Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

Virus & Other Malware Removal Virus & Other Malware Removal
Search Search
Search for:
Tech Support Guy > > >

Norton- System infected: Tidserv Activity 2

(In Progress)
(!)

rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
12-Oct-2011, 03:34 AM #1
Question Norton- System infected: Tidserv Activity 2
hi, I need some help.
I will try to give you as much information as I can.
I seem to have a infection on my computer but I don't know how to get rid of it....I have tried following norton's suggestion of a removal tool, but everytime I download the tool then reboot my computer nothing has changed and the warning message is still there. this is what the warning says exactly:
Threat requiring manual removal detected:System Infected: Tidserv Activity 2

Also when I try to open webpages sometimes, a warning window pops up titled "Chrome.exe-bad image" and it says the following:
\\.\globalroot\systemroot\assembly\tmp\U\80000032.@ is either not designed to run on Windows or it contains
an error. Try installing the program again using the original installation media or contact your
system administrator or the software vendor for support.

another thing I have noticed is that i cannot use my mozilla browser anymore for some reason, this is what it tells me
The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections.


Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is
working.

If anyone could help me, It would be greatly appreciated. I can't seem to figure anything out.
Thanks,
Yvonne
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
12-Oct-2011, 01:10 PM #2
Also I wanted to add that I am running Norton and AVG free
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
12-Oct-2011, 10:43 PM #3
i understand I need to be patient but I don't want my post getting lost of page 2. Please help..
Ried's Avatar
Ried Ried is offline Ried is authorized to help remove malware.
Malware Removal Specialist with 121 posts.
 
Join Date: Jan 2009
16-Oct-2011, 11:45 PM #4
Hello Yvonne,

Your machine is infected with Zero Access, which is quite nasty. Before we begin removal procedures, I will require a comprehensive set of logs. Please follow the instructions in the sticky topic here --> http://forums.techguy.org/virus-othe...e-posting.html for running dds.scr.

I do not want to see a HijackThis log, or gmer log. Just dds.txt and the Attach.txt it produces.

I'd also like for you to download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool. At this time, select No when prompted to download the Avast database.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

