1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Search Results Redirected

Discussion in 'Virus & Other Malware Removal' started by Voltman, Jun 28, 2012.

Thread Status:
Not open for further replies.
Advertisement
  1. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    Help Me please. This is what happened. Recently I noticed that most times whenever I closed firefox it would close but then a message would pop up saying the firefox unexpectedly crash. I also noticed most times whenever I double clicked a file or program to open it nothing happens or it takes a long time to open. Then MOST OF ALL I noticed that when I searched in Google I would get redirected when I click on the search result. This happened in FF, IE & Chrome. Even yahoo searches got redirected sometimes.
    I ran malwarebytes and this it what it found but the redirecting continues. My AVG found nothing.

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.14.03
    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    owner :: SQUISHY-PC [administrator]
    6/14/2012 12:35:35 PM
    mbam-log-2012-06-14 (12-35-35).txt
    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 529457
    Time elapsed: 2 hour(s), 48 minute(s), 11 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 1
    C:\Users\owner\AppData\Local\Trusteer\Symantec\pqkdeuds.dll (Trojan.Happili.XGen2) -> Delete on reboot.
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Symantec (Trojan.Happili.XGen2) -> Data: rundll32.exe "C:\Users\owner\AppData\Local\Trusteer\Symantec\pqkdeuds.dll",DllRegisterServer -> Quarantined and deleted successfully.
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 3
    C:\Users\owner\AppData\Local\Trusteer\Symantec\pqkdeuds.dll (Trojan.Happili.XGen2) -> Delete on reboot.
    C:\Users\owner\AppData\Local\Temp\0.09657425341636117 (Trojan.Happili) -> Quarantined and deleted successfully.
    C:\Users\owner\AppData\Local\Temp\nseD9DC.tmp\pqkdeuds.dll (Trojan.Happili.XGen2) -> Quarantined and deleted successfully.
    (end)




    Here is the Hijackthis log.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:11:56 AM, on 6/28/2012
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v9.00 (9.00.8112.16446)
    Boot mode: Normal
    Running processes:
    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
    C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe
    C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
    C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\WinZip\WZQKPICK.EXE
    C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
    C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
    C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
    C:\Users\owner\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
    R3 - URLSearchHook: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    O2 - BHO: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: GomPicker - {F0181C6E-9218-4792-9F3C-E8DF52B2F1AC} - C:\Program Files (x86)\GRETECH\GomPicker\GomPickerBHO.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe"
    O4 - HKLM\..\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [EasyTether] "C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe"
    O4 - HKCU\..\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
    O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    O4 - HKCU\..\Run: [SRSHDAudioLab] "C:\Program Files\SRS Labs\SRS Audio Essentials\AudioEssentials.exe" auto
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Dropbox.lnk = C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: AVer HID Receiver.lnk = C:\Program Files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files (x86)\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVerRemote - AVerMedia - C:\Program Files (x86)\Common Files\AVerMedia\Service\AVerRemote.exe
    O23 - Service: AVerScheduleService - Unknown owner - C:\Program Files (x86)\Common Files\AVerMedia\Service\AVerScheduleService.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Dragon Service (DragonSvc) - Nuance Communications, Inc. - C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
    O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_0dfb7520\STacSV64.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    --
    End of file - 16203 bytes

