1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

After virus: CMD loads before desktop

Discussion in 'Virus & Other Malware Removal' started by bsimon, May 22, 2013.

Thread Status:
Not open for further replies.
Advertisement
  1. bsimon

    bsimon Thread Starter

    Joined:
    Apr 16, 2013
    Messages:
    38
    I just removed the FBI Moneypak virus from a user's personal computer. When I do it at work, I can just move their local data somewhere and give them a new profile, but I'm trying to keep the main profile on this user's computer so nothing has to be done outside of removing the virus and the visible tracks that it was there.

    After the virus was gone and I ran MB/CCleaner/etc, everything was back to normal except upon logging into her profile, a command prompt would automatically pop up before the desktop would load (similar to how the virus acts) with the following text in the prompt:

    c:\users\christine\documents\31e36b34.exe is not recognized as an internal or external command, operable program or batch file.

    c:\windows\system32>

    I'm guessing that 31e36b34.exe is what the virus used to refer to. From there, I can run "explorer.exe" and the desktop will start up fine, and then after exiting the command prompt, you would never know there was a virus on the computer.

    Any suggestions on how to rid the computer of looking for this exe before loading the desktop?

    Thanks in advance.
     
  2. Netghost56

    Netghost56

    Joined:
    Apr 4, 2013
    Messages:
    894
    Maybe check the Startup tab under msconfig and see if it's set to run?
     
  3. bsimon

    bsimon Thread Starter

    Joined:
    Apr 16, 2013
    Messages:
    38
    Nothing is set to start up on msconfig that I don't recognize.
     
  4. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Looks like you have remnants of the infection left behind so we had better do a full check. I shall have this moved to the Malware forum while we do the clean up.

    Please do not run any other scans or make any changes to the system that I have not asked you to do as this can cause confusion in the log results.

    Please go Here and follow the instructions to run DDS, then Copy and Paste both the logs into your next reply. You need not run HJT or GMER.

    Please run these three scans and post the logs:

    SCAN 1
    Click on this link to download : ADWCleaner and save it to your desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    Close your browser and click on this icon on your desktop: [​IMG]

    You will then see the screen below, click on the Delete button (as indicated), accept any prompts that appear and allow it to reboot the PC. When the PC has rebooted you will be presented with the report, copy & paste it into your next post. If the log does not appear you should find it on your C: drive, using Windows Explorer, as ADWCleaner[S1].

    [​IMG]



    SCAN 2
    Download RogueKiller (by tigzy) and save direct to your Desktop.
    On the web page select the 32bit or 64bit button to match the bit rate of your version of Windows.

    • Quit all running programs.
    • Start RogueKiller.exe by double clicking on the icon.
    • Wait until Prescan has finished.
    • Ensure all boxes are ticked under "Report" tab.
    • Click on Scan.
    • Click on Report when complete. Copy/paste the contents of the report and paste into your next reply.
    • NOTE: DO NOT attempt to remove anything that the scan detects.

    [​IMG]



    SCAN 3
    Please download RKill
    There are three buttons to choose from with different names on, select the first one and save it to your desktop.


    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
    • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
    • If the tool does not run from any of the links provided, please let me know.

    DO NOT reboot, run Malwarebytes, let it update and run a full scan. If it finds anything, fix it and post the resulting log. If it finds nothing, post that log instead.

    You can download Malwarebytes from here if you do not have it: Malwarebytes
     
  5. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    75,940
    moved for you, Mark.......
     
  6. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Thank you :)(y)
     
  7. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    75,940
    de nada...I can move them as long as you can fix them; I can't handle that part. :)
     
  8. bsimon

    bsimon Thread Starter

    Joined:
    Apr 16, 2013
    Messages:
    38
    Thanks for the quick response.

    All other tasks are done - I'm running the full MB scan, after which I'll post all requested reports.
     
  9. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    I only wish I could move them myself as it would save to keep on asking, as I often do :).