In summary, please include the following in your next reply:
  • Contents of dds.txt <-- posted directly into reply box.
  • Contents of aswmbr.txt <-- posted directly into reply box.
  • Mbr.zip and Attach.txt <--attached to your next reply.
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
17-Oct-2011, 04:19 PM #5
Thank you so much for helping me!
I did as you requested, the only thing I could not figure out is the MBR file that you wanted zipped. It never appeared on my desktop.
Here are the dds logs:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Yvonne at 15:07:08 on 2011-10-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1643.540 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Yvonne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Yvonne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Yvonne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\CyberLink\YouCam\YouCam.exe
C:\Users\Yvonne\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Yvonne\Downloads\aswMBR.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyServer = http=127.0.0.1:61071
mWinlogon: Userinit=userinit.exe
uWinlogon: Shell=explorer.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
uRun: [attcm.exe] C:\Program Files (x86)\AT&T\AT&T Communication Manager\attcm.exe
uRun: [Google Update] "C:\Users\Yvonne\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Facebook Update] "C:\Users\Yvonne\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Clearwire Connection Manager] "C:\Program Files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" -a
mRun: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{08D93DD1-6057-41AE-9622-1EB1374E7C66} : NameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{669F8350-15F5-496D-9997-BAABC446679B} : NameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{7A31A08B-F04A-4A89-B775-A968B553984A} : DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{A8C36A0B-9183-49C0-8244-629114C0C1A1} : DhcpNameServer = 66.199.48.6 66.199.50.6
TCP: Interfaces\{A8C36A0B-9183-49C0-8244-629114C0C1A1}\141757160556E6765796E6D27657563747 : DhcpNameServer = 209.55.5.10 209.55.5.11 192.168.33.1
TCP: Interfaces\{A8C36A0B-9183-49C0-8244-629114C0C1A1}\34865627F64756C643 : DhcpNameServer = 151.164.11.201 151.164.160.201
TCP: Interfaces\{A8C36A0B-9183-49C0-8244-629114C0C1A1}\355707562783 : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{A8C36A0B-9183-49C0-8244-629114C0C1A1}\C696E6B6379737 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BB76605B-C752-4689-AF62-6E37F108003C} : NameServer = 172.26.38.1 172.26.38.2
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: StartNow Toolbar Helper: {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
BHO-X64: StartNow Toolbar Helper - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Clearwire Connection Manager] "C:\Program Files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" -a
mRun-x64: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Yvonne\AppData\Roaming\Mozilla\Firefox\Profiles\8e0uxps1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z160&install_date=20111016
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z160&form=ZGAADF&install_date=20111016&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61071
FF - prefs.js: network.proxy.type - 1
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Yvonne\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R?2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110929.001_eb9\BHDrvx64. sys [2011-9-29 1152632]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20111014.031_f69\IDSviA64.s ys [2011-10-14 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-5-8 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-3-4 354304]
R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-17 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-5-8 1817088]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [2011-9-10 130008]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe [2010-5-25 107856]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
S3 bcm;WiMAX Network Adapter;C:\Windows\system32\DRIVERS\drxvi314_64.sys --> C:\Windows\system32\DRIVERS\drxvi314_64.sys [?]
S3 bcmbusctr;WiMAX Bus Driver;C:\Windows\system32\DRIVERS\BcmBusCtr_64.sys --> C:\Windows\system32\DRIVERS\BcmBusCtr_64.sys [?]
S3 CACLEARWIRE;Clearwire Con App Svc;C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe [2010-5-25 124240]
S3 clearwireDeviceDiagnosticsService;Clearwire Device Diagnostics Service;C:\Program Files (x86)\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe [2010-4-19 399872]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe [2010-5-25 120144]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-10-2 136824]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\system32\DRIVERS\ew_hwusbdev.sys --> C:\Windows\system32\DRIVERS\ew_hwusbdev.sys [?]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\system32\DRIVERS\ew_usbe numfilter.sys --> C:\Windows\system32\DRIVERS\ew_usbenumfilter.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\system32\DRIVERS\ewusbnet.sys --> C:\Windows\system32\DRIVERS\ewusbnet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;\??\C:\Windows\system32\PCTINDIS5X64.SYS --> C:\Windows\system32\PCTINDIS5X64.SYS [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-10-16 06:10:32 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\enchant
2011-10-16 06:09:23 -------- d-----w- C:\Users\Yvonne\AbiSuite
2011-10-16 06:06:32 -------- d-----w- C:\Program Files (x86)\AbiWord
2011-10-16 06:06:06 -------- d-----w- C:\Program Files (x86)\StartNow Toolbar
2011-10-16 05:56:03 -------- d-----w- C:\Users\Yvonne\AppData\Local\ElevatedDiagnostics
2011-10-16 00:56:17 -------- d-----w- C:\Users\Yvonne\AppData\Local\Facebook
2011-10-15 17:51:07 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\Tific
2011-10-15 17:50:42 -------- d-----w- C:\Users\Yvonne\AppData\Local\Symantec
2011-10-11 03:12:41 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\FixTDSS
2011-10-03 22:00:07 -------- d--h--w- C:\$AVG
2011-10-03 05:28:30 -------- d-----w- C:\Windows\System32\drivers\AVG
2011-10-02 21:22:45 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\mEL9gjYkrOPSi3G
2011-10-02 21:22:45 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\aamH6sWJ7E
2011-10-02 21:14:16 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-10-02 21:07:03 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\RPP00yccS1iD3nF
2011-10-02 20:37:06 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\sfRRLL9gTXqjCeI
2011-10-02 20:31:25 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\DffRRL99hTX
2011-10-02 20:26:16 2400768 ----a-w- C:\Users\Yvonne\AppData\Roaming\java.exe
2011-10-02 20:06:15 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\UbD33nGGamH6WJ
2011-10-02 20:06:15 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\HYYCCkIIrlONPuS
2011-10-02 20:06:01 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\viibbD3nGamHsfL
2011-10-02 20:06:00 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\SmH66sWJfELgZ
2011-10-02 20:01:34 -------- d-----we C:\Windows\system64
2011-10-01 02:54:13 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-30 21:37:12 9049936 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{20D298DA-70CC-4418-904B-3E2216F004A9}\mpengine.dll
2011-09-29 23:09:55 -------- d--h--w- C:\ProgramData\Common Files
2011-09-29 23:09:09 -------- d-----w- C:\ProgramData\AVG2012
2011-09-29 23:07:23 -------- d-----w- C:\Program Files (x86)\AVG
2011-09-29 22:43:44 -------- d-----w- C:\ProgramData\MFAData
2011-09-28 18:49:23 -------- d-----w- C:\ProgramData\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-09-26 03:27:34 -------- d-----w- C:\Users\Yvonne\AppData\Local\{3D37B5BE-5ED3-4938-88E6-31A71354AA61}
2011-09-26 03:27:24 -------- d-----w- C:\Users\Yvonne\AppData\Local\{C6B7149C-CFD2-43EA-94DF-800B84E64DAE}
2011-09-26 03:13:05 -------- d-----w- C:\Users\Yvonne\AppData\Local\{79C85B34-6A91-4710-82EE-097069F31C87}
2011-09-26 03:12:54 -------- d-----w- C:\Users\Yvonne\AppData\Local\{A3DAE226-57F6-44FA-B61F-F1029F6E2718}
2011-09-25 23:47:12 -------- d-----w- C:\Users\Yvonne\AppData\Local\{6259D416-223D-4C81-870D-592F57C5D993}
2011-09-25 23:44:43 -------- d-----w- C:\Users\Yvonne\AppData\Local\{DD87A2D7-DCE8-45A5-A5B0-8E3F97E41202}
2011-09-25 23:44:42 -------- d-----w- C:\Users\Yvonne\AppData\Local\{70DC937D-B1FB-4B48-9A5A-1EDE421810D7}
2011-09-23 07:03:46 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\iWin
2011-09-21 04:32:54 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\WildTangentv1001
2011-09-21 04:03:01 -------- d-----w- C:\ProgramData\Sony Online Entertainment
2011-09-18 05:45:31 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\WildTangentv1002
2011-09-17 20:11:27 -------- d-----w- C:\Users\Yvonne\AppData\Roaming\Flood Light Games
2011-09-17 20:11:27 -------- d-----w- C:\ProgramData\Flood Light Games
.
==================== Find3M ====================
.
2011-09-10 05:23:45 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-08-08 11:08:58 46672 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 15:09:53.89 ===============