    HERE IS THE DDS TEXT REPORT

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by owner at 1:14:38 on 2012-06-28
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4085.1980 [GMT -4:00]
    .
    AV: AVG Anti-Virus 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_0dfb7520\STacSV64.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Windows\system32\agr64svc.exe
    C:\Windows\system32\svchost.exe -k apphost
    C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Common Files\AVerMedia\Service\AVerRemote.exe
    C:\Program Files (x86)\Common Files\AVerMedia\Service\AVerScheduleService.exe
    C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
    C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
    C:\Program Files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
    C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
    C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe
    C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
    C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\WinZip\WZQKPICK.EXE
    C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
    C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
    C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\ehome\ehsched.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
    uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: GretechBHO Class: {f0181c6e-9218-4792-9f3c-e8df52b2f1ac} - C:\Program Files (x86)\GRETECH\GomPicker\GomPickerBHO.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
    uRun: [EasyTether] "C:\Program Files (x86)\Mobile Stream\EasyTether\easytthr.exe"
    uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
    uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    uRun: [SRSHDAudioLab] "C:\Program Files\SRS Labs\SRS Audio Essentials\AudioEssentials.exe" auto
    uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe"
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    mRun: [<NO NAME>]
    mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [YMailAdvisor] "C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot
    mRun: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
    mRun: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    mRun: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
    StartupFolder: C:\Users\owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\Users\owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AVERHI~1.LNK - C:\Program Files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WINZIP~1.LNK - C:\Program Files (x86)\WinZip\WZQKPICK.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 216.144.187.199 24.229.54.212 204.186.80.229
    TCP: Interfaces\{23A725DD-0DC7-45CA-8E49-C565F56F2D7B} : DhcpNameServer = 192.168.42.129
    TCP: Interfaces\{65588BBB-788F-4FB4-8D1C-5E8A234EEFB5} : DhcpNameServer = 156.12.1.22 156.12.1.21
    TCP: Interfaces\{F29983B6-476C-421B-9D98-EBA961B2AE5A} : DhcpNameServer = 8.8.8.8 8.8.4.4
    TCP: Interfaces\{F39D6BC0-09A7-4964-B002-3B4FC3DCC504} : DhcpNameServer = 216.144.187.199 24.229.54.212 204.186.80.229
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - C:\Program Files (x86)\PixiePack Codec Pack\InstallerHelper.exe
    BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn5\yt.dll
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: GretechBHO Class: {F0181C6E-9218-4792-9F3C-E8DF52B2F1AC} - C:\Program Files (x86)\GRETECH\GomPicker\GomPickerBHO.dll
    BHO-X64: GomPicker - No File
    BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: SmartSelect - No File
    TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB-X64: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    mRun-x64: [(Default)]
    mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun-x64: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [YMailAdvisor] "C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe"
    mRun-x64: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot
    mRun-x64: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
    mRun-x64: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
    mRun-x64: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff4.dll
    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: C:\Program Files (x86)\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\real\realplayer\Netscape6\nprpjplug.dll
    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: C:\Users\owner\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 0da170fd-7c58-4a20-8358-7696c1457167
    FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R0 RapportKE64;RapportKE64;C:\Windows\system32\Drivers\RapportKE64.sys --> C:\Windows\system32\Drivers\RapportKE64.sys [?]
    R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);C:\Windows\system32\DRIVERS\tdrpm251.sys --> C:\Windows\system32\DRIVERS\tdrpm251.sys [?]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
    R1 RapportCerberus_34302;RapportCerberus_34302;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus64_34302.sys [2011-12-15 397520]
    R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2012-6-8 55096]
    R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2012-6-8 297048]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
    R2 afcdpsrv;Acronis Nonstop Backup service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-1-30 2326920]
    R2 AVerRemote;AVerRemote;C:\Program Files (x86)\Common Files\AVerMedia\Service\AVerRemote.exe [2010-4-27 344064]
    R2 AVerScheduleService;AVerScheduleService;C:\Program Files (x86)\Common Files\AVerMedia\Service\AVerScheduleService.exe [2010-4-27 405504]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-8-8 4433248]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
    R2 DragonSvc;Dragon Service;C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe [2010-7-23 296808]
    R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-9-15 88576]
    R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-6-8 976728]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-6-23 1153368]
    R3 afcdp;afcdp;C:\Windows\system32\DRIVERS\afcdp.sys --> C:\Windows\system32\DRIVERS\afcdp.sys [?]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
    R3 easytether;easytether;C:\Windows\system32\DRIVERS\easytthr.sys --> C:\Windows\system32\DRIVERS\easytthr.sys [?]
    R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AVer7231_x64;AVerMedia 7231 capture service;C:\Windows\system32\DRIVERS\AVer7231_x64.sys --> C:\Windows\system32\DRIVERS\AVer7231_x64.sys [?]
    S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60a.sys --> C:\Windows\system32\DRIVERS\b57nd60a.sys [?]
    S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-5-17 1436424]
    S3 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]
    S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-13 113120]
    S3 NETw4v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw4v64.sys --> C:\Windows\system32\DRIVERS\NETw4v64.sys [?]
    S3 PerfHost;Performance Counter DLL Host;C:\WINDOWS\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 SRS_AE_Service;SRS Audio Essentials;C:\Windows\system32\drivers\SRS_AE_amd64.sys --> C:\Windows\system32\drivers\SRS_AE_amd64.sys [?]
    S3 SRS_HDAL_Service;HD Audio Lab;C:\Windows\system32\drivers\SRS_HDAL_amd64.sys --> C:\Windows\system32\drivers\SRS_HDAL_amd64.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-18 89920]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2012-06-26 04:17:42 -------- d-----w- C:\Program Files\Enigma Software Group
    2012-06-25 04:43:44 -------- d-----w- C:\Windows\18F97AF04F884494AFE25A5702E142CC.TMP
    2012-06-25 04:43:38 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
    2012-06-23 19:23:00 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2012-06-23 19:23:00 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2012-06-22 15:47:57 -------- d-----w- C:\Users\owner\AppData\Local\{12BD4A2E-0CCA-4861-B9A7-54244FDCD623}
    2012-06-22 15:47:40 -------- d-----w- C:\Users\owner\AppData\Local\{6011A543-20A9-4D34-A9A6-D0BDE50043A2}
    2012-06-20 23:55:59 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-20 23:55:59 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-19 16:39:48 -------- d-----w- C:\Users\owner\AppData\Local\Macromedia
    2012-06-14 20:14:15 -------- d-----w- C:\Windows\pss
    2012-06-14 11:49:13 -------- d-----w- C:\Program Files (x86)\Dropbox
    2012-06-14 11:28:09 -------- d-----w- C:\Program Files\iPod
    2012-06-14 11:28:00 -------- d-----w- C:\Program Files\iTunes
    2012-06-14 11:28:00 -------- d-----w- C:\Program Files (x86)\iTunes
    2012-06-14 07:48:46 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-06-14 04:49:59 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
    2012-06-14 04:43:08 209920 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-06-14 04:43:06 2767360 ----a-w- C:\Windows\System32\win32k.sys
    2012-06-14 04:42:05 984064 ----a-w- C:\Windows\SysWow64\crypt32.dll
    2012-06-14 04:42:05 98304 ----a-w- C:\Windows\SysWow64\cryptnet.dll
    2012-06-14 04:42:05 174592 ----a-w- C:\Windows\System32\cryptsvc.dll
    2012-06-14 04:42:05 133120 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
    2012-06-14 04:42:05 132096 ----a-w- C:\Windows\System32\cryptnet.dll
    2012-06-14 04:42:05 1267200 ----a-w- C:\Windows\System32\crypt32.dll
    2012-06-14 04:39:17 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-06-14 01:46:19 -------- d-----w- C:\Program Files (x86)\NortonInstaller
    2012-06-13 23:46:34 -------- d-----w- C:\Users\owner\AppData\Local\Real
    2012-06-07 15:28:45 -------- d-----w- C:\Users\owner\AppData\Roaming\WildTangent
    .
    ==================== Find3M ====================
    .
    2012-06-15 23:53:08 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-15 23:53:08 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-06-09 01:42:30 101400 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys
    2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-06-02 22:12:13 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
    2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-06-02 19:19:42 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
    2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-06-02 19:12:20 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
    2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
    2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-05-07 16:35:29 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-19 00:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2012-04-19 00:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2012-04-03 08:22:15 4699520 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-03-30 12:45:03 1423744 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-06-18 23:54:22 774144 ----a-w- C:\Program Files (x86)\RngInterstitial.dll
    .
    ============= FINISH: 1:15:58.29 ===============