    Bsimon, I'm ready when you are but will be away from my PC until later tonight, GMT+1.
     
  10. bsimon

    bsimon Thread Starter

    Joined:
    Apr 16, 2013
    Messages:
    38
    Okay, I've got the reports, 5 total. Wish there was a cleaner way to present this information:

    DDS
    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16483
    Run by christine at 18:05:11 on 2013-05-22
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4085.2467 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_fd9b60625db011f9\STacSV64.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\mfevtps.exe
    C:\Windows\system32\DRIVERS\o2flash.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\explorer.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    mStart Page = hxxp://searchfunmoods.com/?f=1&a=nv1&ir=nv1&cd=2XzuyEtN2Y1L1QzuyBtDtC0AtDyEyD0FyB0E0D0AtDtCtCyDtN0D0Tzu0CtAyBtBtN1L2XzutBtFtBtFtCtFyEtDyB&cr=809979400
    mDefault_Page_URL = hxxp://www.yahoo.com
    uProxyServer = localhost:21320
    uProxyOverride = <local>
    uURLSearchHooks: {00000000-6E41-4FD3-8538-502F5495E5FC} - <orphaned>
    uWinlogon: Shell = cmd.exe
    mWinlogon: Userinit = userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - <orphaned>
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
    mRunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
    StartupFolder: C:\Users\CHRIST~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
    StartupFolder: C:\Users\CHRIST~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
    DPF: {4125262D-2E47-11D3-9387-00C04F5B12B1} - hxxps://www.backup.com/user/webrestore.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    TCP: NameServer = 10.10.21.252 10.10.21.253
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A} : DHCPNameServer = 10.10.21.252 10.10.21.253
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\26473677966696 : DHCPNameServer = 10.1.0.153 172.20.83.10 10.1.0.251
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\642716E636963736F637 : DHCPNameServer = 192.168.2.1 192.168.1.254
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\67F63616C6372313 : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\C696E6B6379737 : DHCPNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Notify: SDWinLogon - SDWinLogon.dll
    SSODL: WebCheck - <orphaned>
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-mStart Page = hxxp://searchfunmoods.com/?f=1&a=nv1&ir=nv1&cd=2XzuyEtN2Y1L1QzuyBtDtC0AtDyEyD0FyB0E0D0AtDtCtCyDtN0D0Tzu0CtAyBtBtN1L2XzutBtFtBtFtCtFyEtDyB&cr=809979400
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
    x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    x64-DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2011-11-15 771536]
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-11-2 55280]
    R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2011-11-15 340216]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-11-2 203264]
    R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-10-18 201304]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-10-18 201304]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-10-18 201304]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-11-15 241456]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-11-15 218760]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2011-11-15 182752]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-5-21 1817560]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-5-21 1033688]
    R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-5-21 171928]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2009-11-2 656624]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2011-11-15 70112]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2011-11-15 309840]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2011-11-15 515968]
    R3 O2MDGRDR;O2MDGRDR;C:\Windows\System32\drivers\o2mdgx64.sys [2009-11-2 69152]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2009-11-2 172704]
    S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2012-9-30 196440]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2011-11-15 106552]
    S3 Passwdrenew;Passwdrenew;System32\rnpasswd.exe --> System32\rnpasswd.exe [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-5-21 19456]
    S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-21 57856]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-24 1255736]
    .
    =============== Created Last 30 ================
    .
    2013-05-22 21:21:26 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{462B0CDC-EF7D-46B9-AB3F-436E3262CC13}\offreg.dll
    2013-05-22 05:56:06 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{462B0CDC-EF7D-46B9-AB3F-436E3262CC13}\mpengine.dll
    2013-05-22 05:56:05 278800 ------w- C:\Windows\System32\MpSigStub.exe
    2013-05-22 03:51:41 -------- d-----w- C:\Windows\CheckSur
    2013-05-22 02:04:57 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll
    2013-05-22 01:49:05 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2013-05-22 01:48:08 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
    2013-05-22 01:48:02 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-05-22 01:40:12 -------- d-----w- C:\Program Files\CCleaner
    2013-05-22 01:31:42 -------- d-----w- C:\Windows\pss
    2013-05-22 01:06:27 -------- d-----w- C:\Users\christine\AppData\Roaming\Malwarebytes
    2013-05-22 01:05:52 -------- d-----w- C:\ProgramData\Malwarebytes
    2013-05-22 01:05:50 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2013-05-22 01:05:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-05-22 01:05:34 -------- d-----w- C:\Users\christine\AppData\Local\Programs
    2013-05-21 23:50:14 -------- d-----w- C:\Users\christine\AppData\Roaming\IObit
    2013-05-21 18:28:46 95744 ----a-w- C:\Windows\System32\rnpasswd.exe
    2013-05-21 01:20:14 -------- d-----w- C:\Emergency
    2013-05-15 08:02:55 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2013-05-15 08:02:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2013-05-15 02:47:37 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
    2013-05-14 23:36:30 16948616 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2013-05-08 00:11:12 -------- d-----w- C:\Users\christine\AppData\Local\LogMeIn Rescue Applet
    2013-04-24 01:54:46 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
    .
    ==================== Find3M ====================
    .
    2013-05-14 23:36:44 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-05-14 23:36:44 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
    2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
    2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
    2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
    2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
    2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
    2013-04-05 01:08:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2013-04-05 01:00:30 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2013-04-05 00:59:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2013-04-05 00:56:16 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2013-04-05 00:55:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2013-04-04 22:11:34 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2013-04-04 22:02:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2013-04-04 22:02:17 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2013-04-04 21:58:51 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2013-04-04 21:57:45 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
    2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
    2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
    2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
    2013-02-27 06:02:44 111448 ----a-w- C:\Windows\System32\consent.exe
    2013-02-27 05:48:00 1930752 ----a-w- C:\Windows\System32\authui.dll
    2013-02-27 05:47:10 70144 ----a-w- C:\Windows\System32\appinfo.dll
    2013-02-27 04:49:24 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
    .
    ============= FINISH: 18:05:41.27 ===============