Also here are the logs for aswmbr


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-17 15:03:50
-----------------------------
15:03:50.574 OS Version: Windows x64 6.1.7601 Service Pack 1
15:03:50.575 Number of processors: 2 586 0x100
15:03:50.578 ComputerName: YVONNE-HP UserName: Yvonne
15:03:58.699 Initialize success
15:08:33.760 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000071
15:08:33.768 Disk 0 Vendor: SAMSUNG_ 2AC1 Size: 238475MB BusType: 11
15:08:35.823 Disk 0 MBR read successfully
15:08:35.831 Disk 0 MBR scan
15:08:35.842 Disk 0 Windows 7 default MBR code
15:08:35.855 Service scanning
15:08:40.675 Modules scanning
15:08:40.689 Disk 0 trace - called modules:
15:08:40.733 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
15:08:40.749 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800244a6a0]
15:08:40.764 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa800232ca30]
15:08:40.780 5 amd_xata.sys[fffff88001102900] -> nt!IofCallDriver -> \Device\00000071[0xfffffa8002327060]
15:08:40.796 Scan finished successfully
15:09:00.646 Disk 0 MBR has been saved successfully to "C:\Users\Yvonne\Desktop\MBR.dat"
15:09:00.693 The log file has been saved successfully to "C:\Users\Yvonne\Desktop\aswMBR.txt"
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Ried's Avatar
Ried Ried is offline Ried is authorized to help remove malware.
Malware Removal Specialist with 121 posts.
 
Join Date: Jan 2009
17-Oct-2011, 05:59 PM #6
You're welcome.

The file should be there on your desktop, named MBR.dat. If you don't have file extensions set to be viewable, you would see the file as just MBR.

This will take more than 1 round to clean, so please stay with me until given the 'all clear' even if symptoms seem to abate.


Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT- Save ComboFix.exe to your Desktop
====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications
====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
17-Oct-2011, 10:07 PM #7
I dowloaded it and turned off my norton like it asked but it still says my norton is running.
also i can download it but it does not give me an option to save to my desktop.
I don't have an MBR file on my desktop :/
It's doing the autoscan right now.
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
17-Oct-2011, 11:26 PM #8
Its been over an hour and the scan is just stuck at "completed stage 48"
found the MBR and i compressed it and attached.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.

Last edited by rainswirls; 18-Oct-2011 at 03:54 AM..
Ried's Avatar
Ried Ried is offline Ried is authorized to help remove malware.
Malware Removal Specialist with 121 posts.
 
