moondog90

Members · Content count: 22 · Rank: New Member

About moondog90
  1. I am new to Malwarebytes forum. In fact, new to forums in general. I had two problems when using the forum that may also be problems for people like me with little experience. 1. I went to type into my Reply box and found that it would not accept keystrokes. I tried everything to get back in sync, including rebooting my computer and entering the forum in various ways (going directly to the web page of my topic, searching for my topic, etc.). Nothing helped. After much trial and error, I found that if I right-clicked on the Reply box, a context menu with choices that looked odd to me appeared. These options included "Back" and "Reload" and some other stuff. In desperation, I clicked on "Reload". The Reply box was then able to accept keystrokes. What is all this about? How does the Forum get into this state? Why does it need me to help it get out? Why is this not automatic? I don't think this was the normal context menu; how many are there? 2. After conversing on the forum for a while, I eventually reached the end of Page One. Being a novice, I did not even know there would be a Page Two. I found a Reply box at the "end" of the topic. After "Reloading" a couple of times (see problem 1, above), I was able to enter text. When I clicked on the button, the text I had entered seemed to disappear! When leaving the topic and coming back a short time later, I again found the same empty Reply box at the same place. It took me the longest time to realize that my text was being entered on Page Two of the topic where I could not see it! (No, I am not a moron, just new to using any kind of Forum.) In my humble opinion, there should be no such empty reply box at the end of a page. The page should end with a filled-in reply box and below that, an arrow to click on that says "Next Page". That would have been all the help I needed.
What I would like, after hearing some explanation for these anomalies, is for someone with some authority to send my complaints to someone who has the power to make changes in the mechanics of the Forum itself. Thank you in advance. If you cannot make such anomalies go away, how about at least providing an "instruction sheet" with "solutions to common problems" for new users when they create an account? How about an easy-to-find form in which to enter complaints to the "Webmaster" (or some such being) under "Contact Us"?
  2. Can't find "More Reply Options". Don't know where to look. Shouldn't have to. My time is up. I must go home. I think Mom will be OK. Starting tomorrow afternoon I may send you a personal message. We can communicate that way for a while. I assume they are going to my email address of record. I will try to get that functioning. In the meantime, I have a message for your webmaster: My brain may be fried due to lack of sleep. I am not up to my usual genius I.Q. However, you need to see your sub-forum website through the eyes of someone who has never used one before. 1. One should never have to "reload" a Reply box in the middle of a page (or anywhere else for that matter). Especially from a context menu that one has not even been told exists. "Reload" what? 2. You should never display an empty Reply box at the end of a page. Especially one that can accept text that will appear, not on the current page, but on the next page! Let's just stick with NEVER show an empty reply box at the bottom of a page. End with the last reply (by either party) and display below that an arrow that says "Go to Next Page". This is not rocket science. Perhaps all forums work like yours. In that case, they are all illogical and poorly designed!
  3. aswMBR.txt is a normal txt file in notepad. I can highlight it and say "copy". I come to this reply box and right-click. "paste" is not one of the options. I tried "reload" about 4 times. Are there any other options in the context box such as "Back" or "reload" that you would like me to select?
  4. I don't understand. Followed the procedure. All hidden files, .sys etc., are visible. I can follow the path c:\Windows\system32\drivers\ and 21426115.sys is visible on Mom's computer. But when I follow the same path by clicking on "choose file" in virustotal, the file is not visible and virustotal says "21426115.sys" "file not found", if I click on "open".
  5. Oh. So we are on page 2? It is as simple as that? Why, when I click on my topic on the subforum webpage, does it send me to page 1 and allow me to type in the reply box at the end of page one?
  6. All my previous replies after I entered the incomplete ComboFix output have disappeared. As far as I can see this topic ends with an incomplete ComboFix output and the reply I am now typing. I hope when this disappears, it will come out at the end of a new topic somewhere with some name. Please give me instructions by email at verwoert222@msn.com
  7. As far as I can see, this topic ends above with my incomplete ComboFix output. What I think I replied on just before this was the beginning of a new topic with the same name. Where is it?