    ADWCleaner
    # AdwCleaner v2.301 - Logfile created 05/22/2013 at 18:12:36
    # Updated 16/05/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : christine - CHRISTINE-PC
    # Boot Mode : Normal
    # Running from : C:\Users\christine\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Users\christine\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage
    File Deleted : C:\Users\christine\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage
    Folder Deleted : C:\Program Files (x86)\Ask.com
    Folder Deleted : C:\ProgramData\Tarma Installer
    Folder Deleted : C:\Users\christine\AppData\Local\PutLockerDownloader
    Folder Deleted : C:\Users\christine\AppData\LocalLow\Funmoods
    Folder Deleted : C:\Users\christine\AppData\LocalLow\ShopperReports3
    Folder Deleted : C:\Users\christine\AppData\Roaming\Funmoods
    Folder Deleted : C:\Users\christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Movie2KDownloader.com
    Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

    ***** [Registry] *****

    Key Deleted : HKCU\Software\1ClickDownload
    Key Deleted : HKCU\Software\APN
    Key Deleted : HKCU\Software\AppDataLow\AskToolbarInfo
    Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
    Key Deleted : HKCU\Software\AppDataLow\Software\ShopperReports3
    Key Deleted : HKCU\Software\Funmoods
    Key Deleted : HKCU\Software\InstallCore
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
    Key Deleted : HKCU\Software\YahooPartnerToolbar
    Key Deleted : HKCU\Software\Zugo
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
    Key Deleted : HKLM\Software\APN
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
    Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
    Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
    Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
    Key Deleted : HKLM\Software\Iminent
    Key Deleted : HKLM\Software\InstallCore
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B32966A2-F7C2-4362-A6CF-399EC8B44110}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{83B2FE06-BA20-4F7D-96C6-6FC3A4E877D3}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BEC9B38-BF39-4899-806E-A1C5DFEB60A2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AEBF09E2-0C15-43C8-99BF-928C645D98A0}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32966A2-F7C2-4362-A6CF-399EC8B44110}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8560AC2-21B5-4C1A-BDD4-BD12BC83B082}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E25DA6D6-C365-46CF-ABAF-DC5893135D7A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E6961C59-CFCE-4CCD-B794-BC78DB98413A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F8B4EC8A-2407-4BE0-AEE2-0F430D65A90D}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funmoods
    Key Deleted : HKLM\SOFTWARE\Tarma Installer
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16483