Join Date: Jan 2009
19-Oct-2011, 08:51 PM #9
Thank you for the attachment.

Try running ComboFix from Safe Mode with networking. Reboot your computer into Safe Mode with networking. To do this:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode with networking and press Enter.
5) Login with your usual account.

Double click ComboFix.exe and follow all prompts. Post the C:\ComboFix.txt when it has completed.
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
20-Oct-2011, 05:21 PM #10
okay i started it in safe mode with networking but it still said norton was running, BUT it did finally give me a log.
here ya go!

ComboFix 11-10-17.02 - Yvonne 10/20/2011 14:38:56.3.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1643.843 [GMT -5:00]
Running from: c:\users\Yvonne\Downloads\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\StartNow Toolbar
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files (x86)\StartNow Toolbar\Resources\installer.xml
c:\program files (x86)\StartNow Toolbar\Resources\protect\index.html
c:\program files (x86)\StartNow Toolbar\Resources\protect\NotIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\protect\OnlyIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\protect\SearchProtectIcon.png
c:\program files (x86)\StartNow Toolbar\Resources\protect\window.css
c:\program files (x86)\StartNow Toolbar\Resources\protect\window.js
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\index.html
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\LeftImage.png
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\NotIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\OnlyIE6.css
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\window.css
c:\program files (x86)\StartNow Toolbar\Resources\reactivate\window.js
c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml
c:\program files (x86)\StartNow Toolbar\Resources\update.xml
c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files (x86)\StartNow Toolbar\ToOLbar32.dll
c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
c:\program files (x86)\StartNow Toolbar\uninstall.dat
c:\users\Yvonne\AppData\Roaming\5486.CD5
c:\users\Yvonne\AppData\Roaming\aamH6sWJ7EOpen Cloud AV.ico
c:\users\Yvonne\AppData\Roaming\java.exe
c:\users\Yvonne\AppData\Roaming\UbD33nGGamH6WJOpen Cloud AV.ico
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\80000032.@
c:\windows\assembly\tmp\U\80000064.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Updater Service for StartNow Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-20 19:53 . 2011-10-20 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-19 05:04 . 2011-10-19 05:05 -------- d-----w- c:\program files (x86)\WildTangent Games
2011-10-18 17:29 . 2011-09-01 02:30 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2011-10-18 17:29 . 2011-09-01 05:19 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-10-17 20:47 . 2011-10-17 20:47 -------- d-----w- c:\users\Yvonne\AppData\Roaming\Yahoo!
2011-10-17 20:46 . 2011-10-20 19:30 -------- d-----w- c:\users\Yvonne\AppData\Roaming\Skype
2011-10-17 20:46 . 2011-10-17 20:46 -------- d-----r- c:\program files (x86)\Skype
2011-10-17 20:46 . 2011-10-17 20:46 -------- d-----w- c:\programdata\Skype
2011-10-17 20:28 . 2011-10-17 20:28 -------- d-----w- c:\programdata\Yahoo!
2011-10-17 20:24 . 2011-10-17 20:28 -------- d-----w- c:\program files (x86)\Yahoo!
2011-10-17 18:35 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-17 18:35 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-10-17 18:35 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-10-17 18:35 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-17 18:34 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-10-17 18:34 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-10-17 18:34 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-17 18:34 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-10-16 06:10 . 2011-10-16 06:10 -------- d-----w- c:\users\Yvonne\AppData\Roaming\enchant
2011-10-16 06:09 . 2011-10-16 07:11 -------- d-----w- c:\users\Yvonne\AbiSuite
2011-10-16 06:06 . 2011-10-16 06:07 -------- d-----w- c:\program files (x86)\AbiWord
2011-10-16 05:56 . 2011-10-16 05:56 -------- d-----w- c:\users\Yvonne\AppData\Local\ElevatedDiagnostics
2011-10-16 00:56 . 2011-10-16 00:56 -------- d-----w- c:\users\Yvonne\AppData\Local\Facebook
2011-10-15 17:51 . 2011-10-15 17:51 -------- d-----w- c:\users\Yvonne\AppData\Roaming\Tific
2011-10-15 17:50 . 2011-10-15 17:50 -------- d-----w- c:\users\Yvonne\AppData\Local\Symantec
2011-10-15 09:07 . 2011-10-15 09:07 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-10-13 22:15 . 2011-09-06 03:03 3138048 ----a-w- c:\windows\system32\win32k.sys
2011-10-11 03:12 . 2011-10-11 03:12 -------- d-----w- c:\users\Yvonne\AppData\Roaming\FixTDSS
2011-10-03 22:00 . 2011-10-03 22:00 -------- d-----w- C:\$AVG
2011-10-03 05:28 . 2011-10-15 11:36 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-02 21:22 . 2011-10-02 21:22 -------- d-----w- c:\users\Yvonne\AppData\Roaming\mEL9gjYkrOPSi3G
2011-10-02 21:22 . 2011-10-02 21:22 -------- d-----w- c:\users\Yvonne\AppData\Roaming\aamH6sWJ7E
2011-10-02 21:14 . 2011-10-15 11:32 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-10-02 21:07 . 2011-10-02 21:07 -------- d-----w- c:\users\Yvonne\AppData\Roaming\RPP00yccS1iD3nF
2011-10-02 20:37 . 2011-10-02 20:37 -------- d-----w- c:\users\Yvonne\AppData\Roaming\sfRRLL9gTXqjCeI