  8. ComboFix 12-05-03.02 - Mary 05/03/2012 12:43:42.3.2 - x64 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.3127 [GMT -7:00] Running from: c:\users\Mary\Desktop\ComboFix.exe (full ComboFix log posted here.) Hope that is right. Sorry for the delay. I have no idea how a PM is supposed to signal me. I am registered on this forum by my home email which is somehow inaccessible. I saw no postings after my first download of ComboFix. I looked at the forum repeatedly after restarting my computer, etc. I had great difficulty typing anything in the reply box. I had to "reload" the box repeatedly. Finally, I saw a message about ComboFix output being incomplete. It flashed by. Then I could not see it anymore. Still cannot see it. Hope this clears up. What do you suggest?
  9. Hello MrCharlie, Many thanks for all your help. I have learned how to watch you service various people on the subforum. You do the work of 3 people! This will be my swan song. I have time to run one or two more programs and post the results. Then I will have to return home and leave Mom's computer for about a month. I will read the forum but will not be able to experiment. So... 1. Tell me what you think of the ComboFix output. 2. Tell me what to run next and I will give the output before I go home. 3. Tell me your conclusions given all of the outputs taken together. 4. Later, read the short novel below and tell me what you think (BestSeller? KeepTheDayJob?)
Something to Consider! The detection of Trojan:Win32/Comisproc by Microsoft Security Essentials (MSE) may be a false positive. It is almost certainly "interference" between antiviruses. It may be "synergy" between AVs! In my first post to this Forum, paragraph 5, I said: "To help you understand better which version of comisproc [Mom] has, I will tell you what MSE says about it. The trojan always hides in C:\Windows\Temp\_avast4_\ and has names like unp251129543.tmp". This is according to the MSE History. When I go to C:\Windows\Temp\_avast4_\ it is always empty. (OK I thought, so MSE has deleted it...) If I delete the folder _avast4_ it comes back! What is creating and using the _avast4_ folder? Avast is an antivirus I never installed. Under C:\Program Files (x86)\Common Files\G Data\AVKScanP\ I find folders AdAware and Avast (containing a compressed folder of the Avast Engine). I find processes running such as GDFirewallTray.exe (the G-Data Personal Firewall) and AVKTray.exe. Holy Crap! A little research turns up that G-Data uses the Avast (and Bitdefender) engines. Ad-Aware Total Security (the version I have repeatedly mentioned that I use) is an OEM version of GDATA, and uses the G-DATA engine!
I am now pretty sure that Ad-Aware Total Security's "Personal Firewall" is not Microsoft Firewall but is the G-Data Personal Firewall (hence the running process GDFirewallTray.exe). Is G-Data Personal Firewall the same as Microsoft Firewall? Well, Microsoft says not to use any other security tool with MSE. Mom bought her computer with Windows 7 pre-installed. I did not even know what MSE was until it started reporting trojans. I installed Ad-Aware T. S. because I use it on my XP computer at home and it finds more stuff than anything else I have tried. So the question is: Is Ad-Aware finding a real Trojan:Win32/Comisproc, and putting it in the _avast4_ folder? I believe this is the folder where Avast unpacks and scans files, so if Avast unpacks a file into that folder, might it be discovered and deleted by MSE? Or perhaps, is MSE seeing a "false positive" of something that the Ad-Aware real-time protection is putting in the _avast4_ folder? (When I command Ad-Aware to "scan the computer" it never finds any trojans. Ad-Aware real-time protection comes on at boot-up, but it scans only on command, no schedule. MSE scans on a daily schedule.) Should I un-install Ad-Aware and MSE and then re-install MSE? (I am sure that is what Microsoft would say.) But is MSE capable of finding trojans without Ad-Aware's "help"? To answer this question read the next paragraph! In #9, Posted 01 May 2012 - 07:26 PM, I say that MSE detected Trojan:JS/IframeRef on a website whose name is similar to yours (www.malwarbytes.org). This is probably true, but the question remains: did Ad-Aware (using the Avast engine) find it and then have it "stolen" from its scanning folder by MSE? MSE reports the trojan found: C:\Windows\Temp\AvkHttp02EB1919.tmp (note, this one was in Temp, not Temp\_avast4_). I told MSE to exclude C:\Windows\Temp. Neither MSE nor Ad-Aware reported the trojan (Ad-Aware virus monitor set to "query desired action", firewall: Auto, Normal Security).