    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://searchfunmoods.com/?f=1&a=nv1&ir=nv1&cd=2XzuyEtN2Y1L1QzuyBtDtC0AtDyEyD0FyB0E0D0AtDtCtCyDtN0D0Tzu0CtAyBtBtN1L2XzutBtFtBtFtCtFyEtDyB&cr=809979400 --> hxxp://www.google.com
    Replaced : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Page] = hxxp://searchfunmoods.com/?f=1&a=nv1&ir=nv1&cd=2XzuyEtN2Y1L1QzuyBtDtC0AtDyEyD0FyB0E0D0AtDtCtCyDtN0D0Tzu0CtAyBtBtN1L2XzutBtFtBtFtCtFyEtDyB&cr=809979400 --> hxxp://www.google.com

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\christine\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [7937 octets] - [22/05/2013 18:12:36]

    ########## EOF - C:\AdwCleaner[S1].txt - [7997 octets] ##########


    RougeKiller
    RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : christine [Admin rights]
    Mode : Scan -- Date : 05/22/2013 18:19:53
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 12 ¤¤¤
    [TASK][SUSP PATH] Funmoods : C:\Users\CHRIST~1\AppData\Roaming\Funmoods\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:21320) -> FOUND
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9500420AS ATA Device +++++
    --- User ---
    [MBR] 51333bb0fa59a70b6bce5519702417e6
    [BSP] 0b035d86d359c4952cfd23d3083b4308 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1]_S_05222013_02d1819.txt >>
    RKreport[1]_S_05222013_02d1819.txt


    RKill
    Rkill 2.4.8 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 05/22/2013 06:22:05 PM in x64 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Active Proxy Server Detected

    * Proxy Disabled.
    * ProxyOverride value deleted.
    * ProxyServer value deleted.
    * AutoConfigURL value deleted.
    * Proxy settings were backed up to Registry file.

    Checking Registry for malware related settings:

    * Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

    Backup Registry file created at:
    C:\Users\christine\Desktop\rkill\rkill-05-22-2013-06-22-07.reg

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * No issues found.

    Checking Windows Service Integrity:

    * FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * No issues found.

    Program finished at: 05/22/2013 06:22:15 PM
    Execution time: 0 hours(s), 0 minute(s), and 10 seconds(s)


    MBam
    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.05.22.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    christine :: CHRISTINE-PC [administrator]

    5/22/2013 6:24:37 PM
    mbam-log-2013-05-22 (18-24-37).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 398906
    Time elapsed: 1 hour(s), 41 minute(s), 9 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  11. bsimon

    bsimon Thread Starter

    Joined:
    Apr 16, 2013
    Messages:
    38
    Also wanted to mention, after running these scans, I restarted the computer, logged back in, and at the command prompt (which we're trying to make go away) I ran dds.scr before explorer and the rest of Windows started up. Here's what that log showed:

