conduit connect dlc 5 hijack + other nasties


MacsVista (thread starter; Member with 74 posts; Join Date: Oct 2012; Experience: Intermediate)
03-Nov-2013, 09:25 PM #1
came up with the 'conduit connect' browser hijack.
posting logs below for

hjt
attach
gmer

also a gmer.txt where i think i did it wrong - not sure about gmer
____________________________________________________________________

background in reverse sequence: (read from bottom up may make more sense)

using avast free for 2 yrs

i ran malwarebytes today and found 51 bad files. fixed according to mwb

-was looking for free vpn to watch F1 races, as expat shield began charging for that.

tried 2 vpns, no joy.

and neglected to uncheck add-ons using standard install. warn others to check custom install, and slow down when going for these 'free' services.

-previous freeze (2 days ago) using chrome on local govt gis service. unplug and reboot failed. nothing would work, not repair, not even safe mode.
had to pay tech guy $70 to come over and repair vista with his cd.
all good, working fine. made fresh back up

-previously other take-in shop was gonna say hd was failing and charge $80.
they put hd back in (crooks) lucky to get out of there for $15.
belarc says hd smart is healthy. never had hd symptoms, only corrupt vista.
however hd data recovery could be lucrative for them.

-previously win explorer was giving numerous 'ownership' errors (see previous posts)
and win explorer quirks (corrupt)

-vista sucks anyway
MacsVista (thread starter), 03-Nov-2013, 11:42 PM #2
also have 'OkayFreedomSevice' in processes

under 'locate file location'
there is a folder in 'program files' with 3 subfolders

all of which give error message 'you need permission to perform this action'

aka~ delete this file
MacsVista (thread starter), 04-Nov-2013, 12:50 AM #3
i've run avast 'browser cleanup' tool and firefox seems to be rid of conduit connect

however cannot remove 'conduit' folder from 'program files'
MacsVista (thread starter), 04-Nov-2013, 12:55 AM #4
TBVerifier.dll is in folder

program files>conduit>ct3306061>plugins

delete
you need permission to perform this action
MacsVista (thread starter), 04-Nov-2013, 01:00 AM #5
TBVerifier.dll

was able to rename file to '~'
but still unable to delete
dvk01 (Derek), Moderator & Malware Removal Specialist with 45,452 posts; authorized to help remove malware; Join Date: Dec 2002; Location: Loughton, Essex, UK
04-Nov-2013, 07:02 AM #6
Click on this link to download ADWCleaner. Click on the Download Now button and save it to your desktop.

NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

Close your browser and double click on this icon on your desktop:



You will then see the screen below, click on the Scan button (as indicated), accept any prompts that appear and allow it to run, it may take several minutes to complete, when it is done click on the Clean button, accept any prompts that appear and allow the system to reboot. You will then be presented with the report, Copy & Paste it into your next post.


MacsVista (thread starter), 04-Nov-2013, 03:14 PM #7
thanks for your help

ran adwcleaner. pasted below
it seems to have deleted quite a bit of stuff

got this ms windows notice after reboot
'rndlresolversvc.exe stopped working and was closed'
'a problem caused ... to stop working properly...'

also got virus alert from avast during cleaner run saying something about adwcleaner..?


---------------------log--------------
# AdwCleaner v3.011 - Report created 04/11/2013 at 13:42:28
# Updated 03/11/2013 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Username : Adele S - MOSQUITOCREEK3
# Running from : C:\Users\Adele S\Desktop\Virus Nov 2013\AdwCleaner(1).exe
# Option : Clean

***** [ Services ] *****

Service Deleted : vToolbarUpdater17.0.12

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Adele S\AppData\Local\Conduit
Folder Deleted : C:\Users\ADELES~1\AppData\Local\Temp\hotspot shield
Folder Deleted : C:\Users\Adele S\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Adele S\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Adele S\AppData\Roaming\DSite
Folder Deleted : C:\Users\Adele S\AppData\Roaming\Searchprotect
Folder Deleted : C:\Program Files\Mozilla Firefox\Extensions\afurladvisor@anchorfree.com
File Deleted : C:\END
File Deleted : C:\Users\ADELES~1\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\.autoreg
File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\bProtector_extensions.rdf
File Deleted : C:\Program Files\Mozilla Firefox\Components\AskSearch.js
File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\invalidprefs.js
File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\searchplugins\Conduit.xml
File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\user.js
File Deleted : C:\Users\Adele S\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_eooncjejnppfjjklapaamhcdmjbilmde_0.localstorage

***** [ Shortcuts ] *****


***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0259D296-5BC7-4DD6-99F9-69EF035B7733}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{025A481A-2069-45BC-8775-47B2A983C95B}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0B098167-18AB-44C0-AE1F-92B9E9B4BC50}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{13E86AB5-238D-47E1-92E6-34470347E16B}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{805BA885-45A6-4160-8743-D31546043FCA}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\84df8cb438ea47
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2549263
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3306061
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
[#] Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Delta
Key Deleted : HKLM\Software\TENCENT
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16514

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default]

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\prefs.js ]

Line Deleted : user_pref("CT3306061.FF19Solved", "true");
Line Deleted : user_pref("CT3306061.UserID", "UN69504611632361824");
Line Deleted : user_pref("CT3306061.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3306061.fullUserID", "UN69504611632361824.IN.20131103135351");
Line Deleted : user_pref("CT3306061.installDate", "03/11/2013 13:53:56");
Line Deleted : user_pref("CT3306061.installSessionId", "{EF16BAB0-99F2-43BB-A8F9-B6C630D527A8}");
Line Deleted : user_pref("CT3306061.installSp", "TRUE");
Line Deleted : user_pref("CT3306061.installerVersion", "1.8.0.14");
Line Deleted : user_pref("CT3306061.keyword", "true");
Line Deleted : user_pref("CT3306061.originalHomepage", "about:home");
Line Deleted : user_pref("CT3306061.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT3306061.originalSearchEngine", "");
Line Deleted : user_pref("CT3306061.originalSearchEngineName", "");
Line Deleted : user_pref("CT3306061.searchRevert", "true");
Line Deleted : user_pref("CT3306061.searchUserMode", "2");
Line Deleted : user_pref("CT3306061.smartbar.homepage", "true");
Line Deleted : user_pref("CT3306061.toolbarInstallDate", "03-11-2013 13:53:51");
Line Deleted : user_pref("CT3306061.versionFromInstaller", "10.21.1.7");
Line Deleted : user_pref("CT3306061.xpeMode", "0");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "Connect DLC 5 Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN69504611632361824&UM=2&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("extensions.delta.admin", false);
Line Deleted : user_pref("extensions.delta.aflt", "babsst");
Line Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Line Deleted : user_pref("extensions.delta.autoRvrt", "false");
Line Deleted : user_pref("extensions.delta.dfltLng", "en");
Line Deleted : user_pref("extensions.delta.excTlbr", false);
Line Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Line Deleted : user_pref("extensions.delta.id", "c21e046600000000000000ffa8239fe3");
Line Deleted : user_pref("extensions.delta.instlDay", "15948");
Line Deleted : user_pref("extensions.delta.instlRef", "sst");
Line Deleted : user_pref("extensions.delta.newTab", false);
Line Deleted : user_pref("extensions.delta.prdct", "delta");
Line Deleted : user_pref("extensions.delta.prtnrId", "delta");
Line Deleted : user_pref("extensions.delta.rvrt", "false");
Line Deleted : user_pref("extensions.delta.smplGrp", "none");
Line Deleted : user_pref("extensions.delta.tlbrId", "base");
Line Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Line Deleted : user_pref("extensions.delta.vrsn", "1.8.24.6");
Line Deleted : user_pref("extensions.delta.vrsnTs", "1.8.24.616:52:59");
Line Deleted : user_pref("extensions.delta.vrsni", "1.8.24.6");
Line Deleted : user_pref("extensions.delta_i.babExt", "");
Line Deleted : user_pref("extensions.delta_i.babTrack", "affID=119351&tsp=4991");
Line Deleted : user_pref("extensions.delta_i.srcExt", "ss");
Line Deleted : user_pref("extensions.enabledItems", "helperbar@helperbar.com:1.0,{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}:1.0,{ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0,wrc@avast.com:20110101,{23fcfd51-4958-4f00-80a3-[...]
Line Deleted : user_pref("extensions.helperbar.DockingPositionDown", false);
Line Deleted : user_pref("extensions.helperbar.LastHiddenTime", 22477203);
Line Deleted : user_pref("extensions.helperbar.SmartbarDisabled", true);
Line Deleted : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3306061");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3306061&CUI=UN69504611632361824&UM=2&SearchSource=13");
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&SearchSource=2&CUI=UN69504611632361824&UM=2&q=");
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3306061");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3306061");
Line Deleted : user_pref("smartbar.machineId", "75JLUVWRJBM8SKQHQ3XRDJD+DMS3A6N2NKBFRC9IQK9+F741M13I7OOIVFGUHMT0689DBBAP/W3TO8JZKFX7PG");

-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\Adele S\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [90067 octets] - [04/11/2013 13:41:06]
AdwCleaner[S0].txt - [11981 octets] - [04/11/2013 13:42:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [12042 octets] ##########
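The Firefox section of the report above is a compact fingerprint of a search hijack: the toolbar keeps its own state under a CT3306061.* prefix, the Smartbar/Delta/helperbar families add their own prefs, and browser.search.defaulturl is repointed at search.conduit.com with a per-install CUI identifier baked into the query string. The Python script below is an added example, not code from this thread, from AdwCleaner or from its author. It parses user_pref lines the way they appear in prefs.js and flags the same three classes of indicator the report removed; the trusted-host and trusted-engine lists are assumptions standing in for a site's own policy, and the sample prefs are constructed from the lines quoted in the report plus two benign prefs that must not be flagged.

```python
"""Triage a Firefox prefs.js for search/homepage hijack indicators.

Added example, not the thread's or AdwCleaner's own code. It encodes, as a
script, the judgement AdwCleaner applied above when it deleted the
Conduit/Delta/Smartbar prefs and restored the search URL.
"""
import re
from urllib.parse import urlparse

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Conduit toolbars key their state under a CTnnnnnnn. prefix (CT3306061 in the report).
CONDUIT_ID_RE = re.compile(r"^CT\d{7}\.")

# Pref-name prefixes of the toolbar families named in the report. Assumption:
# this list is only what the page shows; other PUP families use other prefixes.
HIJACKER_PREFIXES = ("smartbar.", "Smartbar.", "extensions.delta", "extensions.helperbar.")

# Prefs that decide where search and start-page traffic goes.
URL_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}
ENGINE_NAME_PREFS = {"browser.search.defaultenginename", "browser.search.defaultthis.engineName"}

# Assumed site policy: the only search providers this machine should be using.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
TRUSTED_ENGINE_NAMES = {"Google", "Bing", "DuckDuckGo"}


def parse_prefs(text):
    """Yield (name, value) for each user_pref line; string values are unquoted."""
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, truncated lines
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        yield name, raw


def host_of(url):
    """Hostname of a URL, accepting the defanged hxxp:// form used in the report."""
    if url.startswith("hxxp"):
        url = "http" + url[4:]
    return (urlparse(url).hostname or "").lower()


def classify(name, value):
    """Return a reason string if this pref is a hijack indicator, else None."""
    if CONDUIT_ID_RE.match(name):
        return "Conduit toolbar state pref"
    if name.startswith(HIJACKER_PREFIXES):
        return "pref owned by a known toolbar family"
    if name in URL_PREFS and "://" in value:
        host = host_of(value)
        if host not in TRUSTED_SEARCH_HOSTS:
            return f"routes traffic to untrusted host {host}"
    if name in ENGINE_NAME_PREFS and value not in TRUSTED_ENGINE_NAMES:
        return f"default search engine renamed to {value!r}"
    return None


def triage(text):
    """Return [(pref_name, reason)] for every suspicious pref in a prefs.js body."""
    return [(n, r) for n, v in parse_prefs(text) if (r := classify(n, v))]


# Constructed sample modelled on the lines AdwCleaner deleted above, plus two
# benign prefs (about:home start page, a cookie setting) that must not be flagged.
SAMPLE_PREFS = r'''
user_pref("browser.search.defaultthis.engineName", "Connect DLC 5 Customized Web Search");
user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN69504611632361824&UM=2&SearchSource=3&q={searchTerms}");
user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3306061&CUI=UN69504611632361824&UM=2&SearchSource=13");
user_pref("CT3306061.installDate", "03/11/2013 13:53:56");
user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
user_pref("browser.startup.homepage", "about:home");
user_pref("network.cookie.cookieBehavior", 0);
'''

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_PREFS):
        print(f"{name}: {reason}")
```

Run it against a real profile with `triage(open(path_to_prefs_js).read())`. The URL check is the one that generalises: a hijacker the prefix list has never heard of still has to point browser.search.defaulturl or the homepage somewhere, and that host is what gets caught. Note that this only reads prefs.js; the report also removed a user.js, a searchplugins XML and an extension directory, which override or sit beside prefs.js and need their own checks.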
MacsVista (thread starter), 04-Nov-2013, 03:22 PM #8
conduit folder is gone

but okayfreedom folder still in program files
can't delete
not showing in add/remove programs
MacsVista (thread starter), 04-Nov-2013, 03:27 PM #9
ended process okayfreedom (task mgr)

was then able to delete okay freedom folder
dvk01 (Derek), Moderator & Malware Removal Specialist, 04-Nov-2013, 05:01 PM #10
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully
Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

Download ComboFix from here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on renamed combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboot is due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...
MacsVista (thread starter), 04-Nov-2013, 06:35 PM #11
below is the combo fix log

it seems to have deleted 5 gigs of something

when i tried to turn off windows defender i got an error message ?


ComboFix 13-11-03.02 - Adele S 11/04/2013 16:47:56.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3453.2387 [GMT -5:00]
Running from: c:\users\Adele S\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\SetupDWGTrueView2013_32bit.exe
C:\Thumbs.db
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\Temp
c:\windows\system32\Temp\DWFmonitor3.inf
c:\windows\system32\Temp\DWFPortMon3.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-10-04 to 2013-11-04 )))))))))))))))))))))))))))))))
.
.
2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Adele S\AppData\Local\temp
2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Kyl\AppData\Local\temp
2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-11-04 18:40 . 2013-11-04 19:17 -------- d-----w- C:\AdwCleaner
2013-11-04 02:26 . 2013-10-14 06:39 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D01154A-6815-4442-93CA-BBD04F5DA357}\mpengine.dll
2013-11-03 19:01 . 2013-11-04 03:06 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos VPN
2013-11-03 18:59 . 2013-11-03 18:59 -------- d-----w- c:\program files\Common Files\Steganos
2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\NativeMessaging
2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\CRE
2013-11-03 18:53 . 2013-11-03 21:32 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos
2013-11-01 15:46 . 2013-11-01 15:46 -------- d-----w- c:\users\Adele S\AppData\Roaming\Oracle
2013-11-01 05:00 . 2013-11-01 05:00 -------- d-----w- c:\programdata\Oracle
2013-11-01 05:00 . 2013-10-08 11:50 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-22 03:32 . 2013-10-22 03:35 -------- d-----w- c:\users\Adele S\MiTek
2013-10-22 02:37 . 2013-10-22 02:37 -------- d-----w- c:\program files\MiTek
2013-10-22 02:35 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2013-10-10 04:37 . 2013-07-12 09:04 73344 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2013-10-10 04:37 . 2013-06-26 23:01 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-10-10 04:37 . 2013-06-04 01:49 293376 ----a-w- c:\windows\system32\atmfd.dll
2013-10-10 04:37 . 2013-06-04 04:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-10-10 04:37 . 2013-07-04 04:21 532480 ----a-w- c:\windows\system32\comctl32.dll
2013-10-10 04:37 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-10-10 04:37 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-08 23:04 . 2012-08-09 02:07 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-08 23:04 . 2012-07-11 01:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-02 13:53 . 2013-04-10 21:13 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-09-03 19:35 . 2009-10-02 19:35 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-30 07:48 . 2013-03-14 00:00 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-08-30 07:48 . 2011-04-21 01:41 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-08-30 07:48 . 2011-04-21 01:41 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-08-30 07:48 . 2013-03-14 00:00 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-08-30 07:48 . 2011-04-21 01:41 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-08-30 07:48 . 2011-04-21 01:41 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-08-30 07:48 . 2011-04-21 01:41 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-08-30 07:48 . 2011-04-21 01:41 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-08-30 07:47 . 2011-04-21 01:40 41664 ----a-w- c:\windows\avastSS.scr
2013-08-30 07:47 . 2011-04-21 01:40 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-08-22 12:40 . 2013-08-22 12:40 35288 ----a-w- c:\windows\system32\drivers\tap0901.sys
2013-08-20 04:03 . 2013-08-20 04:03 3477508 ----a-w- c:\programdata\SPL2307.tmp
2013-01-21 18:11 . 2013-01-21 18:09 31181592 ----a-w- c:\program files\DWFWriter4Setup.exe
1999-03-25 01:06 . 2013-01-12 16:15 45056 ----a-w- c:\program files\ACETUTIL.ARX
1999-03-25 01:06 . 2013-01-12 16:15 16384 ----a-w- c:\program files\ACETUTIL.DLL
1999-03-18 15:17 . 2013-01-12 16:15 492032 ----a-w- c:\program files\SCRIPTPRO.EXE
1999-03-06 11:25 . 2013-01-12 16:15 274 ----a-w- c:\program files\SAMPLE-DWFOUT.SCR
1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-SAVEAS-2000.SCR
1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-DXFOUT-2000.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R14.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R13.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R14.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R13.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R12.SCR
2010-02-06 03:13 . 2013-07-02 22:24 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"Akamai NetSession Interface"="c:\users\Adele S\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"chromium"="c:\program files\Google\Chrome\Application\chrome.exe" [2013-10-09 844752]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-13 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1386776]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"LXCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 106496]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2007-05-11 205744]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2007-05-11 103344]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"ADSK DLMSession"="c:\program files\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-05-15 1632216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-04 295512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Adele S^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 20:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-18 03:25 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 23:04]
.
2013-11-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-21 18:31]
.
2013-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
.
2013-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
.
2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001Core.job
- c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
.
2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001UA.job
- c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
.
2011-01-16 c:\windows\Tasks\User_Feed_Synchronization-{53808186-85FD-435C-B61C-8FEB50FCB859}.job
- c:\windows\system32\msfeedssync.exe [2012-05-05 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com
mSearch Bar =
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A8239FE3-DA45-4589-940D-16A3CBCA005B}: NameServer = 8.8.8.8
FF - ProfilePath - c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - ExtSQL: 2013-11-03 13:31; {6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}; c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi
FF - ExtSQL: !HIDDEN! 2009-06-28 18:46; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-OKAYFREEDOM_Agent - c:\program files\OkayFreedom\OkayFreedomClient.exe
c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TunesNINJA.lnk - c:\users\Adele S\AppData\Roaming\TunesNINJA\TunesNINJA.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MetroFax Printer.lnk - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-04 17:03
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???? ??????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ?????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????`?2??????@???x?????????
.
scanning hidden files ...
.
.
c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TunesNINJA.lnk 917 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-11-04 17:08:50
ComboFix-quarantined-files.txt 2013-11-04 22:08
ComboFix2.txt 2012-10-14 21:52
.
Pre-Run: 27,828,473,856 bytes free
Post-Run: 32,814,706,688 bytes free
.
- - End Of File - - AA71F7F77E3FC052992A6E1774015992
5B5E648D12FCADC244C1EC30318E1EB9
Member with 74 posts.
THREAD STARTER
Join Date: Oct 2012
Experience: Intermediate
04-Nov-2013, 06:46 PM #12
windows defender error :

"application failed to initialize: 0x800106ba. a problem caused this program's service to stop.
to start this service, restart your computer or search help and support for how to start a service manually."

no joy with starting manually?
dvk01 (Derek), authorized to help remove malware.
Moderator & Malware Removal Specialist with 45,452 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
04-Nov-2013, 06:51 PM #13
windows defender is normally turned off when Avast or another antivirus is installed
but let's see if it comes back on after we fix this & then reboot again
Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)
Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply


Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

This will create a zip file inside C:\QooBox\quarantine named something like [38]-Submit_2008-01-17@17.50.zip

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to
http://www.bleepingcomputer.com/subm...php?channel=38 and upload the file there
Member with 74 posts.
THREAD STARTER
Join Date: Oct 2012
Experience: Intermediate
04-Nov-2013, 08:06 PM #14
rebooted and this:
rndlresolversvc.exe stopped working and was closed

then the same windows defender error above again.

i'm going to try the script / zip instructions and repost.

i don't know how long the defender issue has been going on, i only discovered it because of instructions to turn it off.

i have been getting windows update errors for a few months. couldn't guess as to whether any of this is related.

i'll post the update error codes in later post
Member with 74 posts.
THREAD STARTER
Join Date: Oct 2012
Experience: Intermediate
04-Nov-2013, 09:32 PM #15
here is the new combo fix log:
had error message part way through:
'pev.3xe stopped working'
process was stopped etc. etc.

ComboFix 13-11-03.02 - Adele S 11/04/2013 19:45:01.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3453.2244 [GMT -5:00]
Running from: c:\users\Adele S\Desktop\ComboFix.exe
Command switches used :: c:\users\Adele S\Desktop\Virus Nov 2013\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2013-10-05 to 2013-11-05 )))))))))))))))))))))))))))))))
.
.
2013-11-05 01:00 . 2013-11-05 01:11 -------- d-----w- c:\users\Adele S\AppData\Local\temp
2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Kyl\AppData\Local\temp
2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-04 18:40 . 2013-11-04 19:17 -------- d-----w- C:\AdwCleaner
2013-11-04 02:26 . 2013-10-14 06:39 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D01154A-6815-4442-93CA-BBD04F5DA357}\mpengine.dll
2013-11-03 19:01 . 2013-11-04 03:06 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos VPN
2013-11-03 18:59 . 2013-11-03 18:59 -------- d-----w- c:\program files\Common Files\Steganos
2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\NativeMessaging
2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\CRE
2013-11-03 18:53 . 2013-11-03 21:32 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos
2013-11-01 15:46 . 2013-11-01 15:46 -------- d-----w- c:\users\Adele S\AppData\Roaming\Oracle
2013-11-01 05:00 . 2013-11-01 05:00 -------- d-----w- c:\programdata\Oracle
2013-11-01 05:00 . 2013-10-08 11:50 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-22 03:32 . 2013-10-22 03:35 -------- d-----w- c:\users\Adele S\MiTek
2013-10-22 02:37 . 2013-10-22 02:37 -------- d-----w- c:\program files\MiTek
2013-10-22 02:35 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2013-10-10 04:37 . 2013-07-12 09:04 73344 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2013-10-10 04:37 . 2013-06-26 23:01 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-10-10 04:37 . 2013-06-04 01:49 293376 ----a-w- c:\windows\system32\atmfd.dll
2013-10-10 04:37 . 2013-06-04 04:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-10-10 04:37 . 2013-07-04 04:21 532480 ----a-w- c:\windows\system32\comctl32.dll
2013-10-10 04:37 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-10-10 04:37 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-08 23:04 . 2012-08-09 02:07 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-08 23:04 . 2012-07-11 01:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-02 13:53 . 2013-04-10 21:13 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-09-03 19:35 . 2009-10-02 19:35 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-30 07:48 . 2013-03-14 00:00 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-08-30 07:48 . 2011-04-21 01:41 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-08-30 07:48 . 2011-04-21 01:41 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-08-30 07:48 . 2013-03-14 00:00 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-08-30 07:48 . 2011-04-21 01:41 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-08-30 07:48 . 2011-04-21 01:41 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-08-30 07:48 . 2011-04-21 01:41 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-08-30 07:48 . 2011-04-21 01:41 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-08-30 07:47 . 2011-04-21 01:40 41664 ----a-w- c:\windows\avastSS.scr
2013-08-30 07:47 . 2011-04-21 01:40 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-08-22 12:40 . 2013-08-22 12:40 35288 ----a-w- c:\windows\system32\drivers\tap0901.sys
2013-08-20 04:03 . 2013-08-20 04:03 3477508 ----a-w- c:\programdata\SPL2307.tmp
2013-01-21 18:11 . 2013-01-21 18:09 31181592 ----a-w- c:\program files\DWFWriter4Setup.exe
1999-03-25 01:06 . 2013-01-12 16:15 45056 ----a-w- c:\program files\ACETUTIL.ARX
1999-03-25 01:06 . 2013-01-12 16:15 16384 ----a-w- c:\program files\ACETUTIL.DLL
1999-03-18 15:17 . 2013-01-12 16:15 492032 ----a-w- c:\program files\SCRIPTPRO.EXE
1999-03-06 11:25 . 2013-01-12 16:15 274 ----a-w- c:\program files\SAMPLE-DWFOUT.SCR
1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-SAVEAS-2000.SCR
1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-DXFOUT-2000.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R14.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R13.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R14.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R13.SCR
1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R12.SCR
2010-02-06 03:13 . 2013-07-02 22:24 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"Akamai NetSession Interface"="c:\users\Adele S\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"chromium"="c:\program files\Google\Chrome\Application\chrome.exe" [2013-10-09 844752]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-13 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"NDSTray.exe"="NDSTray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1386776]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"LXCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 106496]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2007-05-11 205744]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2007-05-11 103344]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"ADSK DLMSession"="c:\program files\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-05-15 1632216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-04 295512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Adele S^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 20:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-18 03:25 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 23:04]
.
2013-11-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-21 18:31]
.
2013-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
.
2013-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
.
2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001Core.job
- c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
.
2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001UA.job
- c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
.
2011-01-16 c:\windows\Tasks\User_Feed_Synchronization-{53808186-85FD-435C-B61C-8FEB50FCB859}.job
- c:\windows\system32\msfeedssync.exe [2012-05-05 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com
mSearch Bar =
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A8239FE3-DA45-4589-940D-16A3CBCA005B}: NameServer = 8.8.8.8
FF - ProfilePath - c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - ExtSQL: 2013-11-03 13:31; {6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}; c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi
FF - ExtSQL: !HIDDEN! 2009-06-28 18:46; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-04 20:10
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???? ??????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ?????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????`?2??????@???x?????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5008)
c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
c:\program files\Common Files\Autodesk Shared\DWF Common\en-US\DWFShellExtensionRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Expat Shield\bin\openvpnas.exe
c:\program files\Expat Shield\HssWPR\hsssrv.exe
c:\program files\Expat Shield\bin\hsswd.exe
c:\windows\system32\lxcicoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Expat Shield\bin\openvpntray.exe
c:\windows\RtHDVCpl.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-11-04 20:18:46 - machine was rebooted
ComboFix-quarantined-files.txt 2013-11-05 01:18
ComboFix2.txt 2013-11-04 22:08
ComboFix3.txt 2012-10-14 21:52
.
Pre-Run: 27,288,457,216 bytes free
Post-Run: 27,070,464,000 bytes free
.
- - End Of File - - 901C91A21BCCF1811963B5805B9883FA
5B5E648D12FCADC244C1EC30318E1EB9