Maurice I am surprised that the RUN FIX log appended below shows less detail than I expected. I think that I followed the instructions accurately with one exception. Internet Explorer is the only open browser on this computer and the only browser window open was that of OTL.exe which I assumed could not be closed without also closing OTL.exe which had not completed at that stage. After clicking on Run Fix I was not presented with a fix complete message or an OK button. The next thing I saw was the Notebook log. I think now that leaving IE open was a mistake. I will have another go at that tomorrow and let you know if I get a different result. I have reinstalled Java and changed the settings as instructed. OTL log All processes killed Error: Unable to interpret <:processeskillallprocesses:filesrecycler /alldrives:Commands[purity][emptytemp][CREATERESTOREPOINT][EMPTYFLASH][Reboot]> in the current context! OTL by OldTimer - Version 3.2.53.0 log created on 07202012_181652 Files\Folders moved on Reboot... PendingFileRenameOperations files... Registry entries deleted on Reboot... Thanks for your help JJ Mac
  14. Maurice I can’t find System Mechanic on my laptop. It is not shown in Program and Features and a search of my laptop reports file not found. It is not a program that I bought and am currently using. The only programs that I bought during the past ten years were XPPro, PC Tune-up and a program that scans the computer to locate and update any out of date drivers found. I have mislaid the installation disk of the latter program. I think it was called driver genius. I purchased this laptop on 11/11/2010. If you can advise me where System Mechanic is located on my laptop I will do my best to locate and delete it. The following is the Eset Scan Log. This laptop continues to run very smoothly. The only problem of note is IE explorer stops working every time you log off. ESETSmartInstaller@High as CAB hook log: OnlineScanner64.ocx - registred OK OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330) # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=00a9739ceb3bb64980c85e3350b3d149 # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2012-07-17 08:31:40 # local_time=2012-07-17 09:31:40 (+0000, GMT Daylight Time) # country="United Kingdom" # lang=1033 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode=512 16777215 100 0 5905196 5905196 0 0 # compatibility_mode=5893 16776574 100 94 34156874 95019349 0 0 # compatibility_mode=8192 67108863 100 0 170 170 0 0 # scanned=137020 # found=0 # cleaned=0 # scan_time=2800 Thanks again for your help.
  15. Maurice I have run the TFC and the Combofix programs and append below the Combofix.txt log. The test procedure ran smoothly. After I re-enabled my antivirus program I got a Trend Micro message to say that affected file C:/users/john/desktop/TFC.exe, threat TROJ_Hidefil. BMC had been deleted for your protection. You do not need to do anything else so feel free to close this message. I presume that Trend Micro has come up with a false positive result and I am quite content to ignore it. You previously informed me that I could run the tests previously carried out on my laptop (the 6 steps) on my other system (my desktop) by copying the tools which had been downloaded on my laptop to my other system. Could I also copy over TFC.exe and Combo-Fix.exe. Does the first paragraph of step3 imply that there may be a restriction on running Combo-fix on more than one computer? These additional tests would not be worth running unless as a result it could be concluded that instead of there might have been a trojan backdoor left to the probability would be unlikely that a back door had been left. If I decide to run these additional tests on my desktop I will open a new Help topic. Would they be worth running? Please advise. COMBOFIX .TXT LOG ComboFix 12-07-10.01 - John 10/07/2012 14:50:12.1.1 - x64 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.1916.1248 [GMT 1:00] Running from: c:\users\John\Desktop\ComboFix.exe AV: Trend Micro Titanium Internet Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92} SP: Trend Micro Titanium Internet Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\security\Database\tmp.edb c:\windows\SysWow64\rnaph.dll . . ((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 ))))))))))))))))))))))))))))))) . . 2012-07-10 13:58 . 2012-07-10 13:58 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-06 16:27 . 2012-07-06 16:27 -------- d-----w- c:\program files (x86)\Oracle 2012-06-29 21:50 . 2012-05-18 01:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-06-29 21:50 . 2012-05-17 22:24 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2012-06-29 13:28 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll 2012-06-29 13:28 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-06-29 13:28 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-06-29 13:28 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll 2012-06-29 13:28 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-06-29 13:28 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe 2012-06-29 13:28 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2012-06-29 13:27 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys 2012-06-29 13:27 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-06-29 13:24 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll 2012-06-29 13:24 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll 2012-06-29 13:24 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll 2012-06-29 13:24 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll 2012-06-29 13:24 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll 2012-06-29 13:24 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-06-29 13:24 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll 2012-06-29 13:24 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-06-29 11:04 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-29 11:04 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-29 11:04 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-29 11:04 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-29 11:03 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-29 11:03 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-29 11:03 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-29 11:03 . 