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16483
    Run by christine at 23:18:09 on 2013-05-22
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4085.2754 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_fd9b60625db011f9\STacSV64.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\mfevtps.exe
    C:\Windows\system32\DRIVERS\o2flash.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    mStart Page = hxxp://www.google.com
    mDefault_Page_URL = hxxp://www.yahoo.com
    uWinlogon: Shell = cmd.exe
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - <orphaned>
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
    mRunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
    StartupFolder: C:\Users\CHRIST~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
    StartupFolder: C:\Users\CHRIST~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
    DPF: {4125262D-2E47-11D3-9387-00C04F5B12B1} - hxxps://www.backup.com/user/webrestore.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    TCP: NameServer = 10.10.21.252 10.10.21.253
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A} : DHCPNameServer = 10.10.21.252 10.10.21.253
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\26473677966696 : DHCPNameServer = 10.1.0.153 172.20.83.10 10.1.0.251
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\642716E636963736F637 : DHCPNameServer = 192.168.2.1 192.168.1.254
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\67F63616C6372313 : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{BEF73E0B-844E-41E8-BFC5-A37C4157867A}\C696E6B6379737 : DHCPNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Notify: SDWinLogon - SDWinLogon.dll
    SSODL: WebCheck - <orphaned>
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-mStart Page = hxxp://www.google.com
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
    x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    x64-DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2011-11-15 771536]
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-11-2 55280]
    R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2011-11-15 340216]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-11-2 203264]
    R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-10-18 201304]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-10-18 201304]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-10-18 201304]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-11-15 241456]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-11-15 218760]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2011-11-15 182752]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-5-21 1817560]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-5-21 1033688]
    R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-5-21 171928]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2009-11-2 656624]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2011-11-15 70112]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2011-11-15 309840]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2011-11-15 515968]
    R3 O2MDGRDR;O2MDGRDR;C:\Windows\System32\drivers\o2mdgx64.sys [2009-11-2 69152]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2009-11-2 172704]
    S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2012-9-30 196440]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2011-11-15 106552]
    S3 Passwdrenew;Passwdrenew;System32\rnpasswd.exe --> System32\rnpasswd.exe [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-5-21 19456]
    S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-21 57856]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-24 1255736]
    .
    =============== Created Last 30 ================
    .
    2013-05-22 05:56:06 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{462B0CDC-EF7D-46B9-AB3F-436E3262CC13}\mpengine.dll
    2013-05-22 05:56:05 278800 ------w- C:\Windows\System32\MpSigStub.exe
    2013-05-22 03:51:41 -------- d-----w- C:\Windows\CheckSur
    2013-05-22 02:04:57 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll
    2013-05-22 01:49:05 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2013-05-22 01:48:08 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
    2013-05-22 01:48:02 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
    2013-05-22 01:40:12 -------- d-----w- C:\Program Files\CCleaner
    2013-05-22 01:31:42 -------- d-----w- C:\Windows\pss
    2013-05-22 01:06:27 -------- d-----w- C:\Users\christine\AppData\Roaming\Malwarebytes
    2013-05-22 01:05:52 -------- d-----w- C:\ProgramData\Malwarebytes
    2013-05-22 01:05:50 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2013-05-22 01:05:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-05-22 01:05:34 -------- d-----w- C:\Users\christine\AppData\Local\Programs
    2013-05-21 23:50:14 -------- d-----w- C:\Users\christine\AppData\Roaming\IObit
    2013-05-21 18:28:46 95744 ----a-w- C:\Windows\System32\rnpasswd.exe
    2013-05-21 01:20:14 -------- d-----w- C:\Emergency
    2013-05-15 08:02:55 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2013-05-15 08:02:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2013-05-15 02:47:37 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
    2013-05-14 23:36:30 16948616 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2013-05-08 00:11:12 -------- d-----w- C:\Users\christine\AppData\Local\LogMeIn Rescue Applet
    2013-04-24 01:54:46 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
    .
    ==================== Find3M ====================
    .
    2013-05-14 23:36:44 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-05-14 23:36:44 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
    2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
    2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
    2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
    2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
    2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
    2013-04-05 01:08:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2013-04-05 01:00:30 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2013-04-05 00:59:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2013-04-05 00:56:16 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2013-04-05 00:55:47 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2013-04-04 22:11:34 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2013-04-04 22:02:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2013-04-04 22:02:17 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2013-04-04 21:58:51 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2013-04-04 21:57:45 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
    2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
    2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
    2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
    2013-02-27 06:02:44 111448 ----a-w- C:\Windows\System32\consent.exe
    2013-02-27 05:48:00 1930752 ----a-w- C:\Windows\System32\authui.dll
    2013-02-27 05:47:10 70144 ----a-w- C:\Windows\System32\appinfo.dll
    2013-02-27 04:49:24 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
    .
    ============= FINISH: 23:19:27.65 ===============​

    I can't help but notice this process "cscript.exe" running. I don't know much about it, but could this be throwing that cmd before windows starts?
     