2011-10-02 20:31 . 2011-10-02 20:31 -------- d-----w- c:\users\Yvonne\AppData\Roaming\DffRRL99hTX
2011-10-02 20:06 . 2011-10-02 20:06 -------- d-----w- c:\users\Yvonne\AppData\Roaming\UbD33nGGamH6WJ
2011-10-02 20:06 . 2011-10-02 20:06 -------- d-----w- c:\users\Yvonne\AppData\Roaming\HYYCCkIIrlONPuS
2011-10-02 20:06 . 2011-10-02 21:29 -------- d-----w- c:\users\Yvonne\AppData\Roaming\viibbD3nGamHsfL
2011-10-02 20:06 . 2011-10-02 20:06 -------- d-----w- c:\users\Yvonne\AppData\Roaming\SmH66sWJfELgZ
2011-10-01 02:54 . 2011-10-17 20:28 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-30 21:37 . 2011-09-13 00:26 9049936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20D298DA-70CC-4418-904B-3E2216F004A9}\mpengine.dll
2011-09-29 23:09 . 2011-09-29 23:09 -------- d--h--w- c:\programdata\Common Files
2011-09-29 23:09 . 2011-10-15 11:36 -------- d-----w- c:\programdata\AVG2012
2011-09-29 23:07 . 2011-09-29 23:07 -------- d-----w- c:\program files (x86)\AVG
2011-09-29 22:43 . 2011-10-15 11:32 -------- d-----w- c:\programdata\MFAData
2011-09-28 18:49 . 2011-09-28 18:49 -------- d-----w- c:\programdata\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-09-23 07:03 . 2011-09-23 07:03 -------- d-----w- c:\users\Yvonne\AppData\Roaming\iWin
2011-09-21 04:32 . 2011-09-30 23:39 -------- d-----w- c:\users\Yvonne\AppData\Roaming\WildTangentv1001
2011-09-21 04:03 . 2011-09-21 04:03 -------- d-----w- c:\programdata\Sony Online Entertainment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-18 18:00 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-10 05:23 . 2011-05-08 12:48 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-08-08 11:08 . 2011-08-08 11:08 46672 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Yvonne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-16 137536]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-04 336384]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 318520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Clearwire Connection Manager"="c:\program files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" [2010-05-26 54608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314_64.sys [x]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr_64.sys [x]
R3 CACLEARWIRE;Clearwire Con App Svc;c:\program files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe [2010-05-26 124240]
R3 clearwireDeviceDiagnosticsService;Clearwire Device Diagnostics Service;c:\program files (x86)\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe [2010-04-19 399872]
R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files (x86)\Clearwire\Connection Manager\RcAppSvc.exe [2010-05-26 120144]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbe numfilter.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20111014.001\BHDrvx64.sys [2011-10-14 1155704]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20111019.030\IDSvia64.sys [2011-10-15 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-03-04 354304]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-28 1817088]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe [2010-05-26 107856]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-10-02 136824]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001Core.job
- c:\users\Yvonne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-16 00:56]
.
2011-10-20 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001UA.job
- c:\users\Yvonne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-16 00:56]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001Core.job
- c:\users\Yvonne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:05]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001UA.job
- c:\users\Yvonne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:05]
.
2011-09-28 c:\windows\Tasks\HPCeeScheduleForYvonne.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 6602856]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"combofix"="c:\combofix\CF7414.3XE" [2010-11-21 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:61071
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{08D93DD1-6057-41AE-9622-1EB1374E7C66}: NameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{669F8350-15F5-496D-9997-BAABC446679B}: NameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{BB76605B-C752-4689-AF62-6E37F108003C}: NameServer = 172.26.38.1 172.26.38.2
FF - ProfilePath - c:\users\Yvonne\AppData\Roaming\Mozilla\Firefox\Profiles\8e0uxps1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z160&install_date=20111016
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z160&form=ZGAADF&install_date=20111016&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61071
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-attcm.exe - c:\program files (x86)\AT&T\AT&T Communication Manager\attcm.exe
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Wow6432Node-HKLM-Run-StartNowToolbarHelper - c:\program files (x86)\StartNow Toolbar\ToolbarHelper.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_Ac tiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
.
**************************************************************************
.
Completion time: 2011-10-20 15:08:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-20 20:08
.
Pre-Run: 195,344,343,040 bytes free
Post-Run: 195,020,070,912 bytes free
.
- - End Of File - - 0D7171FFAB0FFDFACCA35764CE50F4F5

