
conduit connect dlc 5 hijack + other nasties

Discussion in 'Virus & Other Malware Removal' started by MacsVista, Nov 3, 2013.

  1. MacsVista

    MacsVista Thread Starter

    Joined:
    Oct 7, 2012
    Messages:
    74
    came up with the 'conduit connect' browser hijack.
    posting logs below for

    hjt
    attach
    gmer

    also a gmer.txt where i think i did it wrong - not sure about gmer
    ____________________________________________________________________

    background in reverse sequence: (read from bottom up may make more sense)

    using avast free for 2 yrs

    i ran malwarebytes today and found 51 bad files. fixed according to mwb

    -was looking for free vpn to watch F1 races, as expat shield began charging for that.

    tried 2 vpns, no joy.

    and neglected to uncheck add-ons using standard install. warn others to check custom install, and slow down when going for these 'free' services.

    -previous freeze (2 days ago) using chrome on local govt gis service. unplug and reboot failed. nothing would work, not repair, not even safe mode.
    had to pay tech guy $70 to come over and repair vista with his cd.
    all good, working fine. made fresh back up

    -previously other take-in shop was gonna say hd was failing and charge $80.
    they put hd back in (crooks) lucky to get out of there for $15.
    belarc says hd smart is healthy. never had hd symptoms, only corrupt vista.
    however hd data recovery could be lucrative for them.

    -previously win explorer was giving numerous 'ownership' errors (see previous posts)
    and win explorer quirks (corrupt)

    -vista sucks anyway
     


  2. MacsVista

    also have 'OkayFreedomSevice' in processes

    under 'locate file location'
    there is a folder in 'program files' with 3 subfolders

    all of which give error message 'you need permission to perform this action'

    aka~ delete this file
     
  3. MacsVista

    i've run avast 'browser cleanup' tool and firefox seems to be rid of conduit connect

    however cannot remove 'conduit' folder from 'program files'
     
  4. MacsVista

    TBVerifier.dll is in folder

    program files>conduit>ct3306061>plugins

    delete
    you need permission to perform this action
     
  5. MacsVista

    TBVerifier.dll

    was able to rename file to '~'
    but still unable to delete
     
  6. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,870
    Click on this link to download: ADWCleaner. Click on the Download Now button and save it to your desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    Close your browser and double click on this icon on your desktop:


    You will then see the screen below. Click on the Scan button (as indicated), accept any prompts that appear and allow it to run; it may take several minutes to complete. When it is done, click on the Clean button, accept any prompts that appear and allow the system to reboot. You will then be presented with the report. Copy & paste it into your next post.


     
  7. MacsVista

    thanks for your help

    ran adwcleaner. pasted below
    it seems to have deleted quite a bit of stuff

    got this ms windows notice after reboot
    'rndlresolversvc.exe stopped working and was closed'
    'a problem caused ... to stop working properly...'

    also got virus alert from avast during cleaner run saying something about adwcleaner?


    ---------------------log--------------
    # AdwCleaner v3.011 - Report created 04/11/2013 at 13:42:28
    # Updated 03/11/2013 by Xplode
    # Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # Username : Adele S - MOSQUITOCREEK3
    # Running from : C:\Users\Adele S\Desktop\Virus Nov 2013\AdwCleaner(1).exe
    # Option : Clean

    ***** [ Services ] *****

    Service Deleted : vToolbarUpdater17.0.12

    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\Babylon
    Folder Deleted : C:\ProgramData\Conduit
    Folder Deleted : C:\Program Files\Conduit
    Folder Deleted : C:\Program Files\Searchprotect
    Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
    Folder Deleted : C:\Users\Adele S\AppData\Local\Conduit
    Folder Deleted : C:\Users\ADELES~1\AppData\Local\Temp\hotspot shield
    Folder Deleted : C:\Users\Adele S\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Adele S\AppData\Roaming\Babylon
    Folder Deleted : C:\Users\Adele S\AppData\Roaming\DSite
    Folder Deleted : C:\Users\Adele S\AppData\Roaming\Searchprotect
    Folder Deleted : C:\Program Files\Mozilla Firefox\Extensions\[email protected]
    File Deleted : C:\END
    File Deleted : C:\Users\ADELES~1\AppData\Local\Temp\Uninstall.exe
    File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\.autoreg
    File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\bProtector_extensions.rdf
    File Deleted : C:\Program Files\Mozilla Firefox\Components\AskSearch.js
    File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\invalidprefs.js
    File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\searchplugins\Conduit.xml
    File Deleted : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\user.js
    File Deleted : C:\Users\Adele S\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_eooncjejnppfjjklapaamhcdmjbilmde_0.localstorage

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0259D296-5BC7-4DD6-99F9-69EF035B7733}
    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{025A481A-2069-45BC-8775-47B2A983C95B}
    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0B098167-18AB-44C0-AE1F-92B9E9B4BC50}
    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{13E86AB5-238D-47E1-92E6-34470347E16B}
    [#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{805BA885-45A6-4160-8743-D31546043FCA}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
    Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser.1
    Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
    Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
    Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
    Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
    Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
    Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
    Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
    Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
    Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
    Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
    Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
    Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
    Key Deleted : HKLM\SOFTWARE\84df8cb438ea47
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2549263
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3306061
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKCU\Software\BabSolution
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\DataMngr
    [#] Key Deleted : HKCU\Software\DataMngr_Toolbar
    Key Deleted : HKCU\Software\Delta
    Key Deleted : HKCU\Software\dsiteproducts
    Key Deleted : HKCU\Software\InstallCore
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
    Key Deleted : HKLM\Software\AVG Security Toolbar
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\DataMngr
    Key Deleted : HKLM\Software\Delta
    Key Deleted : HKLM\Software\TENCENT
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab

    ***** [ Browsers ] *****

    -\\ Internet Explorer v9.0.8112.16514

    Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl [Default]

    -\\ Mozilla Firefox v24.0 (en-US)

    [ File : C:\Users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\prefs.js ]

    Line Deleted : user_pref("CT3306061.FF19Solved", "true");
    Line Deleted : user_pref("CT3306061.UserID", "UN69504611632361824");
    Line Deleted : user_pref("CT3306061.browser.search.defaultthis.engineName", "true");
    Line Deleted : user_pref("CT3306061.fullUserID", "UN69504611632361824.IN.20131103135351");
    Line Deleted : user_pref("CT3306061.installDate", "03/11/2013 13:53:56");
    Line Deleted : user_pref("CT3306061.installSessionId", "{EF16BAB0-99F2-43BB-A8F9-B6C630D527A8}");
    Line Deleted : user_pref("CT3306061.installSp", "TRUE");
    Line Deleted : user_pref("CT3306061.installerVersion", "1.8.0.14");
    Line Deleted : user_pref("CT3306061.keyword", "true");
    Line Deleted : user_pref("CT3306061.originalHomepage", "about:home");
    Line Deleted : user_pref("CT3306061.originalSearchAddressUrl", "");
    Line Deleted : user_pref("CT3306061.originalSearchEngine", "");
    Line Deleted : user_pref("CT3306061.originalSearchEngineName", "");
    Line Deleted : user_pref("CT3306061.searchRevert", "true");
    Line Deleted : user_pref("CT3306061.searchUserMode", "2");
    Line Deleted : user_pref("CT3306061.smartbar.homepage", "true");
    Line Deleted : user_pref("CT3306061.toolbarInstallDate", "03-11-2013 13:53:51");
    Line Deleted : user_pref("CT3306061.versionFromInstaller", "10.21.1.7");
    Line Deleted : user_pref("CT3306061.xpeMode", "0");
    Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
    Line Deleted : user_pref("browser.search.defaultthis.engineName", "Connect DLC 5 Customized Web Search");
    Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN69504611632361824&UM=2&SearchSource=3&q={searchTerms}");
    Line Deleted : user_pref("extensions.delta.admin", false);
    Line Deleted : user_pref("extensions.delta.aflt", "babsst");
    Line Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
    Line Deleted : user_pref("extensions.delta.autoRvrt", "false");
    Line Deleted : user_pref("extensions.delta.dfltLng", "en");
    Line Deleted : user_pref("extensions.delta.excTlbr", false);
    Line Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
    Line Deleted : user_pref("extensions.delta.id", "c21e046600000000000000ffa8239fe3");
    Line Deleted : user_pref("extensions.delta.instlDay", "15948");
    Line Deleted : user_pref("extensions.delta.instlRef", "sst");
    Line Deleted : user_pref("extensions.delta.newTab", false);
    Line Deleted : user_pref("extensions.delta.prdct", "delta");
    Line Deleted : user_pref("extensions.delta.prtnrId", "delta");
    Line Deleted : user_pref("extensions.delta.rvrt", "false");
    Line Deleted : user_pref("extensions.delta.smplGrp", "none");
    Line Deleted : user_pref("extensions.delta.tlbrId", "base");
    Line Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
    Line Deleted : user_pref("extensions.delta.vrsn", "1.8.24.6");
    Line Deleted : user_pref("extensions.delta.vrsnTs", "1.8.24.616:52:59");
    Line Deleted : user_pref("extensions.delta.vrsni", "1.8.24.6");
    Line Deleted : user_pref("extensions.delta_i.babExt", "");
    Line Deleted : user_pref("extensions.delta_i.babTrack", "affID=119351&tsp=4991");
    Line Deleted : user_pref("extensions.delta_i.srcExt", "ss");
    Line Deleted : user_pref("extensions.enabledItems", "[email protected]:1.0,{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}:1.0,{ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0,[email protected]:20110101,{23fcfd51-4958-4f00-80a3-[...]
    Line Deleted : user_pref("extensions.helperbar.DockingPositionDown", false);
    Line Deleted : user_pref("extensions.helperbar.LastHiddenTime", 22477203);
    Line Deleted : user_pref("extensions.helperbar.SmartbarDisabled", true);
    Line Deleted : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);
    Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3306061");
    Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3306061&CUI=UN69504611632361824&UM=2&SearchSource=13");
    Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&SearchSource=2&CUI=UN69504611632361824&UM=2&q=");
    Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3306061");
    Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3306061");
    Line Deleted : user_pref("smartbar.machineId", "75JLUVWRJBM8SKQHQ3XRDJD+DMS3A6N2NKBFRC9IQK9+F741M13I7OOIVFGUHMT0689DBBAP/W3TO8JZKFX7PG");

    -\\ Google Chrome v30.0.1599.101

    [ File : C:\Users\Adele S\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [90067 octets] - [04/11/2013 13:41:06]
    AdwCleaner[S0].txt - [11981 octets] - [04/11/2013 13:42:28]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [12042 octets] ##########
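As an added example (not part of this thread and not AdwCleaner's own code), here is a small Python script that parses a report in the layout shown above and summarises what a responder wants to know first: how much was removed per section, which registry locations imply an autostart or browser-takeover foothold (Run values, BHOs, scheduled tasks, search scopes), which domains the removed browser preferences pointed at, and which profile files were touched. The sample report lines embedded in it are constructed to mirror the format of the log above, with the user name replaced by a placeholder and the GUIDs zeroed; the list of persistence locations is a heuristic chosen for this example, not anything AdwCleaner defines, and the "[#]" prefix is recorded without being interpreted.

```python
"""Triage helper for an AdwCleaner v3 'Clean' report (added example, not
AdwCleaner's own code): parses the section / action / browser / profile-file
lines of the report layout shown in the thread and summarises the cleanup."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the report above: user name replaced by a
# placeholder, GUIDs zeroed; the Conduit identifiers are the ones in the log.
SAMPLE_REPORT = r"""
# AdwCleaner v3.011 - Report created 04/11/2013 at 13:42:28
***** [ Files / Folders ] *****
Folder Deleted : C:\Program Files\Conduit
***** [ Registry ] *****
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00000000-0000-0000-0000-000000000001}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000003}
***** [ Browsers ] *****
-\\ Mozilla Firefox v24.0 (en-US)
[ File : C:\Users\EXAMPLE\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\prefs.js ]
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&q={searchTerms}");
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3306061");
"""

# Line shapes used by the report: section banner, browser header, profile file, action line.
SECTION_RE = re.compile(r"^\*{5}\s*\[\s*(?P<name>[^\]]+?)\s*\]\s*\*{5}$")
BROWSER_RE = re.compile(r"^-\\\\\s*(?P<browser>.+)$")
PROFILE_RE = re.compile(r"^\[\s*File\s*:\s*(?P<path>.+?)\s*\]$")
ACTION_RE = re.compile(r"^(?:\[#\]\s*)?(?P<kind>Service|Folder|File|Key|Value|Line|Setting)\s+"
                       r"(?P<action>Deleted|Restored)\s*:\s*(?P<target>.+)$")
PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);$')
URL_HOST_RE = re.compile(r'h(?:xx|tt)ps?://([^/"\s?&]+)', re.IGNORECASE)  # defanged hxxp accepted

# Heuristic (chosen for this example, not an AdwCleaner list): registry paths that
# mean the adware had an autostart or browser-takeover foothold, not just leftover data.
PERSISTENCE_MARKERS = (
    r"\CurrentVersion\Run", r"\Browser Helper Objects",
    r"\Schedule\TaskCache\Tasks", r"\SearchScopes",
    r"\Ext\PreApproved", r"\ElevationPolicy",
)

def parse_report(text):
    """Return one dict per action line; headers and blank lines are skipped."""
    entries, section, browser, profile = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, browser, profile = m.group("name"), None, None
        elif m := BROWSER_RE.match(line):
            browser, profile = m.group("browser"), None
        elif m := PROFILE_RE.match(line):
            profile = m.group("path")
        elif m := ACTION_RE.match(line):
            entries.append({
                "section": section, "browser": browser, "profile": profile,
                "kind": m.group("kind"), "action": m.group("action"),
                "target": m.group("target"),
                # Some entries carry a "[#]" prefix; the report does not say what
                # it means, so it is recorded here and not interpreted.
                "flagged": line.startswith("[#]"),
            })
    return entries

def count_by_section(entries):
    """{section: {kind: count}}, the scale of the cleanup at a glance."""
    out = defaultdict(Counter)
    for e in entries:
        out[e["section"]][e["kind"]] += 1
    return {s: dict(c) for s, c in out.items()}

def persistence_hits(entries):
    """Registry targets sitting in an autostart / browser-takeover location."""
    return [e["target"] for e in entries if e["kind"] in ("Key", "Value")
            and any(mk.lower() in e["target"].lower() for mk in PERSISTENCE_MARKERS)]

def redirect_domains(entries):
    """Hosts that removed browser preferences pointed at (where searches went)."""
    hosts = set()
    for e in entries:
        if e["kind"] == "Line" and (m := PREF_RE.match(e["target"])):
            hosts.update(h.lower() for h in URL_HOST_RE.findall(m.group("value")))
    return sorted(hosts)

def triage(text):
    """One-shot summary of a report string."""
    entries = parse_report(text)
    return {
        "entries": len(entries),
        "flagged": sum(e["flagged"] for e in entries),
        "by_section": count_by_section(entries),
        "persistence": persistence_hits(entries),
        "redirect_domains": redirect_domains(entries),
        "touched_profiles": sorted({e["profile"] for e in entries if e["profile"]}),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run as-is it summarises the embedded sample; to summarise a saved report, pass the file contents to `triage()` (for example `triage(open(path, encoding="utf-8", errors="replace").read())`). The "persistence" list is the part worth reading first: a Run value, a BHO CLSID or a scheduled task means the adware was relaunching itself, which is exactly why a plain folder delete (as tried earlier in this thread) keeps failing until the running component is stopped.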
     
  8. MacsVista

    conduit folder is gone

    but okayfreedom folder still in program files
    can't delete
    not showing in add/remove programs
     
  9. MacsVista

    ended process okayfreedom (task mgr)

    was then able to delete okay freedom folder
     
  10. dvk01

    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully
    Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all.
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished.
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on renamed combofix.exe & follow the prompts.
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

    Please tell us if it has cured the problems or if there are any outstanding issues

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot is due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

    Post the log in next reply please...
     
  11. MacsVista

    below is the combo fix log

    it seems to have deleted 5 gigs of something

    when i tried to turn off windows defender i got an error message ?


    ComboFix 13-11-03.02 - Adele S 11/04/2013 16:47:56.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3453.2387 [GMT -5:00]
    Running from: c:\users\Adele S\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\SetupDWGTrueView2013_32bit.exe
    C:\Thumbs.db
    c:\windows\pkunzip.pif
    c:\windows\pkzip.pif
    c:\windows\system32\drivers\etc\hosts.ics
    c:\windows\system32\Temp
    c:\windows\system32\Temp\DWFmonitor3.inf
    c:\windows\system32\Temp\DWFPortMon3.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-10-04 to 2013-11-04 )))))))))))))))))))))))))))))))
    .
    .
    2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Adele S\AppData\Local\temp
    2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Public\AppData\Local\temp
    2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Kyl\AppData\Local\temp
    2013-11-04 22:03 . 2013-11-04 22:03 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2013-11-04 18:40 . 2013-11-04 19:17 -------- d-----w- C:\AdwCleaner
    2013-11-04 02:26 . 2013-10-14 06:39 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D01154A-6815-4442-93CA-BBD04F5DA357}\mpengine.dll
    2013-11-03 19:01 . 2013-11-04 03:06 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos VPN
    2013-11-03 18:59 . 2013-11-03 18:59 -------- d-----w- c:\program files\Common Files\Steganos
    2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\NativeMessaging
    2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\CRE
    2013-11-03 18:53 . 2013-11-03 21:32 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos
    2013-11-01 15:46 . 2013-11-01 15:46 -------- d-----w- c:\users\Adele S\AppData\Roaming\Oracle
    2013-11-01 05:00 . 2013-11-01 05:00 -------- d-----w- c:\programdata\Oracle
    2013-11-01 05:00 . 2013-10-08 11:50 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-10-22 03:32 . 2013-10-22 03:35 -------- d-----w- c:\users\Adele S\MiTek
    2013-10-22 02:37 . 2013-10-22 02:37 -------- d-----w- c:\program files\MiTek
    2013-10-22 02:35 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
    2013-10-10 04:37 . 2013-07-12 09:04 73344 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
    2013-10-10 04:37 . 2013-06-26 23:01 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2013-10-10 04:37 . 2013-06-04 01:49 293376 ----a-w- c:\windows\system32\atmfd.dll
    2013-10-10 04:37 . 2013-06-04 04:16 34304 ----a-w- c:\windows\system32\atmlib.dll
    2013-10-10 04:37 . 2013-07-04 04:21 532480 ----a-w- c:\windows\system32\comctl32.dll
    2013-10-10 04:37 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2013-10-10 04:37 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-10-08 23:04 . 2012-08-09 02:07 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-10-08 23:04 . 2012-07-11 01:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-10-02 13:53 . 2013-04-10 21:13 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-09-03 19:35 . 2009-10-02 19:35 238872 ------w- c:\windows\system32\MpSigStub.exe
    2013-08-30 07:48 . 2013-03-14 00:00 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2013-08-30 07:48 . 2011-04-21 01:41 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2013-08-30 07:48 . 2011-04-21 01:41 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2013-08-30 07:48 . 2013-03-14 00:00 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
    2013-08-30 07:48 . 2011-04-21 01:41 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2013-08-30 07:48 . 2011-04-21 01:41 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-08-30 07:48 . 2011-04-21 01:41 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2013-08-30 07:48 . 2011-04-21 01:41 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2013-08-30 07:47 . 2011-04-21 01:40 41664 ----a-w- c:\windows\avastSS.scr
    2013-08-30 07:47 . 2011-04-21 01:40 229648 ----a-w- c:\windows\system32\aswBoot.exe
    2013-08-22 12:40 . 2013-08-22 12:40 35288 ----a-w- c:\windows\system32\drivers\tap0901.sys
    2013-08-20 04:03 . 2013-08-20 04:03 3477508 ----a-w- c:\programdata\SPL2307.tmp
    2013-01-21 18:11 . 2013-01-21 18:09 31181592 ----a-w- c:\program files\DWFWriter4Setup.exe
    1999-03-25 01:06 . 2013-01-12 16:15 45056 ----a-w- c:\program files\ACETUTIL.ARX
    1999-03-25 01:06 . 2013-01-12 16:15 16384 ----a-w- c:\program files\ACETUTIL.DLL
    1999-03-18 15:17 . 2013-01-12 16:15 492032 ----a-w- c:\program files\SCRIPTPRO.EXE
    1999-03-06 11:25 . 2013-01-12 16:15 274 ----a-w- c:\program files\SAMPLE-DWFOUT.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-SAVEAS-2000.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-DXFOUT-2000.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R14.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R13.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R14.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R13.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R12.SCR
    2010-02-06 03:13 . 2013-07-02 22:24 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
    @="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
    [HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
    @="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
    [HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
    @="{A759AFF6-5851-457D-A540-F4ECED148351}"
    [HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
    @="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
    [HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
    "Akamai NetSession Interface"="c:\users\Adele S\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "chromium"="c:\program files\Google\Chrome\Application\chrome.exe" [2013-10-09 844752]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-13 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1386776]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "LXCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 106496]
    "lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2007-05-11 205744]
    "EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2007-05-11 103344]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
    "ADSK DLMSession"="c:\program files\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-05-15 1632216]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-04 295512]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Users^Adele S^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2006-11-10 20:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    Akamai REG_MULTI_SZ Akamai
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-10-18 03:25 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-11-04 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 23:04]
    .
    2013-11-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-21 18:31]
    .
    2013-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
    .
    2013-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
    .
    2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001Core.job
    - c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
    .
    2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001UA.job
    - c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
    .
    2011-01-16 c:\windows\Tasks\User_Feed_Synchronization-{53808186-85FD-435C-B61C-8FEB50FCB859}.job
    - c:\windows\system32\msfeedssync.exe [2012-05-05 01:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com
    mSearch Bar =
    uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
    uSearchAssistant = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{A8239FE3-DA45-4589-940D-16A3CBCA005B}: NameServer = 8.8.8.8
    FF - ProfilePath - c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
    FF - ExtSQL: 2013-11-03 13:31; {6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}; c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi
    FF - ExtSQL: !HIDDEN! 2009-06-28 18:46; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADScriptFile
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-AdobeBridge - (no file)
    HKCU-Run-OKAYFREEDOM_Agent - c:\program files\OkayFreedom\OkayFreedomClient.exe
    c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TunesNINJA.lnk - c:\users\Adele S\AppData\Roaming\TunesNINJA\TunesNINJA.exe
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MetroFax Printer.lnk - (no file)
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-11-04 17:03
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCICATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????`?2??????@???x?????????
    .
    scanning hidden files ...
    .
    .
    c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TunesNINJA.lnk 917 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2013-11-04 17:08:50
    ComboFix-quarantined-files.txt 2013-11-04 22:08
    ComboFix2.txt 2012-10-14 21:52
    .
    Pre-Run: 27,828,473,856 bytes free
    Post-Run: 32,814,706,688 bytes free
    .
    - - End Of File - - AA71F7F77E3FC052992A6E1774015992
    5B5E648D12FCADC244C1EC30318E1EB9
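The two ComboFix logs in this thread are read the same way every time: look at where each autostart image lives, whether the image has a full path at all, whether UAC is still on, whether anything is registered in AppInit_DLLs, and whether the IE proxy settings have been touched (note that the `127.0.0.1:9421` entry in `ProxyOverride` above is gone from the post-fix log). The script below is an added example, not code from this thread, from ComboFix or from the moderator's CFScript; it encodes those checks over a constructed sample written in ComboFix's "Reg Loading Points" / "Supplementary Scan" line format so it runs offline. The rule names and thresholds are the author's choices; the findings are triage flags for a human to confirm, not verdicts (Dropbox and Google Update legitimately autostart from AppData, and some OEM tray utilities really are registered by bare filename).

```python
import re
from typing import Dict, List

# Constructed sample in the shape of ComboFix's "Reg Loading Points" and
# "Supplementary Scan" sections (abridged from the log format above).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"Akamai NetSession Interface"="c:\users\Adele S\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
"NDSTray.exe"="NDSTray.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Anything under a user profile's AppData tree is writable without elevation,
# so an autostart image there deserves a second look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# A loopback host (optionally with a port) listed in the proxy bypass list.
LOOPBACK_HOST = re.compile(r"(^|;)\s*(127\.\d+\.\d+\.\d+|localhost)(:\d+)?\s*(;|$)", re.I)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: the registry key it was seen
    under, the value name, and a short reason a reviewer can act on."""
    findings: List[Dict[str, str]] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")          # remember the key for following values
            continue
        if line.startswith("uInternet Settings,ProxyOverride"):
            override = line.split("=", 1)[1].strip()
            if LOOPBACK_HOST.search(override):
                findings.append({"key": "IE ProxyOverride", "name": "ProxyOverride",
                                 "reason": "loopback host:port in proxy bypass list: " + override})
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue                      # separators, dates, anything else
        name, value = m.group("name"), m.group("value").strip()
        key_lc = key.lower()
        if key_lc.endswith("\\currentversion\\run"):
            # Run values are quoted paths followed by "[date size]"; strip both.
            path = value.split('"')[1] if value.startswith('"') and value.count('"') >= 2 else value
            if USER_WRITABLE.search(path):
                findings.append({"key": key, "name": name,
                                 "reason": "autostart image in user-writable profile path: " + path})
            elif "\\" not in path:
                findings.append({"key": key, "name": name,
                                 "reason": "autostart image has no directory (resolved by search path): " + path})
        elif key_lc.endswith("\\policies\\system") and name == "EnableLUA" and value.startswith("0"):
            findings.append({"key": key, "name": name, "reason": "UAC disabled (EnableLUA=0)"})
        elif key_lc.endswith("\\currentversion\\windows") and name == "AppInit_DLLs" and value:
            findings.append({"key": key, "name": name,
                             "reason": "AppInit_DLLs injects into every user32-loading process: " + value})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']:30} {f['reason']}")
```

Run it against a saved ComboFix.txt by replacing `SAMPLE_LOG` with the file contents; each flagged line still needs to be checked by hand against the vendor and the file's signature before anything is removed, which is exactly why the moderator asks for the quarantine zip rather than deleting on the strength of the log alone.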
     
  12. MacsVista

    MacsVista Thread Starter

    Joined:
    Oct 7, 2012
    Messages:
    74
    windows defender error :

    "application failed to initialize: 0x800106ba. a problem caused this program's service to stop.
    to start this service, restart your computer or search help and support for how to start a service manually."

    no joy with starting manually ?
     
  13. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,870
    windows defender is normally turned off when Avast or another antivirus is installed,
    but let's see if it comes back on after we fix this & then reboot again
    Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)
    Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
    Close any open browsers
    Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.
    [screenshot: CFScript.txt being dragged onto the ComboFix icon]
    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply


    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

    This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

    at the end it will pop up an alert & open your browser and ask you to send the zip file

    please follow those instructions. We need to see the zip file before we can carry on with the fix

    If there is no pop up alert or open browser then

    please go to
    http://www.bleepingcomputer.com/submit-malware.php?channel=38 and upload the file there
     

    Attached Files:

  14. MacsVista

    MacsVista Thread Starter

    Joined:
    Oct 7, 2012
    Messages:
    74
    rebooted and this:
    rndlresolversvc.exe stopped working and was closed

    then the same windows defender error above again.

    i'm going to try the script / zip instructions and repost.

    i don't know how long the defender issue has been going on, i only discovered it because of instructions to turn it off.

    i have been getting windows update errors for a few months. couldn't guess as to whether any of this is related.

    i'll post the update error codes in later post
     
  15. MacsVista

    MacsVista Thread Starter

    Joined:
    Oct 7, 2012
    Messages:
    74
    here is the new combo fix log:
    had error message part way through:
    'pev.3xe stopped working'
    process was stopped etc. etc

    ComboFix 13-11-03.02 - Adele S 11/04/2013 19:45:01.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3453.2244 [GMT -5:00]
    Running from: c:\users\Adele S\Desktop\ComboFix.exe
    Command switches used :: c:\users\Adele S\Desktop\Virus Nov 2013\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\etc\hosts.ics
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-10-05 to 2013-11-05 )))))))))))))))))))))))))))))))
    .
    .
    2013-11-05 01:00 . 2013-11-05 01:11 -------- d-----w- c:\users\Adele S\AppData\Local\temp
    2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Public\AppData\Local\temp
    2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Kyl\AppData\Local\temp
    2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2013-11-05 01:00 . 2013-11-05 01:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-11-04 18:40 . 2013-11-04 19:17 -------- d-----w- C:\AdwCleaner
    2013-11-04 02:26 . 2013-10-14 06:39 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D01154A-6815-4442-93CA-BBD04F5DA357}\mpengine.dll
    2013-11-03 19:01 . 2013-11-04 03:06 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos VPN
    2013-11-03 18:59 . 2013-11-03 18:59 -------- d-----w- c:\program files\Common Files\Steganos
    2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\NativeMessaging
    2013-11-03 18:55 . 2013-11-03 18:55 -------- d-----w- c:\users\Adele S\AppData\Local\CRE
    2013-11-03 18:53 . 2013-11-03 21:32 -------- d-----w- c:\users\Adele S\AppData\Roaming\Steganos
    2013-11-01 15:46 . 2013-11-01 15:46 -------- d-----w- c:\users\Adele S\AppData\Roaming\Oracle
    2013-11-01 05:00 . 2013-11-01 05:00 -------- d-----w- c:\programdata\Oracle
    2013-11-01 05:00 . 2013-10-08 11:50 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-10-22 03:32 . 2013-10-22 03:35 -------- d-----w- c:\users\Adele S\MiTek
    2013-10-22 02:37 . 2013-10-22 02:37 -------- d-----w- c:\program files\MiTek
    2013-10-22 02:35 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
    2013-10-10 04:37 . 2013-07-12 09:04 73344 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
    2013-10-10 04:37 . 2013-06-26 23:01 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2013-10-10 04:37 . 2013-06-04 01:49 293376 ----a-w- c:\windows\system32\atmfd.dll
    2013-10-10 04:37 . 2013-06-04 04:16 34304 ----a-w- c:\windows\system32\atmlib.dll
    2013-10-10 04:37 . 2013-07-04 04:21 532480 ----a-w- c:\windows\system32\comctl32.dll
    2013-10-10 04:37 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2013-10-10 04:37 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-10-08 23:04 . 2012-08-09 02:07 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-10-08 23:04 . 2012-07-11 01:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-10-02 13:53 . 2013-04-10 21:13 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
    2013-09-03 19:35 . 2009-10-02 19:35 238872 ------w- c:\windows\system32\MpSigStub.exe
    2013-08-30 07:48 . 2013-03-14 00:00 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
    2013-08-30 07:48 . 2011-04-21 01:41 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2013-08-30 07:48 . 2011-04-21 01:41 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2013-08-30 07:48 . 2013-03-14 00:00 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
    2013-08-30 07:48 . 2011-04-21 01:41 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2013-08-30 07:48 . 2011-04-21 01:41 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-08-30 07:48 . 2011-04-21 01:41 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2013-08-30 07:48 . 2011-04-21 01:41 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2013-08-30 07:47 . 2011-04-21 01:40 41664 ----a-w- c:\windows\avastSS.scr
    2013-08-30 07:47 . 2011-04-21 01:40 229648 ----a-w- c:\windows\system32\aswBoot.exe
    2013-08-22 12:40 . 2013-08-22 12:40 35288 ----a-w- c:\windows\system32\drivers\tap0901.sys
    2013-08-20 04:03 . 2013-08-20 04:03 3477508 ----a-w- c:\programdata\SPL2307.tmp
    2013-01-21 18:11 . 2013-01-21 18:09 31181592 ----a-w- c:\program files\DWFWriter4Setup.exe
    1999-03-25 01:06 . 2013-01-12 16:15 45056 ----a-w- c:\program files\ACETUTIL.ARX
    1999-03-25 01:06 . 2013-01-12 16:15 16384 ----a-w- c:\program files\ACETUTIL.DLL
    1999-03-18 15:17 . 2013-01-12 16:15 492032 ----a-w- c:\program files\SCRIPTPRO.EXE
    1999-03-06 11:25 . 2013-01-12 16:15 274 ----a-w- c:\program files\SAMPLE-DWFOUT.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-SAVEAS-2000.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 18 ----a-w- c:\program files\SAMPLE-DXFOUT-2000.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R14.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-SAVEAS-R13.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R14.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R13.SCR
    1999-03-06 11:25 . 2013-01-12 16:15 17 ----a-w- c:\program files\SAMPLE-DXFOUT-R12.SCR
    2010-02-06 03:13 . 2013-07-02 22:24 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
    2013-09-25 21:37 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
    @="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
    [HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
    @="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
    [HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
    @="{A759AFF6-5851-457D-A540-F4ECED148351}"
    [HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
    @="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
    [HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
    2013-01-24 08:02 383328 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
    "Akamai NetSession Interface"="c:\users\Adele S\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "chromium"="c:\program files\Google\Chrome\Application\chrome.exe" [2013-10-09 844752]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-13 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1386776]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "LXCICATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 106496]
    "lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2007-05-11 205744]
    "EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2007-05-11 103344]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
    "ADSK DLMSession"="c:\program files\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-05-15 1632216]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-04 295512]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Users^Adele S^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\Adele S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2006-11-10 20:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    Akamai REG_MULTI_SZ Akamai
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-10-18 03:25 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-11-04 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 23:04]
    .
    2013-11-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-21 18:31]
    .
    2013-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
    .
    2013-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-27 01:48]
    .
    2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001Core.job
    - c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
    .
    2013-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-658057386-4236903089-2978409280-1001UA.job
    - c:\users\Adele S\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-13 06:01]
    .
    2011-01-16 c:\windows\Tasks\User_Feed_Synchronization-{53808186-85FD-435C-B61C-8FEB50FCB859}.job
    - c:\windows\system32\msfeedssync.exe [2012-05-05 01:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com
    mSearch Bar =
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{A8239FE3-DA45-4589-940D-16A3CBCA005B}: NameServer = 8.8.8.8
    FF - ProfilePath - c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
    FF - ExtSQL: 2013-11-03 13:31; {6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}; c:\users\Adele S\AppData\Roaming\Mozilla\Firefox\Profiles\2rhp33hm.default\extensions\{6d96bb5e-1175-4ebf-8ab5-5f56f1c79f65}.xpi
    FF - ExtSQL: !HIDDEN! 2009-06-28 18:46; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-11-04 20:10
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCICATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????`?2??????@???x?????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5008)
    c:\users\Adele S\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    c:\program files\Common Files\Autodesk Shared\DWF Common\en-US\DWFShellExtensionRes.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Expat Shield\bin\openvpnas.exe
    c:\program files\Expat Shield\HssWPR\hsssrv.exe
    c:\program files\Expat Shield\bin\hsswd.exe
    c:\windows\system32\lxcicoms.exe
    c:\toshiba\IVP\ISM\pinger.exe
    c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe
    c:\toshiba\IVP\swupdate\swupdtmr.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Expat Shield\bin\openvpntray.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\Toshiba\ConfigFree\NDSTray.exe
    c:\program files\Synaptics\SynTP\SynToshiba.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2013-11-04 20:18:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-11-05 01:18
    ComboFix2.txt 2013-11-04 22:08
    ComboFix3.txt 2012-10-14 21:52
    .
    Pre-Run: 27,288,457,216 bytes free
    Post-Run: 27,070,464,000 bytes free
    .
    - - End Of File - - 901C91A21BCCF1811963B5805B9883FA
    5B5E648D12FCADC244C1EC30318E1EB9
     
Short URL to this thread: https://techguy.org/1112129