I removed the exclusion from MSE, and MSE again found the trojan. I disable Ad-Aware's "Web protection". Nobody finds the trojan. I re-enable Ad-Aware Web protection, MSE finds the trojan! Synergy? What do you make of that??? At the end of my post for DDS.attach you will see some entries for: "Error: Microsoft Antimalware [3002]". This also sounds like a conflict between run-time protections. Ad-Aware and MSE? Solution?
  10. Hello MrCharlie, Many thanks for all your help. I have learned how to watch you service various people on this subforum. You do the work of three people! This will be my swan song. I have time to run one or two more programs for you and post the results. Then I will have to return home and leave Mom's computer for about a month. I will read the forum but will not be able to experiment on Mom's computer. So... 1. Tell me what you think of the ComboFix output. 2. Tell me what to run next and I will give you output before I go home. 3. Tell me your conclusions given all of the outputs taken together. 4. Later, read the short novel below and tell me later what you think of it (BestSeller? KeepTheDayJob?) Something to Consider! The detection of Trojan:Win32/Comisproc by Microsoft Security Essentials (MSE) may be a "false positive". It is almost certainly "interference" between antiviruses. It may be "synergy" between AVs! In my first post to this Forum, paragraph 5, I said: "To help you understand better which version of comisproc [Mom] has, I will tell you what MSE says about it. The trojan always hides in C:\Windows\Temp\_avast4_\ and has names like unp251129543.tmp". This is according to the MSE History. When I go to C:\Windows\Temp\_avast4_\ it is always empty. (OK I thought, so MSE has deleted it...) If I delete the folder _avast4_ it comes back! What is creating and using the _avast4_ folder? Avast is an antivirus I never installed. Under C:Program Files (x86)\Common Files\G Data\AVKScanP\ I find folders AdAware and Avast (containing a compressed folder of the Avast Engine). I find processes running such as GDFirewallTray.exe (the G-Data Personal Firewall) and AVKTray.exe. Holy Crap! A little research turns up that G-Data uses the Avast (and bitdefender) engines. Ad-Aware Total Security (the version I have repeatedly mentioned that I use) is an OEM version of GDATA, and uses the G-DATA engine! 
I am now pretty sure that Ad-Aware Total Security's "Personal Firewall" is not Microsoft Firewall but is the G-Data Personal Firewall (hence the running process GDFirewallTray.exe). Is G-Data Personal Firewall the same as Microsoft Firewall? Well, Microsoft says not to use any other security tool with MSE. Mom bought her computer with Windows 7 pre-installed. I did not even know what MSE was until it started reporting trojans. I installed Ad-Aware T. S. because I use it on my XP computer at home and it finds more stuff than anything else I have tried. So the question is: Is Ad-Aware finding a real Trojan:Win32/Comisproc, and putting it in the _avast4_ folder? I believe this is the folder where Avast unpacks and scans files, so if Avast unpacks a file into that folder, might it be discovered and deleted by MSE? Or perhaps, is MSE seeing a "false positive" of something that the Ad-Aware real-time protection is putting in the _avast4_ folder? (When I command Ad-Aware to "scan the computer" it never finds any trojans. Ad-Aware real-time protection comes on at boot-up, but it scans only on command, no schedule. MSE scans on a daily schedule.) Should I un-install Ad-Aware and MSE and then re-install MSE (I am sure that is what Microsoft would say)? But is MSE capable of finding trojans without Ad-Aware's "help"? To answer this question read the next paragraph! In #9, Posted 01 May 2012 - 07:26 PM, I say that MSE detected Trojan:JS/IframeRef on a website whose name is similar to yours (www.malwarbytes.org). This is probably true, but the question remains: did Ad-Aware (using the Avast engine) find it and then have it "stolen" from its scanning folder by MSE? MSE reports the trojan found: C:\Windows\Temp\AvkHttp02EB1919.tmp (note, this one was in Temp not Temp\_avast4_) I told MSE to exclude C:\Windows\Temp. Neither MSE nor Ad-Aware reported the trojan (Ad-Aware virus monitor set to "query desired action", firewall: Auto, Normal Security).