and so far no pesky pop ups! or alerts.
Ried's Avatar
Ried Ried is offline Ried is authorized to help remove malware.
Malware Removal Specialist with 121 posts.
 
Join Date: Jan 2009
20-Oct-2011, 08:26 PM #11
Well done.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************
Open notepad and copy/paste the text in the quote box below into it:
Quote:
Folder::
c:\users\Yvonne\AppData\Roaming\mEL9gjYkrOPSi3G
c:\users\Yvonne\AppData\Roaming\aamH6sWJ7E
c:\users\Yvonne\AppData\Roaming\RPP00yccS1iD3nF
c:\users\Yvonne\AppData\Roaming\sfRRLL9gTXqjCeI
c:\users\Yvonne\AppData\Roaming\DffRRL99hTX
c:\users\Yvonne\AppData\Roaming\UbD33nGGamH6WJ
c:\users\Yvonne\AppData\Roaming\HYYCCkIIrlONPuS
c:\users\Yvonne\AppData\Roaming\viibbD3nGamHsfL
c:\users\Yvonne\AppData\Roaming\SmH66sWJfELgZ
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:61071
Firefox::
FF - ProfilePath - c:\users\Yvonne\AppData\Roaming\Mozilla\Firefox\Profiles\8e0uxps1.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61071
Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you. Post the C:\ComboFix.txt in your next reply.