  12. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    This is the entry that is causing cmd to run at start up: uWinlogon: Shell = cmd.exe, cscript.exe is a legitimate file.

    We now need to run another tool and then we will use it to remove the bad entry. ADWCleaner took out a bunch of Adware and hijacks from your browser, RogueKiller found a bad entry which needs to be dealt with. RKill found and removed a proxy setting. Please run fresh scans with both ADWCleaner and RogueKiller and post the new logs.

    Then continue with running this:

    STEP 1
    NOTE: If you have already used Combofix please delete the icon from your desktop.

    • Please download DeFogger and save it to your desktop.
    • Once downloaded, double-click on the DeFogger icon to start the tool.
    • The application window will appear.
    • You should now click on the Disable button to disable your CD Emulation drivers.
    • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.



    STEP 2
    Please download ComboFix [​IMG] from one of the locations below and save it to your Desktop. <-Important!!!


    Be sure to print out and follow these instructions: A guide and tutorial on using ComboFix

    Vista/Windows 7 users can skip the Recovery Console instructions and use the Windows DVD to boot into the Vista Recovery Environment or Windows 7 System Recovery Options if something goes awry. If you do not have a Windows 7 DVD then please create a Windows 7 Repair Disc. XP users need to install the Recovery Console first, just follow the prompts when you run it.

    • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click this link to see a list of such programs and how to disable them.
    • If ComboFix detects an older version of itself, you will be asked to update the program.
    • ComboFix will begin by showing a Disclaimer. Read it and click I Agree if you want to continue.
    • Follow the prompts and click on Yes to continue scanning for malware.
    • If using Windows 7 or Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
    • When finished, please copy and paste the contents of C:\ComboFix.txt (which will open after reboot) in your next reply.
    • Be sure to re-enable your anti-virus and other security programs.

    -- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.
    -- ComboFix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
    -- ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.


    If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier. Those instructions only apply to XP, for Vista and Windows 7 go here: Internet connection repair

    NOTE: if you see a message like this when you attempt to open anything after the reboot "Illegal Operation attempted on a registry key that has been marked for deletion" please reboot the system again and the warning should not return.

     
  13. bsimon

    bsimon Thread Starter

    Joined:
    Apr 16, 2013
    Messages:
    38
    Whatever ComboFix did fixed it, consider this thread solved.

    For good measure, here are the other logs as requested:

    AdwCleaner
    # AdwCleaner v2.301 - Logfile created 05/24/2013 at 18:45:37
    # Updated 16/05/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : christine - CHRISTINE-PC
    # Boot Mode : Normal
    # Running from : E:\EXTRA PROGRAMS\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****

    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16483
    [OK] Registry is clean.
    -\\ Google Chrome v [Unable to get version]
    File : C:\Users\christine\AppData\Local\Google\Chrome\User Data\Default\Preferences
    [OK] File is clean.
    *************************
    AdwCleaner[S1].txt - [8018 octets] - [22/05/2013 18:12:36]
    AdwCleaner[S2].txt - [735 octets] - [24/05/2013 18:45:37]
    ########## EOF - C:\AdwCleaner[S2].txt - [794 octets] ##########