I removed the exclusion from MSE, and MSE again found it. I disable Ad-Aware's "Web protection". Nobody finds the trojan. I re-enable Ad-Aware Web protection, MSE finds the trojan! Synergy? What do you make of that??? At the end of my post for DDS.attach you will see some entries for: "Error: Microsoft Antimalware [3002]". This also sounds like a conflict between run-time protections. Ad-Aware and MSE? Solution?
  11. Oh, OK. Found it. Thank you, I did miss your warning to reboot. What I was referring to was why was I not warned about having to "refresh" the Reply box? Here is the ComboFix output:
ComboFix 12-05-02.03 - Mary 05/02/2012 13:01:48.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2636 [GMT -7:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
AV: Ad-Aware Total Security *Disabled/Updated* {54ACC2FC-837E-E665-7A92-5352D560D5EF}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
FW: Ad-Aware Personal Firewall *Disabled* {6C9743D9-C911-E73D-51CD-FA672BB39294}
SP: Ad-Aware Total Security *Disabled/Updated* {EFCD2318-A544-E9EB-4022-6820AEE79F52}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
  12. Sorry if I sound like a neophyte, but when I did the manual reboot the log, I think it was on notepad, disappeared. If it somehow survives the reboot, how do I get it?
  13. You are a man of few words, Sir. "Less is sometimes more, but usually less is just less." Well, that was fun! ComboFix (CF) stopped and prompted me to turn off more stuff in Ad-Aware. So I just wrote down the settings and unchecked and disabled everything. CF continued. CF finished and did an auto reboot. I did not interfere, except to select "User Mary". When the reboot finished, CF produced a pop-up log. As I have done with every tool so far, I had prepared in advance a blank text file in which to place my personal copy of the report. When I tried to open the empty .txt file, I got "Illegal operation attempted on a registry key that has been marked for deletion." I tried to open Ad-Aware (to turn it back on). Same msg. I tried to open Firefox (to Reply to you). Same msg. I did a manual reboot. CF log went away. Ran CF again. Same problem. Printed out the CF log on paper. Did another manual reboot but did not run CF. Things open OK (was worried I was going to have to try a Windows boot to safe mode and a restore point. Probably would not have worked, I have not used Windows 7 before). Went to this topic to cry to you and found that I could not type anything in the "Reply" box to this topic! Opened a new topic to complain about this topic, but could not type anything into the Reply box for the new topic! Eventually discovered that I had to right-click on the Reply box and select "Refresh" or something like that. Why was I not warned, as a new member, that I might have to know how to do this? So, I have the log for CF on paper. Should only take me about two hours to figure out how to scan this on Mom's computer, put the scanned pages into a .txt file, and then paste the file into my Reply to you. If I run CF again, I will get stuck again. If I manually reboot, the CF output on notepad will disappear again. Any suggestions?
  14. Hello. Please disregard my personal message to you MrC. I had to "reload" the reply window. Now I can type in it again. This never happened before. I am a new user. What warning should I have read?
  15. I am still reading how to download and use ComboFix. But you have reminded me of something I did not know or have forgotten - to disable my other antivirus stuff. I assume you mean only the run-time protection. I have not been doing this up until now. Is there anything we should go back and run again? Accordingly, I have just turned off Ad-Aware Total Security, firewall and web protection. Is that OK? I also turned off Microsoft Security Essentials, real-time protection. Is that OK? Normally, these seem to work OK together. I am pretty sure that the Ad-Aware personal firewall is the same as the Microsoft firewall. I don't think I have any other real-time protection running. However, when I try to run any program, I get an annoying pop-up that says "User Account Control" "Do you want to allow the following program to make changes to this computer?" This is still happening so I assume it is part of the Windows 7 operating system. Call this behaviour "Annoying pop-up". What causes "Annoying pop-up"? Do you want it turned off for your tests? I want to turn it off permanently. Mom does not understand the difference between allowing a program to run that you have just commanded to run and allowing a dangerous program to do something you did not ask for. I cannot seem to teach her this. Therefore "Annoying pop-up" serves no purpose for her. How do I turn it off permanently?