=========================================


After running ComboFix, it's important to run an online scan to search for any remnants that may be lurking. Please go to here to run the online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
21-Oct-2011, 12:07 PM #12
ComboFix 11-10-17.02 - Yvonne 10/21/2011 0:14.6.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1643.1244 [GMT -5:00]
Running from: c:\users\Yvonne\Downloads\ComboFix.exe
Command switches used :: c:\users\Yvonne\Desktop\CFScript.txt
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
.
.
2011-10-21 05:27 . 2011-10-21 05:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-21 04:06 . 2011-10-21 04:06 -------- d-----w- c:\program files (x86)\ESET
2011-10-21 01:06 . 2009-08-19 21:49 35840 ----a-r- c:\windows\system32\drivers\BVRPMPR5a64.SYS
2011-10-21 01:04 . 2011-10-21 01:21 -------- d-----w- C:\Netgear
2011-10-19 05:04 . 2011-10-19 05:05 -------- d-----w- c:\program files (x86)\WildTangent Games
2011-10-18 17:29 . 2011-09-01 02:30 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2011-10-18 17:29 . 2011-09-01 05:19 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-10-17 20:47 . 2011-10-17 20:47 -------- d-----w- c:\users\Yvonne\AppData\Roaming\Yahoo!
2011-10-17 20:46 . 2011-10-21 05:00 -------- d-----w- c:\users\Yvonne\AppData\Roaming\Skype
2011-10-17 20:46 . 2011-10-17 20:46 -------- d-----r- c:\program files (x86)\Skype
2011-10-17 20:46 . 2011-10-17 20:46 -------- d-----w- c:\programdata\Skype
2011-10-17 20:28 . 2011-10-17 20:28 -------- d-----w- c:\programdata\Yahoo!
2011-10-17 20:24 . 2011-10-17 20:28 -------- d-----w- c:\program files (x86)\Yahoo!
2011-10-17 18:35 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-17 18:35 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-10-17 18:35 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-10-17 18:35 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-17 18:34 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-10-17 18:34 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-10-17 18:34 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-17 18:34 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-10-16 06:10 . 2011-10-16 06:10 -------- d-----w- c:\users\Yvonne\AppData\Roaming\enchant
2011-10-16 06:09 . 2011-10-16 07:11 -------- d-----w- c:\users\Yvonne\AbiSuite
2011-10-16 06:06 . 2011-10-16 06:07 -------- d-----w- c:\program files (x86)\AbiWord
2011-10-16 05:56 . 2011-10-16 05:56 -------- d-----w- c:\users\Yvonne\AppData\Local\ElevatedDiagnostics
2011-10-16 00:56 . 2011-10-16 00:56 -------- d-----w- c:\users\Yvonne\AppData\Local\Facebook
2011-10-15 17:51 . 2011-10-15 17:51 -------- d-----w- c:\users\Yvonne\AppData\Roaming\Tific
2011-10-15 17:50 . 2011-10-15 17:50 -------- d-----w- c:\users\Yvonne\AppData\Local\Symantec
2011-10-15 09:07 . 2011-10-15 09:07 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-10-13 22:15 . 2011-09-06 03:03 3138048 ----a-w- c:\windows\system32\win32k.sys
2011-10-11 03:12 . 2011-10-11 03:12 -------- d-----w- c:\users\Yvonne\AppData\Roaming\FixTDSS
2011-10-03 22:00 . 2011-10-03 22:00 -------- d-----w- C:\$AVG
2011-10-03 05:28 . 2011-10-15 11:36 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-02 21:14 . 2011-10-15 11:32 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-10-01 02:54 . 2011-10-17 20:28 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-30 21:37 . 2011-09-13 00:26 9049936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20D298DA-70CC-4418-904B-3E2216F004A9}\mpengine.dll
2011-09-29 23:09 . 2011-09-29 23:09 -------- d--h--w- c:\programdata\Common Files
2011-09-29 23:09 . 2011-10-15 11:36 -------- d-----w- c:\programdata\AVG2012
2011-09-29 23:07 . 2011-09-29 23:07 -------- d-----w- c:\program files (x86)\AVG
2011-09-29 22:43 . 2011-10-15 11:32 -------- d-----w- c:\programdata\MFAData
2011-09-28 18:49 . 2011-09-28 18:49 -------- d-----w- c:\programdata\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-09-23 07:03 . 2011-09-23 07:03 -------- d-----w- c:\users\Yvonne\AppData\Roaming\iWin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-18 18:00 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-10 05:23 . 2011-05-08 12:48 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-08-08 11:08 . 2011-08-08 11:08 46672 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-20_19.58.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2011-10-20 21:14 30710 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-10-21 04:40 47172 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-09-09 22:21 . 2011-10-20 19:35 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2011-09-09 22:21 . 2011-10-21 02:57 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2011-09-09 22:21 . 2011-10-20 19:35 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2011-09-09 22:21 . 2011-10-21 02:57 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-20 19:35 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-21 02:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-07-14 04:46 . 2011-10-20 20:06 94744 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Softwar eProtectionPlatform\Cache\cache.dat
+ 2011-09-09 22:47 . 2011-10-21 04:40 9262 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3247187366-1554929785-146752643-1001_UserData.bin
+ 2011-10-21 01:21 . 2011-10-21 01:21 9560 c:\windows\system32\NetworkList\Icons\{22A3B62C-3102-4308-B8AF-8D8A48B037D0}_48.bin
+ 2011-10-21 01:21 . 2011-10-21 01:21 4280 c:\windows\system32\NetworkList\Icons\{22A3B62C-3102-4308-B8AF-8D8A48B037D0}_32.bin
+ 2011-10-21 01:21 . 2011-10-21 01:21 2456 c:\windows\system32\NetworkList\Icons\{22A3B62C-3102-4308-B8AF-8D8A48B037D0}_24.bin