    RougeKiller
    RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : christine [Admin rights]
    Mode : Scan -- Date : 05/24/2013 19:10:11
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 10 ¤¤¤
    [TASK][SUSP PATH] Funmoods : C:\Users\CHRIST~1\AppData\Roaming\Funmoods\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: ST9500420AS ATA Device +++++
    --- User ---
    [MBR] 51333bb0fa59a70b6bce5519702417e6
    [BSP] 0b035d86d359c4952cfd23d3083b4308 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: IVR37602 Innovera USB Device +++++
    --- User ---
    [MBR] 849d557a8163725bf8a0f5303ae49530
    [BSP] 8a0871f0339284c995fe90808f8b73e2 : MBR Code unknown
    Partition table:
    0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 1908 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Finished : << RKreport[1]_S_05242013_02d1910.txt >>
    RKreport[1]_S_05242013_02d1910.txt

    ComboFix
    ComboFix 13-05-24.01 - christine 05/24/2013 20:29:57.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4085.2866 [GMT -5:00]
    Running from: c:\users\christine\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
    FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
    SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\2433f433
    c:\users\christine\AppData\Roaming\2433f433
    c:\users\christine\AppData\Roaming\656C61.dat
    c:\users\christine\AppData\Roaming\656C61.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-04-25 to 2013-05-25 )))))))))))))))))))))))))))))))
    .
    .
    2013-05-25 01:36 . 2013-05-25 01:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-05-25 01:34 . 2013-05-25 01:34 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1EC57924-1BD4-44F2-9369-0B85EF5C4195}\offreg.dll
    2013-05-24 22:50 . 2013-05-14 06:48 9460464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1EC57924-1BD4-44F2-9369-0B85EF5C4195}\mpengine.dll
    2013-05-22 05:56 . 2013-05-02 07:06 278800 ------w- c:\windows\system32\MpSigStub.exe
    2013-05-22 03:51 . 2013-05-22 03:51 -------- d-----w- c:\windows\CheckSur
    2013-05-22 02:04 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
    2013-05-22 01:49 . 2013-05-22 01:51 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2013-05-22 01:48 . 2009-01-25 18:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
    2013-05-22 01:48 . 2013-05-22 01:48 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
    2013-05-22 01:40 . 2013-05-22 01:40 -------- d-----w- c:\program files\CCleaner
    2013-05-22 01:06 . 2013-05-22 01:06 -------- d-----w- c:\users\christine\AppData\Roaming\Malwarebytes
    2013-05-22 01:05 . 2013-05-22 01:05 -------- d-----w- c:\programdata\Malwarebytes
    2013-05-22 01:05 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-05-22 01:05 . 2013-05-22 01:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-05-22 01:05 . 2013-05-22 01:05 -------- d-----w- c:\users\christine\AppData\Local\Programs
    2013-05-21 23:50 . 2013-05-21 23:50 -------- d-----w- c:\users\christine\AppData\Roaming\IObit
    2013-05-21 18:28 . 2013-05-21 18:28 95744 ----a-w- c:\windows\system32\rnpasswd.exe
    2013-05-21 01:20 . 2013-05-21 01:20 -------- d-----w- C:\Emergency
    2013-05-15 08:02 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll
    2013-05-15 08:02 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2013-05-15 08:02 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2013-05-15 02:47 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2013-05-14 23:36 . 2013-05-14 23:36 16948616 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2013-05-08 00:11 . 2013-05-08 03:22 -------- d-----w- c:\users\christine\AppData\Local\LogMeIn Rescue Applet
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-05-15 08:08 . 2010-10-05 01:46 75016696 ----a-w- c:\windows\system32\MRT.exe
    2013-05-14 23:36 . 2012-10-18 01:52 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-05-14 23:36 . 2011-08-04 00:43 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-04-13 05:49 . 2013-05-15 02:47 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-04-13 05:49 . 2013-05-15 02:47 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2013-04-13 05:49 . 2013-05-15 02:47 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
    2013-04-13 05:49 . 2013-05-15 02:47 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
    2013-04-13 04:45 . 2013-05-15 02:47 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2013-04-13 04:45 . 2013-05-15 02:47 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
    2013-04-12 14:45 . 2013-04-24 01:54 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2013-03-19 06:04 . 2013-04-09 22:45 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-03-19 05:46 . 2013-04-09 22:45 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2013-03-19 05:04 . 2013-04-09 22:45 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2013-03-19 05:04 . 2013-04-09 22:45 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2013-03-19 04:47 . 2013-04-09 22:45 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
    2013-03-19 03:06 . 2013-04-09 22:45 112640 ----a-w- c:\windows\system32\smss.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-26 98304]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1532992]
    "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-05-16 3830224]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "STToasterLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe" [2009-08-17 120048]
    .
    c:\users\christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /K:C *
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
    R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-11-04 22528]
    R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-02-19 106552]
    R3 Passwdrenew;Passwdrenew;c:\windows\system32\rnpasswd.exe [2013-05-21 95744]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-26 1124848]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-24 1255736]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-02-19 340216]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-06-25 203264]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2013-02-19 218760]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-02-19 182752]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-05-16 1817560]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-05-16 1033688]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-05-15 171928]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2009-08-17 656624]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-02-19 70112]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-02-19 515968]
    S3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdgx64.sys [2009-05-22 69152]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-18 23:36]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-15 450048]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
    FontCache
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://google.com/
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.google.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.10.21.252 10.10.21.253
    DPF: {4125262D-2E47-11D3-9387-00C04F5B12B1} - hxxps://www.backup.com/user/webrestore.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-{574be437-25ae-4010-a53e-8c63b6ae02ff} - (no file)
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    Notify-SDWinLogon - SDWinLogon.dll
    HKLM_Wow6432Node-ActiveSetup-{8A69D345-D564-463c-AFF1-A69D9E530F96} - c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
    Toolbar-Locked - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-05-24 20:39:14
    ComboFix-quarantined-files.txt 2013-05-25 01:39
    .
    Pre-Run: 380,555,902,976 bytes free
    Post-Run: 379,781,083,136 bytes free
    .
    - - End Of File - - F45A5CB13CF6F6EBAF726C5D7CD67DB2
     