2012-06-02 14:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-29 11:03 . 2012-06-02 14:15 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-23 12:15 . 2012-06-23 12:15 -------- d-----w- C:\ARC 2012-06-21 19:29 . 2012-06-26 21:16 -------- d-----w- c:\program files (x86)\ERUNT 2012-06-12 13:39 . 2012-06-12 13:39 -------- d-----w- c:\users\John\AppData\Roaming\iolo 2012-06-12 13:39 . 2012-06-12 13:39 -------- d-----w- c:\programdata\iolo . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-29 11:02 . 2012-05-09 21:53 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-06-29 11:02 . 2011-06-11 14:15 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-05-24 10:18 . 2012-05-23 19:06 4101392 ----a-w- c:\windows\uninst.exe 2012-05-12 20:40 . 2012-05-12 20:40 16384 ----a-r- c:\users\John\AppData\Roaming\Microsoft\Installer\{D085A1B6-90A4-11D3-82B7-00C04FA309DE}\MnyIco.exe 2012-05-10 11:25 . 2012-05-10 11:25 56 ----a-w- c:\windows\system32\SupportTool.exe.bat 2012-05-04 18:29 . 2012-05-12 14:08 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-05-04 18:29 . 2012-05-12 14:08 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}"= "c:\program files (x86)\WiseConvert\prxtbWise.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}] . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}] 2012-02-20 03:34 342232 ----a-w- c:\progra~2\SITERA~1\SiteRank.dll . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}] 2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\WiseConvert\prxtbWise.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar] "{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}"= "c:\program files (x86)\WiseConvert\prxtbWise.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "TOSHIBA Online Product Information"="c:\program files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe" [2010-03-03 4581280] . c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ TRDCReminder.lnk - c:\program files (x86)\Toshiba\TRDCReminder\TRDCReminder.exe [2009-9-1 481184] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "EnableLinkedConnections"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-10 136176] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-29 257224] R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408] R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x] R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-05-09 30192] R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-10 136176] R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800] R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-02-01 232992] R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2010-02-11 124368] R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512] R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-05 137560] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-10 1255736] S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-07-12 70928] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x] S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200] S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448] S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216] S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-03-04 75816] S3 tmeevw;tmeevw;c:\windows\system32\DRIVERS\tmeevw.sys [2011-08-02 67344] S3 tmnciesc;tmnciesc;c:\windows\system32\DRIVERS\tmnciesc.sys [2011-08-02 210704] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2012-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 11:02] . 2012-01-11 c:\windows\Tasks\FileCure Default.job - c:\program files (x86)\ParetoLogic\FileCure\FileCure.exe [2011-03-01 23:00] . 2012-07-10 c:\windows\Tasks\FileCure Startup.job - c:\program files (x86)\ParetoLogic\FileCure\FileCure.exe [2011-03-01 23:00] . 2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-10 14:25] . 2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-10 14:25] . 2012-07-08 c:\windows\Tasks\ParetoLogic Registration3.job - c:\windows\system32\rundll32.exe [2009-07-13 01:14] . 2011-05-22 c:\windows\Tasks\ParetoLogic Update Version3.job - c:\program files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-01-28 21:19] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 213824] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80135&lng=en mLocal Page = c:\windows\SysWOW64\blank.htm Trusted Zone: internet Trusted Zone: mcafee.com TCP: DhcpNameServer = 192.168.2.1 . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Toolbar-Locked - (no file) WebBrowser-{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} - (no file) AddRemove-Excel - g:\office\Setup\AcmeXl.exe AddRemove-Lexmark Z500-Z600 Series - c:\program files (x86) (x86)\Lexmark Z500-Z600 Series\Install\x64\Uninst.exe . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-276842375-2578982421-1398554826-1001_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}] @Denied: (Full) (Everyone) @Allowed: (Read) (RestrictedCode) "scansk"=hex(0):44,6a,da,36,b1,79,8e,80,95,9a,4e,c3,0e,d9,26,45,64,eb,f4,c0,01, 01,92,81,d1,c0,02,18,94,4f,60,2b,ea,47,f1,b3,90,b5,58,b5,00,00,00,00,00,00,\ . [HKEY_USERS\S-1-5-21-276842375-2578982421-1398554826-1001_Classes\Wow6432Node\CLSID\{a4ff78c5-ad40-42e2-90b2-70a0a8a854a8}] @Denied: (Full) (Everyone) @Allowed: (Read) (RestrictedCode) "Model"=dword:000000a0 "Therad"=dword:0000001f "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26, 38,95,44,9c,f5,cb,2c,af,d6,12,76,f2,19,3f,57,1d,c6,30,3f,ca,17,f5,bc,41,f8,\ . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe . ************************************************************************** . Completion time: 2012-07-10 15:36:34 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-10 14:36 . Pre-Run: 92,228,927,488 bytes free Post-Run: 91,461,296,128 bytes free . - - End Of File - - 30C7F2A4245EB89D80AF20CD9BC1A9BD