- 2011-10-20 19:54 . 2011-10-20 19:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-21 02:56 . 2011-10-21 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-21 02:56 . 2011-10-21 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-10-20 19:54 . 2011-10-20 19:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-09-09 23:37 . 2011-10-21 05:00 337084 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2011-10-21 04:43 624622 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-10-18 18:07 624622 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-10-21 04:43 106708 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-10-18 18:07 106708 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-10-20 19:22 229540 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-10-21 02:54 229540 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-09-29 19:37 . 2011-10-20 19:22 731948 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3247187366-1554929785-146752643-1001-12288.dat
+ 2011-09-29 19:37 . 2011-10-21 01:44 731948 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3247187366-1554929785-146752643-1001-12288.dat
- 2011-10-20 19:23 . 2011-10-20 19:23 1317648 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-10-20 19:23 . 2011-10-21 02:54 1317648 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-09-11 16:14 . 2011-10-20 19:22 9860478 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3247187366-1554929785-146752643-1001-8192.dat
+ 2011-09-11 16:14 . 2011-10-21 02:54 9860478 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3247187366-1554929785-146752643-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Yvonne\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-16 137536]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-04 336384]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2010-12-13 318520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Clearwire Connection Manager"="c:\program files (x86)\Clearwire\Connection Manager\ClearwireCM.exe" [2010-05-26 54608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20111014.001\BHDrvx64.sys [2011-10-14 1155704]
R1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20111019.030\IDSvia64.sys [2011-10-15 488568]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [x]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [x]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-03-04 354304]
R2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
R2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
R2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
R2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
R2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-28 1817088]
R2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
R2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe [2010-05-26 107856]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314_64.sys [x]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr_64.sys [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 CACLEARWIRE;Clearwire Con App Svc;c:\program files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe [2010-05-26 124240]
R3 clearwireDeviceDiagnosticsService;Clearwire Device Diagnostics Service;c:\program files (x86)\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe [2010-04-19 399872]
R3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files (x86)\Clearwire\Connection Manager\RcAppSvc.exe [2010-05-26 120144]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-10-02 136824]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbe numfilter.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001Core.job
- c:\users\Yvonne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-16 00:56]
.
2011-10-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001UA.job
- c:\users\Yvonne\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-16 00:56]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001Core.job
- c:\users\Yvonne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:05]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3247187366-1554929785-146752643-1001UA.job
- c:\users\Yvonne\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-10 20:05]
.
2011-09-28 c:\windows\Tasks\HPCeeScheduleForYvonne.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-11 02:32 2240000 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 6602856]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{08D93DD1-6057-41AE-9622-1EB1374E7C66}: NameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{669F8350-15F5-496D-9997-BAABC446679B}: NameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{BB76605B-C752-4689-AF62-6E37F108003C}: NameServer = 172.26.38.1 172.26.38.2
FF - ProfilePath - c:\users\Yvonne\AppData\Roaming\Mozilla\Firefox\Profiles\8e0uxps1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z160&install_date=20111016
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z160&form=ZGAADF&install_date=20111016&q=
FF - prefs.js: network.proxy.type - 1
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_Ac tiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-21 00:31:51
ComboFix-quarantined-files.txt 2011-10-21 05:31
ComboFix2.txt 2011-10-21 03:55
ComboFix3.txt 2011-10-20 20:08
.
Pre-Run: 194,334,425,088 bytes free
Post-Run: 194,039,996,416 bytes free
.
- - End Of File - - 88B120D461550A1F511E93BED2006281
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
21-Oct-2011, 03:50 PM #13
export text file


C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToOLbar32.dll.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Users\Yvonne\AppData\Roaming\java.exe.vir a variant of Win32/Kryptik.TOL trojan
C:\Users\Yvonne\Downloads\AbiWord_Setup.exe a variant of Win32/Adware.iBryte.A application
Ried's Avatar
Ried Ried is offline Ried is authorized to help remove malware.
Malware Removal Specialist with 121 posts.
 
Join Date: Jan 2009
23-Oct-2011, 08:17 PM #14
Hello Yvonne,

My apologies for the delay, I was away this weekend.

The items in Qoobox are backups created during the course of this fix and will be deleted when we are through and uninstall ComboFix.

Do you recall where you downloaded AbiWord from?
rainswirls's Avatar
rainswirls rainswirls is offline
Junior Member with 12 posts.
THREAD STARTER
 
Join Date: Oct 2011
24-Oct-2011, 12:40 AM #15
I don't remember where I downloaded it at. I was looking for a microsoft word starter 2010 because the one on my computer had stopped working for some reason ( maybe bc of the virus) and I had a paper to turn in for school.
I attached what it shows me on my screen when I try to open my microsoft word starter.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