  14. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Ok, that is good news. There is one item in the RogueKiller log linked to Adware that should be taken out and we should check your security. We also need to clean up the tools used.


    • Quit all running programs.
    • Start RogueKiller.exe by double clicking on the icon.
    • Wait until Prescan has finished.
    • Ensure all boxes are ticked under "Report" tab.
    • Click on Scan.
    • Click on Delete when complete.
    • Click on Report when the Deletion completes. Copy/paste the contents of the report into your next reply.


    Download Security Check by screen317 from Here or Here.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please Copy & Paste the contents of that document into your next reply.

    ==========================================================================


    To re-enable your CD Emulation drivers if you disabled them, double click DeFogger.exe to run the tool again.


    • The application window will appear.
    • Click the Re-enable button to re-enable your CD Emulation drivers.
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine...click OK.

    To uninstall ComboFix, press the WINKEY + R keys on your keyboard or click on Start [​IMG]and type Run into the search box and hit Enter.
    In the Run box type: ComboFix /Uninstall (Be sure to leave a space before the forward slash).

    [​IMG]


    • Click on OK.
    • If you encounter any problems using the switch from the Run dialog box, just rename ComboFix.exe to Uninstall.exe, then double-click on it to remove.
    • This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.
    • When it has finished you will see a dialog box stating that "ComboFix has been uninstalled".
    • After that, you can delete the ComboFix.exe program from your computer (Desktop).

    Next

    • Download OTC by OldTimer and save it to your desktop.
    • Double click [​IMG] icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose Run as Administrator
    • Then Click the big [​IMG] button.
    • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
    • Restart your computer when prompted.

    -- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
    -- Any leftover folders/files related to ComboFix or other tools which OTC did not remove can be deleted manually (right-click on it and choose delete).



    Please post back when this is complete and let me know if you have had any problems.
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1099409

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice