jgio

FBI in Safe Mode - Trying FRST64, logs captured.....

44 posts in this topic

I have been following the instructions in the post titled "FBI virus- windows 7 can't access safe mode, help please" from January 11, 2013.

I have successfully run FRST64 and have the 2 logs saved. I need help with the rest of the process.

In the meantime, I used the same steps to locate the FRST64 file on a flash drive to locate, open, and run SpyHunter4; the first scan told me the computer was clean.

Now I'm running SpyHunter with the Quick Scan box unchecked; it's running through Program Files now but hasn't found anything yet.

Any help highly appreciated.

Now it has found 2 infections: WinActive (2 infections)

IE Toolbar and Homepage Hijacker. A derivative of lop.com/C2


 

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:


  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).

I want you to post both the FRST.txt report and the Search.txt into your reply to me.

Gringo

 


I ran the SpyHunter program once I figured out that I could launch it from Notepad. It found two infections as I listed above in my initial post. I did run Farbar prior to running SpyHunter and collected the two logs, but when I ran Farbar after running Spyhunter, Farbar just overwrote the two logs, so I can only provide the logs from after running Sybot:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-01-2013

Ran by SYSTEM at 18-01-2013 00:20:37

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [smartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610360 2009-09-14] ()

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)

HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [295072 2013-01-04] (RealNetworks, Inc.)

HKU\Admin\...\Run: [iSUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2004-08-09] (InstallShield Software Corporation)

HKU\Admin\...\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [247768 2012-08-28] (TomTom)

HKU\Admin\...\Run: [MyTomTomSA.exe] C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe [436728 2012-09-10] (TomTom)

HKU\Admin\...\Run: [sansaDispatch] C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2012-03-10] (SanDisk Corporation)

HKU\Admin\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-25] (Google Inc.)

HKU\Admin\...\Run: [MotoCast] "C:\Program Files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [x]

HKU\Admin\...\Run: [] C:\Users\Admin\AppData\Local\Temp\awt43abr.exe [x]

HKU\Admin\...\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKU\Admin\...\Run: [HLBackupScheduler] C:\Program Files\Backup Assistant Plus\V CAST Backup Scheduler.exe [7065224 2012-08-20] ()

HKU\Admin\...\Run: [Adobe ARM] "C:\ProgramData\ifgxpers.exe" [79496 2013-01-14] (Microsoft Corporation)

HKU\Admin\...\Run: [tanpwi] rundll32.exe "C:\Users\Admin\AppData\Roaming\tanpwi.dll",CreateTable [188416 2013-01-14] (Igor Pavlov)

HKU\Admin\...\Winlogon: [shell] C:\Users\Admin\AppData\Roaming\ldr.mcb,explorer.exe

HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)

HKLM-x32\...\Winlogon: [userinit] C:\Windows\SysWOW64\Userinit.exe [26624 2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2012-02-01] ()

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)

2 RealNetworks Downloader Resolver Service; "C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe" [38608 2012-11-29] ()

2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

2 TomTomHOMEService; "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe" [92632 2012-08-28] (TomTom)

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)

2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)

2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2009-09-17] (CyberLink Corp.)

2 MCSTRM; [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-17 22:39 - 2013-01-17 22:39 - 00000000 ____D C:\FRST

2013-01-14 12:39 - 2013-01-14 12:39 - 00590336 ____A (S3 Graphics Co., Ltd.) C:\Users\Admin\AppData\Roaming\qdvcp.dll

2013-01-14 12:38 - 2013-01-14 12:38 - 00188416 ____A (Igor Pavlov) C:\Users\Admin\AppData\Roaming\tanpwi.dll

2013-01-14 12:31 - 2013-01-14 12:31 - 00079496 ____A (Microsoft Corporation) C:\Users\All Users\ifgxpers.exe

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.exe

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.dll

2013-01-09 00:29 - 2013-01-17 19:31 - 00000168 ____A C:\Windows\setupact.log

2013-01-09 00:29 - 2013-01-09 00:29 - 00000000 ____A C:\Windows\setuperr.log

2013-01-08 11:48 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-08 11:48 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

2013-01-08 11:48 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-08 11:48 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-01-08 11:48 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-08 11:48 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-01-08 11:48 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-08 11:48 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2013-01-08 11:48 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2013-01-08 11:48 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2013-01-06 20:04 - 2013-01-06 20:04 - 00000000 ____D C:\Windows\Sun

2013-01-04 22:15 - 2013-01-16 16:17 - 00000000 ____D C:\Users\All Users\RealNetworks

2013-01-04 22:15 - 2013-01-16 16:17 - 00000000 ____D C:\Program Files (x86)\RealNetworks

2013-01-04 22:15 - 2013-01-04 22:15 - 00001042 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2013-01-04 22:14 - 2013-01-04 22:14 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

2013-01-02 13:43 - 2013-01-16 16:20 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-02 13:43 - 2013-01-16 16:20 - 00000000 ____D C:\Program Files\iTunes

2013-01-02 13:43 - 2013-01-16 16:20 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-01-02 13:43 - 2013-01-16 16:17 - 00000000 ____D C:\Program Files\iPod

2013-01-02 13:43 - 2013-01-02 13:43 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-12-21 00:00 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-21 00:00 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-21 00:00 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-21 00:00 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

==================== One Month Modified Files and Folders =======

2013-01-17 22:39 - 2013-01-17 22:39 - 00000000 ____D C:\FRST

2013-01-17 19:32 - 2011-05-25 16:16 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-01-17 19:31 - 2013-01-09 00:29 - 00000168 ____A C:\Windows\setupact.log

2013-01-17 19:31 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-17 19:05 - 2010-03-27 10:14 - 01430788 ____A C:\Windows\WindowsUpdate.log

2013-01-16 21:53 - 2010-10-08 11:18 - 00000000 ____D C:\Users\All Users\Recovery

2013-01-16 19:04 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-16 18:55 - 2010-04-21 19:15 - 00000000 ____D C:\users\Admin

2013-01-16 16:20 - 2013-01-02 13:43 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-16 16:20 - 2013-01-02 13:43 - 00000000 ____D C:\Program Files\iTunes

2013-01-16 16:20 - 2013-01-02 13:43 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-01-16 16:20 - 2012-05-24 17:03 - 00000000 ____D C:\Users\Admin\AppData\Roaming\MotoCast

2013-01-16 16:20 - 2012-01-19 22:29 - 00000000 ____D C:\Program Files (x86)\Real

2013-01-16 16:20 - 2010-09-12 09:24 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy

2013-01-16 16:20 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\sysprep

2013-01-16 16:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-01-16 16:19 - 2011-09-10 17:21 - 00000000 ____D C:\Windows\System32\Macromed

2013-01-16 16:18 - 2010-09-21 18:38 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Real

2013-01-16 16:18 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-01-16 16:17 - 2013-01-04 22:15 - 00000000 ____D C:\Users\All Users\RealNetworks

2013-01-16 16:17 - 2013-01-04 22:15 - 00000000 ____D C:\Program Files (x86)\RealNetworks

2013-01-16 16:17 - 2013-01-02 13:43 - 00000000 ____D C:\Program Files\iPod

2013-01-16 16:17 - 2012-12-04 19:48 - 00000000 ____D C:\Program Files (x86)\QuickTime

2013-01-16 16:17 - 2012-01-19 22:29 - 00000000 ____D C:\Users\All Users\Real

2013-01-16 16:17 - 2011-01-18 09:30 - 00000000 ____D C:\Users\All Users\InstallShield

2013-01-15 22:04 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV

2013-01-14 15:06 - 2012-05-24 17:06 - 00000000 ____D C:\Users\Admin\.gstreamer-0.10

2013-01-14 12:39 - 2013-01-14 12:39 - 00590336 ____A (S3 Graphics Co., Ltd.) C:\Users\Admin\AppData\Roaming\qdvcp.dll

2013-01-14 12:39 - 2010-04-25 21:33 - 00000000 ____D C:\Users\Admin\AppData\Local\CrashDumps

2013-01-14 12:38 - 2013-01-14 12:38 - 00188416 ____A (Igor Pavlov) C:\Users\Admin\AppData\Roaming\tanpwi.dll

2013-01-14 12:31 - 2013-01-14 12:31 - 00079496 ____A (Microsoft Corporation) C:\Users\All Users\ifgxpers.exe

2013-01-14 11:48 - 2012-04-13 18:40 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-14 11:44 - 2011-05-25 16:16 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.exe

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.dll

2013-01-09 10:49 - 2012-04-13 18:40 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-01-09 10:49 - 2011-05-14 07:38 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-01-09 08:57 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-09 08:57 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-09 00:30 - 2009-07-13 20:45 - 00557800 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-09 00:29 - 2013-01-09 00:29 - 00000000 ____A C:\Windows\setuperr.log

2013-01-09 00:11 - 2009-07-13 18:34 - 00000534 ____A C:\Windows\win.ini

2013-01-09 00:03 - 2010-05-06 19:03 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-01-06 20:04 - 2013-01-06 20:04 - 00000000 ____D C:\Windows\Sun

2013-01-04 22:15 - 2013-01-04 22:15 - 00001042 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2013-01-04 22:14 - 2013-01-04 22:14 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

2013-01-02 18:32 - 2012-12-04 19:48 - 00001847 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

2013-01-02 13:43 - 2013-01-02 13:43 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-01-02 11:47 - 2012-08-15 13:13 - 00000000 ____D C:\Users\Admin\Documents\James Files

2012-12-30 15:22 - 2011-08-06 12:56 - 00000000 ___AD C:\Users\Admin\Documents\Colleen's files

2012-12-21 00:17 - 2010-04-21 23:18 - 00365014 ____A C:\Windows\PFRO.log

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-01 21:01:27

Restore point made on: 2013-01-02 13:41:55

Restore point made on: 2013-01-04 19:53:37

Restore point made on: 2013-01-07 14:36:18

Restore point made on: 2013-01-08 11:34:10

Restore point made on: 2013-01-09 00:00:40

Restore point made on: 2013-01-12 00:41:08

Restore point made on: 2013-01-14 12:39:17

==================== Memory info ===========================

Percentage of memory in use: 16%

Total physical RAM: 8183.89 MB

Available physical RAM: 6815.79 MB

Total Pagefile: 8182.04 MB

Available Pagefile: 6984.25 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (HP) (Fixed) (Total:919.9 GB) (Free:650.23 GB) NTFS

2 Drive e: (FACTORY_IMAGE) (Fixed) (Total:11.32 GB) (Free:1.63 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive g: () (Removable) (Total:0.46 GB) (Free:0.21 GB) FAT

10 Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS

11 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 931 GB 0 B

Disk 1 Online 471 MB 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 919 GB 101 MB

Partition 3 Primary 11 GB 919 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 Y SYSTEM NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 C HP NTFS Partition 919 GB Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 E FACTORY_IMA NTFS Partition 11 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 470 MB 16 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 5 G FAT Removable 470 MB Healthy

=========================================================

Last Boot: 2013-01-03 23:00

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 15-01-2013

Ran by SYSTEM at 2013-01-18 00:23:38

Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe

[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

What should I do next with the Scan Tool Window and Command Window?


I know your instructions said not to run any other tools until I was instructed, but I got that message from you after starting the SpyHunter app....


Hello

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt


HKU\Admin\...\Winlogon: [Shell] C:\Users\Admin\AppData\Roaming\ldr.mcb,explorer.exe
HKU\Admin\...\Run: [] C:\Users\Admin\AppData\Local\Temp\awt43abr.exe [x]
HKU\Admin\...\Run: [tanpwi] rundll32.exe "C:\Users\Admin\AppData\Roaming\tanpwi.dll",CreateTable [188416 2013-01-14] (Igor Pavlov)
C:\Users\Admin\AppData\Roaming\qdvcp.dll
C:\Users\Admin\AppData\Roaming\tanpwi.dll
C:\Users\Admin\AppData\Local\vis.exe
C:\Users\Admin\AppData\Local\vis.dll
C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before, but this time press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

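The fixlist above is built by hand from the FRST.txt entries that do not belong: a Winlogon Shell that is not explorer.exe, a Run value with an empty name, a Run value mimicking the HKLM "Adobe ARM" entry but launching from ProgramData, DLLs and hidden+system executables dropped under the user profile, and the path from FRST's ZeroAccess check. The script below is an added example (not FRST's own logic and not the helper's script) that parses those FRST sections with constructed heuristics and emits candidate fixlist lines from a constructed excerpt of the log quoted in this thread; everything it flags is a candidate for a helper to review, not an automatic removal list.

```python
"""Constructed FRST.txt triage helper (added example; not FRST's own logic and
not the helper's script). Parses the 'Registry (Whitelisted)' Run/Winlogon
lines, the one-month file lists and the ZeroAccess section of an FRST log,
flags entries with the traits the fixlist in this thread targets, and emits
candidate fixlist lines for a human to review."""
import re

# Locations a legitimate autostart rarely launches from (constructed heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\all users\\")

# e.g. HKU\Admin\...\Run: [name] value   or   HKLM-x32\...\Winlogon: [name] value
REG_RE = re.compile(
    r"^(?P<key>HK[^:]*?\\\.\.\.\\(?P<kind>Run|Winlogon)):\s*\[(?P<name>[^\]]*)\]\s*(?P<value>.*)$"
)
# e.g. 2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH (Vendor) C:\path
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ "
    r"(?P<attr>[_A-Z]{5}) (?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.+)$"
)
# A quoted path, or an unquoted one ending at the "[size date]" bracket or a comma.
PATH_RE = re.compile(r'"(?P<q>[A-Za-z]:\\[^"]+)"|(?P<u>[A-Za-z]:\\.+?(?=\s+\[|\s*$|,))')


def launch_path(value):
    """Return the program path embedded in a Run/Winlogon value, or '' if none."""
    m = PATH_RE.search(value)
    return (m.group("q") or m.group("u")).strip() if m else ""


def triage(log_text):
    """Return [(reason, fixlist_line)] for suspicious entries, in log order."""
    findings, seen = [], set()
    hklm_paths = {}        # Run value name -> lower-cased path of the HKLM entry
    in_zeroaccess = False

    def add(reason, line):
        if line not in seen:            # the same file shows up in several sections
            seen.add(line)
            findings.append((reason, line))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):     # a section header ends the ZeroAccess block
            in_zeroaccess = False
            continue
        if line == "ZeroAccess:":
            in_zeroaccess = True
            continue
        if in_zeroaccess and line[1:3] == ":\\":
            add("path reported by FRST's ZeroAccess check", line)
            continue
        reg = REG_RE.match(line)
        if reg:
            kind, name, value = reg.group("kind"), reg.group("name"), reg.group("value")
            target = (launch_path(value) or value).lower()
            if kind == "Winlogon":
                if name.lower() == "shell" and target != "explorer.exe":
                    add("Winlogon Shell replaced (should be explorer.exe)", line)
                continue
            is_hklm = reg.group("key").startswith("HKLM")
            if is_hklm:
                hklm_paths[name.lower()] = target
            if name == "":
                add("Run value with an empty name", line)
            elif not is_hklm and hklm_paths.get(name.lower(), target) != target:
                add("Run name %r mimics an HKLM entry but points elsewhere" % name, line)
            elif any(mark in target for mark in USER_WRITABLE):
                add("autostart launched from a user-writable location", line)
            continue
        f = FILE_RE.match(line)
        if f:
            path, attr = f.group("path"), f.group("attr")
            low = path.lower()
            if not low.endswith((".exe", ".dll")):
                continue
            if "S" in attr and "H" in attr and "\\users\\" in low:
                add("hidden+system executable under a user profile", path)
            elif any(mark in low for mark in USER_WRITABLE):
                add("executable dropped in a user-writable location", path)
    return findings


def fixlist(log_text):
    """Candidate fixlist.txt lines: registry lines verbatim, files by full path."""
    return [line for _, line in triage(log_text)]


# Constructed excerpt assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [smartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610360 2009-09-14] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKU\Admin\...\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [247768 2012-08-28] (TomTom)
HKU\Admin\...\Run: [] C:\Users\Admin\AppData\Local\Temp\awt43abr.exe [x]
HKU\Admin\...\Run: [Adobe ARM] "C:\ProgramData\ifgxpers.exe" [79496 2013-01-14] (Microsoft Corporation)
HKU\Admin\...\Run: [tanpwi] rundll32.exe "C:\Users\Admin\AppData\Roaming\tanpwi.dll",CreateTable [188416 2013-01-14] (Igor Pavlov)
HKU\Admin\...\Winlogon: [shell] C:\Users\Admin\AppData\Roaming\ldr.mcb,explorer.exe
HKLM-x32\...\Winlogon: [userinit] C:\Windows\SysWOW64\Userinit.exe [26624 2010-11-20] (Microsoft Corporation)
==================== One Month Created Files and Folders ========
2013-01-17 22:39 - 2013-01-17 22:39 - 00000000 ____D C:\FRST
2013-01-14 12:39 - 2013-01-14 12:39 - 00590336 ____A (S3 Graphics Co., Ltd.) C:\Users\Admin\AppData\Roaming\qdvcp.dll
2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.exe
2013-01-08 11:48 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-55s %s" % (reason, line))
```

The script leaves the whitelisted HKLM entries, the TomTom entry under Program Files and the Windows system files alone, and reproduces the seven items the helper put in fixlist.txt.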

Restarted in Normal mode... The desktop started to load, but the screen turned white with the characters "bch ccbccq" in the top left corner of the screen for a few moments. Now it is just a white screen with no computer functionality. I have disconnected my ethernet cable, so I suspect that if I was still connected to the internet the FBI Virus page would have loaded.

Here's FSR.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-01-2013

Ran by SYSTEM at 18-01-2013 08:49:21

Running from G:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [smartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610360 2009-09-14] ()

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152544 2012-12-12] (Apple Inc.)

HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [295072 2013-01-04] (RealNetworks, Inc.)

HKU\Admin\...\Run: [iSUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2004-08-09] (InstallShield Software Corporation)

HKU\Admin\...\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [247768 2012-08-28] (TomTom)

HKU\Admin\...\Run: [MyTomTomSA.exe] C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe [436728 2012-09-10] (TomTom)

HKU\Admin\...\Run: [sansaDispatch] C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2012-03-10] (SanDisk Corporation)

HKU\Admin\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-25] (Google Inc.)

HKU\Admin\...\Run: [MotoCast] "C:\Program Files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [x]

HKU\Admin\...\Run: [] C:\Users\Admin\AppData\Local\Temp\awt43abr.exe [x]

HKU\Admin\...\Run: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)

HKU\Admin\...\Run: [HLBackupScheduler] C:\Program Files\Backup Assistant Plus\V CAST Backup Scheduler.exe [7065224 2012-08-20] ()

HKU\Admin\...\Run: [Adobe ARM] "C:\ProgramData\ifgxpers.exe" [79496 2013-01-14] (Microsoft Corporation)

HKU\Admin\...\Run: [tanpwi] rundll32.exe "C:\Users\Admin\AppData\Roaming\tanpwi.dll",CreateTable [188416 2013-01-14] (Igor Pavlov)

HKU\Admin\...\Winlogon: [shell] C:\Users\Admin\AppData\Roaming\ldr.mcb,explorer.exe

HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1685048 2009-09-29] (Hewlett-Packard)

HKLM-x32\...\Winlogon: [userinit] C:\Windows\SysWOW64\Userinit.exe [26624 2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2012-02-01] ()

2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)

3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)

2 RealNetworks Downloader Resolver Service; "C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe" [38608 2012-11-29] ()

2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

2 TomTomHOMEService; "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe" [92632 2012-08-28] (TomTom)

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)

2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)

2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2009-09-17] (CyberLink Corp.)

2 MCSTRM; [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-17 22:39 - 2013-01-17 22:39 - 00000000 ____D C:\FRST

2013-01-14 12:39 - 2013-01-14 12:39 - 00590336 ____A (S3 Graphics Co., Ltd.) C:\Users\Admin\AppData\Roaming\qdvcp.dll

2013-01-14 12:38 - 2013-01-14 12:38 - 00188416 ____A (Igor Pavlov) C:\Users\Admin\AppData\Roaming\tanpwi.dll

2013-01-14 12:31 - 2013-01-14 12:31 - 00079496 ____A (Microsoft Corporation) C:\Users\All Users\ifgxpers.exe

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.exe

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.dll

2013-01-09 00:29 - 2013-01-17 19:31 - 00000168 ____A C:\Windows\setupact.log

2013-01-09 00:29 - 2013-01-09 00:29 - 00000000 ____A C:\Windows\setuperr.log

2013-01-08 11:48 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-01-08 11:48 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe

2013-01-08 11:48 - 2012-11-19 21:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

2013-01-08 11:48 - 2012-11-19 20:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2013-01-08 11:48 - 2012-11-08 21:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll

2013-01-08 11:48 - 2012-11-08 20:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll

2013-01-08 11:48 - 2012-10-31 21:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

2013-01-08 11:48 - 2012-10-31 21:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

2013-01-08 11:48 - 2012-10-31 20:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

2013-01-08 11:48 - 2012-10-31 20:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2013-01-06 20:04 - 2013-01-06 20:04 - 00000000 ____D C:\Windows\Sun

2013-01-04 22:15 - 2013-01-16 16:17 - 00000000 ____D C:\Users\All Users\RealNetworks

2013-01-04 22:15 - 2013-01-16 16:17 - 00000000 ____D C:\Program Files (x86)\RealNetworks

2013-01-04 22:15 - 2013-01-04 22:15 - 00001042 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2013-01-04 22:14 - 2013-01-04 22:14 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

2013-01-02 13:43 - 2013-01-16 16:20 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-02 13:43 - 2013-01-16 16:20 - 00000000 ____D C:\Program Files\iTunes

2013-01-02 13:43 - 2013-01-16 16:20 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-01-02 13:43 - 2013-01-16 16:17 - 00000000 ____D C:\Program Files\iPod

2013-01-02 13:43 - 2013-01-02 13:43 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-12-21 00:00 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll

2012-12-21 00:00 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll

2012-12-21 00:00 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll

2012-12-21 00:00 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

==================== One Month Modified Files and Folders =======

2013-01-17 22:39 - 2013-01-17 22:39 - 00000000 ____D C:\FRST

2013-01-17 19:32 - 2011-05-25 16:16 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-01-17 19:31 - 2013-01-09 00:29 - 00000168 ____A C:\Windows\setupact.log

2013-01-17 19:31 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-01-17 19:05 - 2010-03-27 10:14 - 01430788 ____A C:\Windows\WindowsUpdate.log

2013-01-16 21:53 - 2010-10-08 11:18 - 00000000 ____D C:\Users\All Users\Recovery

2013-01-16 19:04 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI

2013-01-16 18:55 - 2010-04-21 19:15 - 00000000 ____D C:\users\Admin

2013-01-16 16:20 - 2013-01-02 13:43 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-16 16:20 - 2013-01-02 13:43 - 00000000 ____D C:\Program Files\iTunes

2013-01-16 16:20 - 2013-01-02 13:43 - 00000000 ____D C:\Program Files (x86)\iTunes

2013-01-16 16:20 - 2012-05-24 17:03 - 00000000 ____D C:\Users\Admin\AppData\Roaming\MotoCast

2013-01-16 16:20 - 2012-01-19 22:29 - 00000000 ____D C:\Program Files (x86)\Real

2013-01-16 16:20 - 2010-09-12 09:24 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy

2013-01-16 16:20 - 2009-07-13 21:37 - 00000000 ____D C:\Windows\SysWOW64\sysprep

2013-01-16 16:20 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration

2013-01-16 16:19 - 2011-09-10 17:21 - 00000000 ____D C:\Windows\System32\Macromed

2013-01-16 16:18 - 2010-09-21 18:38 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Real

2013-01-16 16:18 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat

2013-01-16 16:17 - 2013-01-04 22:15 - 00000000 ____D C:\Users\All Users\RealNetworks

2013-01-16 16:17 - 2013-01-04 22:15 - 00000000 ____D C:\Program Files (x86)\RealNetworks

2013-01-16 16:17 - 2013-01-02 13:43 - 00000000 ____D C:\Program Files\iPod

2013-01-16 16:17 - 2012-12-04 19:48 - 00000000 ____D C:\Program Files (x86)\QuickTime

2013-01-16 16:17 - 2012-01-19 22:29 - 00000000 ____D C:\Users\All Users\Real

2013-01-16 16:17 - 2011-01-18 09:30 - 00000000 ____D C:\Users\All Users\InstallShield

2013-01-15 22:04 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV

2013-01-14 15:06 - 2012-05-24 17:06 - 00000000 ____D C:\Users\Admin\.gstreamer-0.10

2013-01-14 12:39 - 2013-01-14 12:39 - 00590336 ____A (S3 Graphics Co., Ltd.) C:\Users\Admin\AppData\Roaming\qdvcp.dll

2013-01-14 12:39 - 2010-04-25 21:33 - 00000000 ____D C:\Users\Admin\AppData\Local\CrashDumps

2013-01-14 12:38 - 2013-01-14 12:38 - 00188416 ____A (Igor Pavlov) C:\Users\Admin\AppData\Roaming\tanpwi.dll

2013-01-14 12:31 - 2013-01-14 12:31 - 00079496 ____A (Microsoft Corporation) C:\Users\All Users\ifgxpers.exe

2013-01-14 11:48 - 2012-04-13 18:40 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-01-14 11:44 - 2011-05-25 16:16 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.exe

2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.dll

2013-01-09 10:49 - 2012-04-13 18:40 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-01-09 10:49 - 2011-05-14 07:38 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-01-09 08:57 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-01-09 08:57 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-01-09 00:30 - 2009-07-13 20:45 - 00557800 ____A C:\Windows\System32\FNTCACHE.DAT

2013-01-09 00:29 - 2013-01-09 00:29 - 00000000 ____A C:\Windows\setuperr.log

2013-01-09 00:11 - 2009-07-13 18:34 - 00000534 ____A C:\Windows\win.ini

2013-01-09 00:03 - 2010-05-06 19:03 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-01-06 20:04 - 2013-01-06 20:04 - 00000000 ____D C:\Windows\Sun

2013-01-04 22:15 - 2013-01-04 22:15 - 00001042 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2013-01-04 22:14 - 2013-01-04 22:14 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00201424 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

2013-01-04 22:14 - 2013-01-04 22:14 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

2013-01-02 18:32 - 2012-12-04 19:48 - 00001847 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

2013-01-02 13:43 - 2013-01-02 13:43 - 00001785 ____A C:\Users\Public\Desktop\iTunes.lnk

2013-01-02 11:47 - 2012-08-15 13:13 - 00000000 ____D C:\Users\Admin\Documents\James Files

2012-12-30 15:22 - 2011-08-06 12:56 - 00000000 ___AD C:\Users\Admin\Documents\Colleen's files

2012-12-21 00:17 - 2010-04-21 23:18 - 00365014 ____A C:\Windows\PFRO.log

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-01 21:01:27

Restore point made on: 2013-01-02 13:41:55

Restore point made on: 2013-01-04 19:53:37

Restore point made on: 2013-01-07 14:36:18

Restore point made on: 2013-01-08 11:34:10

Restore point made on: 2013-01-09 00:00:40

Restore point made on: 2013-01-12 00:41:08

Restore point made on: 2013-01-14 12:39:17

==================== Memory info ===========================

Percentage of memory in use: 17%

Total physical RAM: 8183.89 MB

Available physical RAM: 6739 MB

Total Pagefile: 8182.04 MB

Available Pagefile: 6931.15 MB

Total Virtual: 8192 MB

Available Virtual: 8191.91 MB

==================== Partitions =============================

1 Drive c: (HP) (Fixed) (Total:919.9 GB) (Free:650.23 GB) NTFS

2 Drive e: (FACTORY_IMAGE) (Fixed) (Total:11.32 GB) (Free:1.63 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive g: () (Removable) (Total:0.46 GB) (Free:0.21 GB) FAT

10 Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS

11 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ###  Status    Size    Free  Dyn  Gpt
--------  --------  ------  ----  ---  ---
Disk 0    Online    931 GB  0 B
Disk 1    Online    471 MB  0 B
Disk 2    No Media  0 B     0 B
Disk 3    No Media  0 B     0 B
Disk 4    No Media  0 B     0 B
Disk 5    No Media  0 B     0 B

Partitions of Disk 0:

===============

Partition ###  Type     Size    Offset
-------------  -------  ------  -------
Partition 1    Primary  100 MB  1024 KB
Partition 2    Primary  919 GB  101 MB
Partition 3    Primary  11 GB   919 GB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ----
* Volume 2  Y    SYSTEM       NTFS  Partition  100 MB  Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ----
* Volume 3  C    HP           NTFS  Partition  919 GB  Healthy

=========================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ----
* Volume 4  E    FACTORY_IMA  NTFS  Partition  11 GB   Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ###  Type     Size    Offset
-------------  -------  ------  -------
Partition 1    Primary  470 MB  16 KB

==================================================================================

Disk: 1

Partition 1

Type : 06

Hidden: No

Active: Yes

Volume ###  Ltr  Label        Fs    Type       Size    Status   Info
----------  ---  -----------  ----  ---------  ------  -------  ----
* Volume 5  G                 FAT   Removable  470 MB  Healthy

=========================================================

Last Boot: 2013-01-03 23:00

==================== End Of Log =============================


Sorry, I'll be away for a few hours, will return this afternoon. Thanks again for the help!


Hello

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad window. Save it on the flash drive as fixlist.txt.


HKU\Admin\...\Winlogon: [Shell] C:\Users\Admin\AppData\Roaming\ldr.mcb,explorer.exe
HKU\Admin\...\Run: [] C:\Users\Admin\AppData\Local\Temp\awt43abr.exe [x]
HKU\Admin\...\Run: [tanpwi] rundll32.exe "C:\Users\Admin\AppData\Roaming\tanpwi.dll",CreateTable [188416 2013-01-14] (Igor Pavlov)
C:\Users\Admin\AppData\Roaming\qdvcp.dll
C:\Users\Admin\AppData\Roaming\tanpwi.dll
C:\Users\Admin\AppData\Local\vis.exe
C:\Users\Admin\AppData\Local\vis.dll
C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

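Gringo's fixlist above removes exactly the entries that stood out in the FRST log: DLLs dropped straight into AppData\Roaming, the hidden/system vis.exe and vis.dll in AppData\Local, an "ifgxpers.exe" in the ProgramData root carrying Microsoft version info, and the $Recycle.Bin\S-1-5-21-...\$<32 hex> folder FRST itself labelled ZeroAccess. As an added example, not FRST's code and not part of this thread, the following Python script parses FRST's one-month file lines and applies those same indicators automatically, so a helper can triage a long log before writing a fixlist. The line layout, the rule set and the sample lines (copied from the log above and constructed into a small excerpt) are my own assumptions. The version-info rule is a heuristic only: the company name FRST prints in parentheses comes from the file's version resource, which anyone can set, so a hit is a prompt to verify the digital signature, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout of an FRST "One Month Created/Modified Files and Folders" line,
# inferred from the log above:  <created> - <modified> - <size> <attrs> [(<company>)] <path>
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*?)\s*$"
)
BARE_PATH = re.compile(r"^[A-Za-z]:\\")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Executable sitting directly in a user's AppData\Roaming or AppData\Local root.
USER_APPDATA_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\[^\\]+$", re.I)
# Executable sitting directly in ProgramData (FRST shows it as Users\All Users).
PROGRAMDATA_ROOT = re.compile(r"^[a-z]:\\(programdata|users\\all users)\\[^\\]+$", re.I)
# ZeroAccess-style hiding place: a $<32 hex> folder inside a per-user $Recycle.Bin SID folder.
ZEROACCESS_DIR = re.compile(r"\\\$recycle\.bin\\s-1-5-21(?:-\d+)+\\\$[0-9a-f]{32}(?:\\|$)", re.I)
# Locations where a file carrying Microsoft version info is expected to live.
MICROSOFT_TREES = re.compile(
    r"^[a-z]:\\(windows|program files( \(x86\))?|programdata\\microsoft|users\\all users\\microsoft)\\", re.I)


@dataclass
class Entry:
    path: str
    created: Optional[str] = None
    modified: Optional[str] = None
    size: Optional[int] = None
    attrs: str = ""                 # FRST's five-character attribute field, e.g. "__ASH"
    company: Optional[str] = None   # version-info CompanyName, NOT a verified signer


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file line, or a bare path as printed under FRST's 'ZeroAccess:' heading."""
    line = line.strip()
    m = FRST_LINE.match(line)
    if m:
        return Entry(path=m["path"], created=m["created"], modified=m["modified"],
                     size=int(m["size"]), attrs=m["attrs"], company=m["company"])
    if BARE_PATH.match(line):
        return Entry(path=line)
    return None  # section headers, blank lines, anything else


def triage(entry: Entry) -> List[str]:
    """Return the indicator names that fire for one entry; an empty list means nothing notable."""
    p, reasons = entry.path, []
    executable = p.lower().endswith(EXEC_EXT)
    if executable and ("H" in entry.attrs or "S" in entry.attrs):
        reasons.append("hidden/system attribute on executable")
    if executable and USER_APPDATA_ROOT.match(p):
        reasons.append("executable directly in AppData root")
    if executable and PROGRAMDATA_ROOT.match(p):
        reasons.append("executable directly in ProgramData root")
    if entry.company and "microsoft" in entry.company.lower() and not MICROSOFT_TREES.match(p):
        reasons.append("Microsoft version info outside Microsoft locations")
    if ZEROACCESS_DIR.search(p):
        reasons.append("ZeroAccess-style $Recycle.Bin\\$<hex> folder")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path in an FRST log excerpt to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and (reasons := triage(entry)):
            flagged[entry.path] = reasons
    return flagged


# Constructed sample: lines copied from the FRST log in this thread, plus benign lines for contrast.
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2013-01-17 22:39 - 2013-01-17 22:39 - 00000000 ____D C:\FRST
2013-01-14 12:39 - 2013-01-14 12:39 - 00590336 ____A (S3 Graphics Co., Ltd.) C:\Users\Admin\AppData\Roaming\qdvcp.dll
2013-01-14 12:38 - 2013-01-14 12:38 - 00188416 ____A (Igor Pavlov) C:\Users\Admin\AppData\Roaming\tanpwi.dll
2013-01-14 12:31 - 2013-01-14 12:31 - 00079496 ____A (Microsoft Corporation) C:\Users\All Users\ifgxpers.exe
2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.exe
2013-01-14 08:53 - 2013-01-14 08:53 - 00270534 __ASH C:\Users\Admin\AppData\Local\vis.dll
2013-01-09 00:29 - 2013-01-17 19:31 - 00000168 ____A C:\Windows\setupact.log
2013-01-08 11:48 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-04 22:15 - 2013-01-16 16:17 - 00000000 ____D C:\Program Files (x86)\RealNetworks
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{path}\n    {'; '.join(reasons)}")
```

Run against the excerpt, the six paths Gringo listed in the fixlist are the only ones flagged; win32k.sys, setupact.log and the RealNetworks folder pass, because a Microsoft-labelled file under C:\Windows and a plain data file are what the rules expect to see. Keep the output as a review list: every hit still needs a human to confirm it before it goes into a fixlist.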

Computer restarted in normal mode and desktop loaded as what appears to be normal.

I have not attempted to navigate anywhere from the desktop....awaiting any further instructions.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2013

Ran by SYSTEM at 2013-01-18 22:19:32 Run:1

Running from L:\

==============================================

HKEY_USERS\Admin\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.

HKEY_USERS\Admin\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.

HKEY_USERS\Admin\Software\Microsoft\Windows\CurrentVersion\Run\\tanpwi Value deleted successfully.

C:\Users\Admin\AppData\Roaming\qdvcp.dll moved successfully.

C:\Users\Admin\AppData\Roaming\tanpwi.dll moved successfully.

C:\Users\Admin\AppData\Local\vis.exe moved successfully.

C:\Users\Admin\AppData\Local\vis.dll moved successfully.

C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff moved successfully.

==== End of Fixlog ====


Hello

These are the programs I would like you to run next; if you have any problems with one of them, just skip it and run the next one.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo


Results log of Adaware:

# AdwCleaner v2.106 - Logfile created 01/19/2013 at 10:20:58

# Updated 17/01/2013 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Admin - MAIN

# Boot Mode : Normal

# Running from : C:\Users\Admin\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

Folder Deleted : C:\ProgramData\Ask

Folder Deleted : C:\Users\Admin\AppData\LocalLow\AVG Security Toolbar

Folder Deleted : C:\Users\Admin\AppData\LocalLow\boost_interprocess

***** [Registry] *****

Key Deleted : HKCU\Software\Headlight

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

Results log of RogueKiller:

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Admin [Admin rights]

Mode : Remove -- Date : 01/19/2013 10:28:01

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] SansaDispatch.exe -- C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe -> KILLED [TermProc]

[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤

[RUN][SUSP PATH] HKCU\[...]\Run : SansaDispatch (C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe) -> DELETED

[RUN][SUSP PATH] HKCU\[...]\Run : Adobe ARM ("C:\ProgramData\ifgxpers.exe") -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff\n.) -> REPLACED (C:\Windows\system32\shell32.dll)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 1000gratisproben.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

127.0.0.1 www.100sexlinks.com

127.0.0.1 100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10EADS-65M2B1 SCSI Disk Device +++++

--- User ---

[MBR] 05259554d99d4662226c902be91d62bb

[BSP] b6be6e9d0f0336d35e5e33756ce073f7 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941977 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1929375744 | Size: 11595 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2]_D_01192013_02d1028.txt >>

RKreport[1]_S_01192013_02d1026.txt ; RKreport[2]_D_01192013_02d1028.txt

RogueKiller also placed this Quarantine Report on my desktop:

Time : 19/01/2013 10:26:57

--------------------------

[SansaDispatch.exe.vir] -> C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[SansaDispatch.exe.vir] -> C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[ifgxpers.exe.vir] -> C:\ProgramData\ifgxpers.exe

[SansaDispatch.exe.vir] -> C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[ifgxpers.exe.vir] -> C:\ProgramData\ifgxpers.exe

ERROR [n..vir] -> C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff\n.

Time : 19/01/2013 10:28:00

--------------------------

[SansaDispatch.exe.vir] -> C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[SansaDispatch.exe.vir] -> C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[ifgxpers.exe.vir] -> C:\ProgramData\ifgxpers.exe

[SansaDispatch.exe.vir] -> C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[ifgxpers.exe.vir] -> C:\ProgramData\ifgxpers.exe

ERROR [n..vir] -> C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff\n.

[SansaDispatch.exe.vir] -> C:\Users\Admin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[ifgxpers.exe.vir] -> C:\ProgramData\ifgxpers.exe

ERROR [n..vir] -> C:\$Recycle.Bin\S-1-5-21-2330962660-369131529-1779213200-1001\$2ec8d1ce702523f992c2b54f49bcd6ff\n.


Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs

In your next post I need the following:

  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


I have not yet connected the infected HP Desktop back to the internet. I have been posting through a laptop and transferring to the desktop and back via a USB drive. Shall I re-connect the desktop to the web and proceed directly through your instructions?


While I'm waiting for ComboFix to run its scan, I was wondering if you could comment on two other questions?

I have an Acer Aspire laptop about a year and a half old. It was an inexpensive purchase (just under $300) and has served very well for a simple task resource: Web browsing, some music files, a bit of video, watching movies on the DVD drive.

Last week while traveling, I dropped it three times. Carpet cushioned the falls, nothing broke physically on the outside and the screen is fine.

The problem is that when I start it up it takes forever to load the desktop. It also takes forever to open IE8. However, when it does load the desktop it responds normally, and when IE8 finally loads the home page, I can navigate with almost instant response to almost any other page, either through a new tab, a new IE8 window or a link on a web page. The very lengthy startup and the very lengthy opening of IE8 is a bit of a mystery to me...

Second, I have been running SpyHunter4 on this laptop. I set it to run a scan at startup, but I'll need to change that because it recognizes waking up as a startup and runs every time I wake the laptop up. I think I'd want it to run maybe every few days? The real question is this: every time it runs it finds a long list of infections, 35 so far, and it's currently 95% completed on the current scan that's running. I select Fix every time it finds bugs, and I have only been on malwarebytes.org for your help with the FBI infection on the desktop. Where do these files keep coming from??????


Hello

The problem is that when I start it up it takes forever to load the desktop. It also takes forever to open IE8. However, when it does load the desktop it responds normally, and when IE8 finally loads the home page, I can navigate with almost instant response to almost any other page, either through a new tab, a new IE8 window or a link on a web page. The very lengthy startup and the very lengthy opening of IE8 is a bit of a mystery to me...

It is out of my area, but a few things come to mind. One is to check the RAM and see if one of the modules came loose.

This should give you an idea of where to look: http://www.dummies.com/how-to/content/how-to-remove-ram-from-your-laptop.html

I would take them out and then put them back in.

Also run a diagnostic on the hard drive, something like SeaTools for Windows.


Here is the ComboFix log. No problems running it. Haven't really done anything else on the computer except open IE8 to get back here and post results, but appears to be operating/responding normally...

ComboFix 13-01-17.04 - Admin 01/19/2013 21:59:39.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.5575 [GMT -5:00]

Running from: c:\users\Admin\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\programdata\ifgxpers.exe

c:\users\Admin\AppData\Roaming\8D291D

c:\users\Admin\AppData\Roaming\inst.exe

c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\redcblk.url

c:\users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Redhead.url

c:\users\Admin\Documents\~WRL0520.tmp

c:\users\Admin\g2mdlhlpx.exe

G:\Autorun.inf

G:\Setup.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-12-20 to 2013-01-20 )))))))))))))))))))))))))))))))

.

.

2013-01-20 03:20 . 2013-01-20 03:20 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-19 15:23 . 2013-01-19 15:23 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\offreg.dll

2013-01-18 06:39 . 2013-01-18 06:39 -------- d-----w- C:\FRST

2013-01-14 08:40 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\mpengine.dll

2013-01-13 08:41 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-08 19:48 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll

2013-01-08 19:48 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2013-01-08 19:48 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-01-08 19:48 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-01-08 19:48 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll

2013-01-08 19:48 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-01-08 19:48 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-08 19:48 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-08 19:48 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

2013-01-08 19:48 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2013-01-07 04:04 . 2013-01-07 04:04 -------- d-----w- c:\windows\Sun

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\program files (x86)\RealNetworks

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\programdata\RealNetworks

2013-01-05 06:14 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\Common Files\xing shared

2013-01-02 21:43 . 2013-01-17 00:17 -------- d-----w- c:\program files\iPod

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files\iTunes

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\iTunes

2012-12-21 08:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 08:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 18:49 . 2012-04-14 02:40 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-09 18:49 . 2011-05-14 15:38 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-09 08:03 . 2010-05-07 03:03 67599240 ----a-w- c:\windows\system32\MRT.exe

2012-11-30 05:16 . 2012-11-30 05:17 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B19E9B11-2518-4158-A2A7-8536A7C8F0CB}\gapaengine.dll

2012-11-26 22:49 . 2012-11-26 22:50 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-26 22:49 . 2012-07-03 18:39 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-11-12 14:20 . 2012-12-12 12:25 9055744 ----a-w- c:\windows\system32\mshtml.dll

2012-11-12 12:28 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-12 11:52 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-11-09 05:45 . 2012-12-12 12:26 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-09 04:42 . 2012-12-12 12:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-11-02 05:59 . 2012-12-12 12:24 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 05:11 . 2012-12-12 12:24 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-10-27 06:26 . 2012-12-12 12:25 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1494528 ----a-w- c:\windows\system32\urlmon.dll

2012-10-27 05:51 . 2012-12-12 12:25 134144 ----a-w- c:\windows\system32\url.dll

2012-10-27 05:49 . 2012-12-12 12:25 97792 ----a-w- c:\windows\system32\mshtmled.dll

2012-10-27 05:49 . 2012-12-12 12:25 735744 ----a-w- c:\windows\system32\msfeeds.dll

2012-10-27 05:49 . 2012-12-12 12:25 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-10-27 05:49 . 2012-12-12 12:25 247808 ----a-w- c:\windows\system32\ieui.dll

2012-10-27 05:49 . 2012-12-12 12:25 2453504 ----a-w- c:\windows\system32\iertutil.dll

2012-10-27 05:49 . 2012-12-12 12:25 12295680 ----a-w- c:\windows\system32\ieframe.dll

2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-05-04 07:04 . 2012-05-04 07:04 2174976 ----a-w- c:\program files (x86)\Common Files\atimpenc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-08-28 247768]

"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2012-09-10 436728]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-26 39408]

"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-05-25 2053]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"HLBackupScheduler"="c:\program files\Backup Assistant Plus\V CAST Backup Scheduler.exe" [2012-08-20 7065224]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-01-05 295072]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2012-01-25 22016]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2012-01-25 9728]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2010-01-18 4608]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-22 1255736]

S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys [2009-10-06 230456]

S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/02/22 18:44];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 01:41 146928]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-24 204288]

S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-09-19 122880]

S2 DeviceMonitorService;DeviceMonitorService;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2012-02-16 87368]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]

S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2012-02-01 214896]

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-30 38608]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-08-28 92632]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-07-12 82816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-21 239616]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 18:49]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-15 610360]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: Free YouTube Download - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm

IE: Free YouTube to MP3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

Trusted Zone: monster.com

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]

"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-19 22:22:37

ComboFix-quarantined-files.txt 2013-01-20 03:22

.

Pre-Run: 698,366,087,168 bytes free

Post-Run: 698,108,432,384 bytes free

.

- - End Of File - - 82B1D7835B01AECE36CBD73D1148C338


Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

[Image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo


No problems running the script via ComboFix. Have surfed a bit and IE8 appears to be working properly. Successfully logged on to a banking web site. Opened MS Word and the file opened properly. ComboFix log follows:

ComboFix 13-01-17.04 - Admin 01/19/2013 23:23:01.2.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.5329 [GMT -5:00]

Running from: c:\users\Admin\Desktop\ComboFix.exe

Command switches used :: c:\users\Admin\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-12-20 to 2013-01-20 )))))))))))))))))))))))))))))))

.

.

2013-01-20 04:26 . 2013-01-20 04:26 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-19 15:23 . 2013-01-19 15:23 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\offreg.dll

2013-01-18 06:39 . 2013-01-18 06:39 -------- d-----w- C:\FRST

2013-01-14 08:40 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\mpengine.dll

2013-01-13 08:41 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-08 19:48 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll

2013-01-08 19:48 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2013-01-08 19:48 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-01-08 19:48 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-01-08 19:48 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll

2013-01-08 19:48 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-01-08 19:48 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-08 19:48 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-08 19:48 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

2013-01-08 19:48 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2013-01-07 04:04 . 2013-01-07 04:04 -------- d-----w- c:\windows\Sun

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\program files (x86)\RealNetworks

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\programdata\RealNetworks

2013-01-05 06:14 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\Common Files\xing shared

2013-01-02 21:43 . 2013-01-17 00:17 -------- d-----w- c:\program files\iPod

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files\iTunes

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\iTunes

2012-12-21 08:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 08:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 18:49 . 2012-04-14 02:40 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-09 18:49 . 2011-05-14 15:38 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-09 08:03 . 2010-05-07 03:03 67599240 ----a-w- c:\windows\system32\MRT.exe

2012-11-30 05:16 . 2012-11-30 05:17 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B19E9B11-2518-4158-A2A7-8536A7C8F0CB}\gapaengine.dll

2012-11-26 22:49 . 2012-11-26 22:50 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-26 22:49 . 2012-07-03 18:39 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-11-12 14:20 . 2012-12-12 12:25 9055744 ----a-w- c:\windows\system32\mshtml.dll

2012-11-12 12:28 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-12 11:52 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-11-09 05:45 . 2012-12-12 12:26 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-09 04:42 . 2012-12-12 12:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-11-02 05:59 . 2012-12-12 12:24 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 05:11 . 2012-12-12 12:24 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-10-27 06:26 . 2012-12-12 12:25 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1494528 ----a-w- c:\windows\system32\urlmon.dll

2012-10-27 05:51 . 2012-12-12 12:25 134144 ----a-w- c:\windows\system32\url.dll

2012-10-27 05:49 . 2012-12-12 12:25 97792 ----a-w- c:\windows\system32\mshtmled.dll

2012-10-27 05:49 . 2012-12-12 12:25 735744 ----a-w- c:\windows\system32\msfeeds.dll

2012-10-27 05:49 . 2012-12-12 12:25 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-10-27 05:49 . 2012-12-12 12:25 247808 ----a-w- c:\windows\system32\ieui.dll

2012-10-27 05:49 . 2012-12-12 12:25 2453504 ----a-w- c:\windows\system32\iertutil.dll

2012-10-27 05:49 . 2012-12-12 12:25 12295680 ----a-w- c:\windows\system32\ieframe.dll

2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-05-04 07:04 . 2012-05-04 07:04 2174976 ----a-w- c:\program files (x86)\Common Files\atimpenc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-08-28 247768]

"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2012-09-10 436728]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-26 39408]

"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-05-25 2053]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"HLBackupScheduler"="c:\program files\Backup Assistant Plus\V CAST Backup Scheduler.exe" [2012-08-20 7065224]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-01-05 295072]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2012-01-25 22016]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2012-01-25 9728]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2010-01-18 4608]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-22 1255736]

S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys [2009-10-06 230456]

S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/02/22 18:44];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 01:41 146928]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-24 204288]

S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-09-19 122880]

S2 DeviceMonitorService;DeviceMonitorService;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2012-02-16 87368]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]

S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2012-02-01 214896]

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-30 38608]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-08-28 92632]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-07-12 82816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-21 239616]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 18:49]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-15 610360]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: Free YouTube Download - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm

IE: Free YouTube to MP3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

Trusted Zone: monster.com

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]

"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-19 23:27:49

ComboFix-quarantined-files.txt 2013-01-20 04:27

ComboFix2.txt 2013-01-20 03:22

.

Pre-Run: 698,225,680,384 bytes free

Post-Run: 698,145,603,584 bytes free

.

- - End Of File - - 7D92000844E4F266DE320EF79D7BE4F1


Should I ask what in the world you see in all that log text????????

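For readers wondering what a helper actually looks for in these logs: the following is an added example, not part of this thread and not ComboFix's own code. It parses the "Reg Loading Points" section in the layout posted above (Run-key values and the R*/S* service and driver lines) and attaches review flags to entries a reviewer would want to look at twice. The sample log is assembled from lines in this thread plus one constructed "Updater" entry (hypothetical, added only to exercise the user-writable-path check); the flags are prompts for a human, not verdicts.

```python
"""Triage parser for the autostart sections of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field

# "Name"="c:\path\file.exe" [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# S2 name;description;c:\path\file [YYYY-MM-DD [HH:MM] size]
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) '
    r'\[(?P<date>\d{4}-\d{2}-\d{2})(?: \d{2}:\d{2})? (?P<size>\d+)\]$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
GUID_RE = re.compile(r'^\{[0-9a-f-]{36}\}$', re.I)

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "c:\\progra~")
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx")


@dataclass
class Entry:
    kind: str            # "run" (registry Run value) or "service" (R*/S* line)
    name: str
    path: str
    date: str
    size: int
    key: str = ""        # registry key for run entries, start state (R2, S3, ...) for services
    flags: list = field(default_factory=list)


def parse_combofix(text: str) -> list:
    """Collect Run-key values and service/driver lines; other sections are ignored."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # remember which key the next values belong to
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):
            entries.append(Entry("run", m["name"], m["path"], m["date"], int(m["size"]), key))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry("service", m["name"], m["path"], m["date"],
                                 int(m["size"]), m["state"]))
    return entries


def triage(entries: list) -> list:
    """Attach review flags and return only the entries that received one."""
    for e in entries:
        e.flags = []                      # idempotent: rerunning does not double the flags
        p = e.path.lower()
        if any(seg in p for seg in USER_WRITABLE):
            e.flags.append("runs from a user-writable location")
        if not p.startswith(TRUSTED_ROOTS):
            e.flags.append("outside Windows/Program Files")
        if not p.endswith(EXEC_EXT):
            e.flags.append("non-standard extension for an autostart target")
        if GUID_RE.match(e.name):
            e.flags.append("service named by a bare GUID")
        if "~" in p:
            e.flags.append("8.3 short path hides the real directory name")
    return [e for e in entries if e.flags]


# Constructed sample: lines taken from the log above plus one hypothetical "Updater" value.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-05-25 2053]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Updater"="c:\users\Admin\AppData\Roaming\Updater\updater.exe" [2013-01-15 43008]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/02/22 18:44];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 01:41 146928]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-08-28 92632]
"""

if __name__ == "__main__":
    for e in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{e.kind:7} {e.name:45} {e.date} {e.size:>8}  {e.path}")
        for f in e.flags:
            print(f"         - {f}")
```

Entries the script does not flag (Sidebar, NisDrv, the TomTom service) are simply those with nothing unusual in name, location or extension; the flagged ones still need a file-hash or signature check before anyone calls them bad.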

Do you have any particular recommendations for virus protection going forward, malware protection, etc. that would prevent things like the FBI virus infecting the desktop and Safe Mode???? Used to have an AVG license but now I'm running Microsoft Security Essentials, use Spybot occasionally, and now have SpyHunter4 - AdwCleaner - RogueKiller - ComboFix ....


Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

[Image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo


Here's the script log. While ComboFix was running the "Illegal operation attempted on a registry key that has been marked for deletion." warning popped up. I tried to go back to your post to see what to do when this warning appeared but before I could get the laptop back on (remember the delay problem with start-up?) the warning closed, ComboFix completed and created the log. So I didn't restart the computer.

ComboFix 13-01-17.04 - Admin 01/20/2013 0:27.3.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.5229 [GMT -5:00]

Running from: c:\users\Admin\Desktop\ComboFix.exe

Command switches used :: c:\users\Admin\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-12-20 to 2013-01-20 )))))))))))))))))))))))))))))))

.

.

2013-01-20 05:30 . 2013-01-20 05:30 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-19 15:23 . 2013-01-19 15:23 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\offreg.dll

2013-01-18 06:39 . 2013-01-18 06:39 -------- d-----w- C:\FRST

2013-01-14 08:40 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\mpengine.dll

2013-01-13 08:41 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-08 19:48 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll

2013-01-08 19:48 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2013-01-08 19:48 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-01-08 19:48 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-01-08 19:48 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll

2013-01-08 19:48 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-01-08 19:48 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-08 19:48 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-08 19:48 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

2013-01-08 19:48 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2013-01-07 04:04 . 2013-01-07 04:04 -------- d-----w- c:\windows\Sun

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\program files (x86)\RealNetworks

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\programdata\RealNetworks

2013-01-05 06:14 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\Common Files\xing shared

2013-01-02 21:43 . 2013-01-17 00:17 -------- d-----w- c:\program files\iPod

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files\iTunes

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\iTunes

2012-12-21 08:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 08:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 18:49 . 2012-04-14 02:40 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-09 18:49 . 2011-05-14 15:38 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-09 08:03 . 2010-05-07 03:03 67599240 ----a-w- c:\windows\system32\MRT.exe

2012-11-30 05:16 . 2012-11-30 05:17 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B19E9B11-2518-4158-A2A7-8536A7C8F0CB}\gapaengine.dll

2012-11-26 22:49 . 2012-11-26 22:50 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-26 22:49 . 2012-07-03 18:39 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-11-12 14:20 . 2012-12-12 12:25 9055744 ----a-w- c:\windows\system32\mshtml.dll

2012-11-12 12:28 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-12 11:52 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-11-09 05:45 . 2012-12-12 12:26 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-09 04:42 . 2012-12-12 12:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-11-02 05:59 . 2012-12-12 12:24 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 05:11 . 2012-12-12 12:24 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-10-27 06:26 . 2012-12-12 12:25 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1494528 ----a-w- c:\windows\system32\urlmon.dll

2012-10-27 05:51 . 2012-12-12 12:25 134144 ----a-w- c:\windows\system32\url.dll

2012-10-27 05:49 . 2012-12-12 12:25 97792 ----a-w- c:\windows\system32\mshtmled.dll

2012-10-27 05:49 . 2012-12-12 12:25 735744 ----a-w- c:\windows\system32\msfeeds.dll

2012-10-27 05:49 . 2012-12-12 12:25 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-10-27 05:49 . 2012-12-12 12:25 247808 ----a-w- c:\windows\system32\ieui.dll

2012-10-27 05:49 . 2012-12-12 12:25 2453504 ----a-w- c:\windows\system32\iertutil.dll

2012-10-27 05:49 . 2012-12-12 12:25 12295680 ----a-w- c:\windows\system32\ieframe.dll

2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-05-04 07:04 . 2012-05-04 07:04 2174976 ----a-w- c:\program files (x86)\Common Files\atimpenc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-08-28 247768]

"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2012-09-10 436728]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-26 39408]

"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-05-25 2053]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"HLBackupScheduler"="c:\program files\Backup Assistant Plus\V CAST Backup Scheduler.exe" [2012-08-20 7065224]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-01-05 295072]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2012-01-25 22016]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2012-01-25 9728]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2010-01-18 4608]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-22 1255736]

S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys [2009-10-06 230456]

S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/02/22 18:44];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 01:41 146928]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-24 204288]

S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-09-19 122880]

S2 DeviceMonitorService;DeviceMonitorService;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2012-02-16 87368]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]

S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2012-02-01 214896]

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-30 38608]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-08-28 92632]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-07-12 82816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-21 239616]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 18:49]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-15 610360]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: Free YouTube Download - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm

IE: Free YouTube to MP3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

Trusted Zone: monster.com

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]

"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-20 00:31:48

ComboFix-quarantined-files.txt 2013-01-20 05:31

ComboFix2.txt 2013-01-20 04:27

ComboFix3.txt 2013-01-20 03:22

.

Pre-Run: 697,960,771,584 bytes free

Post-Run: 697,881,153,536 bytes free

.

- - End Of File - - FAC37D06265985A309CB3FA2BA2B98EE

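The ComboFix log above is mostly read by eye, section by section. As an added example (not part of this thread and not ComboFix's own code), here is a small Python helper that parses the two parts of the "Reg Loading Points" section an analyst looks at first: the Run-key autostarts, and the entries ComboFix prints under SafeBoot\Minimal, which is the key that decides what is allowed to run in Safe Mode (in the log above the only one listed is MsMpSvc, the Microsoft Security Essentials service). The review rules (user-writable path, non-executable file type, per-user Run key) are my own heuristic for prioritising what to look at, not a verdict on the entries; the sample log is constructed in the shape of the log above, and its "Updater" line is invented so the heuristic has something to flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regexes for the line shapes ComboFix uses in "Reg Loading Points".
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?$"
)
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<svc>[^\\\]]+)\]$", re.I)

# Heuristic (my own, not ComboFix's): locations an unprivileged process can write to.
# An autostart living there is not proof of malware, but it is where lock-screen
# families tend to persist, so it goes to the top of the review list.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
EXPECTED_EXT = (".exe", ".dll", ".sys")

# Constructed sample in the shape of the log above; the "Updater" line is invented.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-26 39408]
"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-05-25 2053]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"Updater"="c:\users\Admin\AppData\Local\Temp\updater.exe" [2013-01-10 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
"""


@dataclass
class Autostart:
    key: str
    name: str
    path: str
    date: Optional[str]
    size: Optional[int]

    def reasons(self) -> List[str]:
        """Heuristic review reasons; an empty list means nothing stood out."""
        low = self.path.lower()
        out = []
        if any(marker in low for marker in USER_WRITABLE):
            out.append("runs from a user-writable location")
        if not low.endswith(EXPECTED_EXT):
            out.append("unusual file type for an autostart: " + low.rsplit(".", 1)[-1])
        # A per-user Run key needs no elevation to write, so it is worth noting
        # when something else already looks off.
        if out and self.key.startswith("HKEY_CURRENT_USER"):
            out.append("per-user Run key (no elevation needed to add it)")
        return out


def parse_autostarts(log_text: str) -> List[Autostart]:
    """Every "Name"="path" [date size] value under the ...\\Run keys ComboFix lists."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if current_key is None or not current_key.lower().endswith("\\run"):
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            entries.append(Autostart(
                key=current_key,
                name=value_match.group("name"),
                path=value_match.group("path"),
                date=value_match.group("date"),
                size=int(value_match.group("size")) if value_match.group("size") else None,
            ))
    return entries


def safeboot_additions(log_text: str) -> List[Tuple[str, str]]:
    """(mode, service) pairs ComboFix printed under SafeBoot; each should be one you expect."""
    return [
        (m.group("mode"), m.group("svc"))
        for m in (SAFEBOOT_RE.search(raw.strip()) for raw in log_text.splitlines())
        if m
    ]


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Autostarts with at least one review reason, in log order."""
    return [(e.name, e.reasons()) for e in parse_autostarts(log_text) if e.reasons()]


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print(f"{name}: {'; '.join(why)}")
    print("SafeBoot additions:", safeboot_additions(SAMPLE_LOG))
```

Run against a real ComboFix log, it reads the whole file and prints only the entries worth a second look plus the SafeBoot services ComboFix reported; on the sample, the .lnk autostart and the constructed Temp-folder executable are flagged, the two Program Files entries are not, and the only SafeBoot addition is MsMpSvc.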

Sitting around hoping to see if you'd reply once more this evening, I got bored and decided to run the CFScript.txt again (did not restart the computer) to see what would happen. No "illegal operation attempted" warning, and here's the log:

ComboFix 13-01-17.04 - Admin 01/20/2013 1:03.4.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8184.5204 [GMT -5:00]

Running from: c:\users\Admin\Desktop\ComboFix.exe

Command switches used :: c:\users\Admin\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-12-20 to 2013-01-20 )))))))))))))))))))))))))))))))

.

.

2013-01-20 06:06 . 2013-01-20 06:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-19 15:23 . 2013-01-19 15:23 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\offreg.dll

2013-01-18 06:39 . 2013-01-18 06:39 -------- d-----w- C:\FRST

2013-01-14 08:40 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{410FDEFC-AEE8-4A7E-9A73-A92635A61D14}\mpengine.dll

2013-01-13 08:41 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-08 19:48 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll

2013-01-08 19:48 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll

2013-01-08 19:48 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-01-08 19:48 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-01-08 19:48 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll

2013-01-08 19:48 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-01-08 19:48 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-08 19:48 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-08 19:48 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

2013-01-08 19:48 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2013-01-07 04:04 . 2013-01-07 04:04 -------- d-----w- c:\windows\Sun

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\program files (x86)\RealNetworks

2013-01-05 06:15 . 2013-01-17 00:17 -------- d-----w- c:\programdata\RealNetworks

2013-01-05 06:14 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\Common Files\xing shared

2013-01-02 21:43 . 2013-01-17 00:17 -------- d-----w- c:\program files\iPod

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files\iTunes

2013-01-02 21:43 . 2013-01-17 00:20 -------- d-----w- c:\program files (x86)\iTunes

2012-12-21 08:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 08:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-09 18:49 . 2012-04-14 02:40 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-09 18:49 . 2011-05-14 15:38 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-09 08:03 . 2010-05-07 03:03 67599240 ----a-w- c:\windows\system32\MRT.exe

2012-11-30 05:16 . 2012-11-30 05:17 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B19E9B11-2518-4158-A2A7-8536A7C8F0CB}\gapaengine.dll

2012-11-26 22:49 . 2012-11-26 22:50 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-26 22:49 . 2012-07-03 18:39 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-11-12 14:20 . 2012-12-12 12:25 9055744 ----a-w- c:\windows\system32\mshtml.dll

2012-11-12 12:28 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-12 11:52 . 2012-12-12 12:25 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-11-09 05:45 . 2012-12-12 12:26 2048 ----a-w- c:\windows\system32\tzres.dll

2012-11-09 04:42 . 2012-12-12 12:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-11-02 05:59 . 2012-12-12 12:24 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-11-02 05:11 . 2012-12-12 12:24 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2012-10-27 06:26 . 2012-12-12 12:25 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1188864 ----a-w- c:\windows\system32\wininet.dll

2012-10-27 05:51 . 2012-12-12 12:25 1494528 ----a-w- c:\windows\system32\urlmon.dll

2012-10-27 05:51 . 2012-12-12 12:25 134144 ----a-w- c:\windows\system32\url.dll

2012-10-27 05:49 . 2012-12-12 12:25 97792 ----a-w- c:\windows\system32\mshtmled.dll

2012-10-27 05:49 . 2012-12-12 12:25 735744 ----a-w- c:\windows\system32\msfeeds.dll

2012-10-27 05:49 . 2012-12-12 12:25 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-10-27 05:49 . 2012-12-12 12:25 247808 ----a-w- c:\windows\system32\ieui.dll

2012-10-27 05:49 . 2012-12-12 12:25 2453504 ----a-w- c:\windows\system32\iertutil.dll

2012-10-27 05:49 . 2012-12-12 12:25 12295680 ----a-w- c:\windows\system32\ieframe.dll

2012-10-25 08:12 . 2012-10-25 08:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 08:12 . 2012-10-25 08:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-05-04 07:04 . 2012-05-04 07:04 2174976 ----a-w- c:\program files (x86)\Common Files\atimpenc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-08-28 247768]

"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2012-09-10 436728]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-26 39408]

"MotoCast"="c:\program files (x86)\Motorola Mobility\MotoCast\MotoLauncher.lnk" [2012-05-25 2053]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"HLBackupScheduler"="c:\program files\Backup Assistant Plus\V CAST Backup Scheduler.exe" [2012-08-20 7065224]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-01-05 295072]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2012-01-25 22016]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2012-01-25 9728]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2010-01-18 4608]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-22 1255736]

S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys [2009-10-06 230456]

S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/02/22 18:44];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 01:41 146928]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-24 204288]

S2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe [2009-09-19 122880]

S2 DeviceMonitorService;DeviceMonitorService;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2012-02-16 87368]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]

S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2012-02-01 214896]

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-30 38608]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-08-28 92632]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-07-12 82816]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-21 239616]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 18:49]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-26 00:16]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-15 610360]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: Free YouTube Download - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm

IE: Free YouTube to MP3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

Trusted Zone: monster.com

Trusted Zone: real.com\rhap-app-4-0

Trusted Zone: real.com\rhapreg

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]

"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-20 01:08:22

ComboFix-quarantined-files.txt 2013-01-20 06:08

ComboFix2.txt 2013-01-20 05:31

ComboFix3.txt 2013-01-20 04:27

ComboFix4.txt 2013-01-20 03:22

.

Pre-Run: 697,962,651,648 bytes free

Post-Run: 697,882,083,328 bytes free

.

- - End Of File - - 8172C24E300FEE7BFC6880F0A887A18B