    Since I'm running VISTA x64 I did not download GMER per the instructions
     

    Attached Files:

  2. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi and welcome,

    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • when the window opens, click on Change Parameters
    • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
    • click OK
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Attach the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    ----------
     
  3. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    Thank you for responding so quickly.
    I ran TDSSKiller but no threats were discovered. I thought I should mention that when I'm viewing a web page, especially in IE9 (for more than 4 months now), I notice that any advertising that will be displayed on the page tends to flash (less than 1 second) on the left side of my screen. Not sure if this is relevant or a problem but I know it never used to happen last year.
     

    Attached Files:

  4. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Thanks for letting me know.

    Download Combofix from either of the links below, and save it to your desktop.
    Link 1
    Link 2

    **Note: It is important that it is saved directly to your desktop**
    If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
     
  5. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    I had some difficulty due to AVG only allowing me to turn it off for 15 mins maximum. Combo FIx went into a loop and was flashing and I had to to do a hard restart to stop it. I deleted and reinstalled combofix. This time I kept a timer and would reopen AVG at the 15 min mark and redisabled it. After combofix completed the scan my computer was automatically restarted and ComboFix generated the log at that point. Also AVG reactivated with the restart and I had to disable it again while the comboFix log was been created.

    ComboFix 12-06-28.03 - owner 06/28/2012 16:37:11.2.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4085.2301 [GMT -4:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\SysWow64\pthreadVC.dll
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-28 20:59 . 2012-06-28 21:04 -------- d-----w- c:\users\owner\AppData\Local\temp
    2012-06-28 20:59 . 2012-06-28 20:59 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-28 06:00 . 2012-06-28 06:00 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
    2012-06-26 04:17 . 2012-06-26 04:17 -------- d-----w- c:\program files\Enigma Software Group
    2012-06-25 04:43 . 2012-06-26 05:48 -------- d-----w- c:\windows\18F97AF04F884494AFE25A5702E142CC.TMP
    2012-06-25 04:43 . 2012-06-25 04:43 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-06-23 19:23 . 2012-06-24 18:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-23 19:23 . 2012-06-23 19:43 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-06-20 23:55 . 2012-06-20 23:55 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-20 23:55 . 2012-06-20 23:55 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-19 16:39 . 2012-06-19 16:39 -------- d-----w- c:\users\owner\AppData\Local\Macromedia
    2012-06-14 11:49 . 2012-06-14 11:49 -------- d-----w- c:\program files (x86)\Dropbox
    2012-06-14 11:28 . 2012-06-14 11:28 -------- d-----w- c:\program files\iPod
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files\iTunes
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files (x86)\iTunes
    2012-06-14 07:48 . 2012-05-18 01:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-14 04:49 . 2012-06-14 04:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-06-14 04:43 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-14 04:43 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
    2012-06-14 04:42 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-14 04:42 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-14 04:39 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-14 01:46 . 2012-06-14 01:48 -------- d-----w- c:\program files (x86)\NortonInstaller
    2012-06-13 23:46 . 2012-06-13 23:46 -------- d-----w- c:\users\owner\AppData\Local\Real
    2012-06-07 15:28 . 2012-06-07 15:29 -------- d-----w- c:\users\owner\AppData\Roaming\WildTangent
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-15 23:53 . 2012-04-02 02:40 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-15 23:53 . 2011-05-22 19:52 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-09 01:42 . 2011-04-01 15:48 101400 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2012-05-07 16:35 . 2012-04-02 03:35 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-04-03 08:22 . 2012-05-11 05:21 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-06-18 23:54 . 2011-06-18 23:55 774144 ----a-w- c:\program files (x86)\RngInterstitial.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
    .
    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    2010-04-27 14:08 2393184 ----a-w- c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
    .
    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
    "EasyTether"="c:\program files (x86)\Mobile Stream\EasyTether\easytthr.exe" [2011-05-22 48648]
    "iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-23 4786048]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
    "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "YMailAdvisor"="c:\program files (x86)\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-06 296056]
    "TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
    "DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
    .
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AVer HID Receiver.lnk - c:\program files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe [2010-4-27 159744]
    WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2009-7-14 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-01-30 2326920]
    S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-01-30 250400]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 20:04 8192 ----a-w- c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000Core.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    2012-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000UA.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 1021488]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
    "SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [2007-09-07 425984]
    "Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SYSTEM32\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 156.12.1.22 156.12.1.21
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 0da170fd-7c58-4a20-8358-7696c1457167
    FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-SRSHDAudioLab - c:\program files\SRS Labs\SRS Audio Essentials\AudioEssentials.exe
    Wow6432Node-HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe
    Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
    Wow6432Node-HKLM-Run-NBKeyScan - c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)
    HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-AVerMedia MCE Encoder x64 - c:\program files (x86)\AVerMedia\AVerMedia MCE Encoder x64\uninst.exe
    AddRemove-AVerMedia Media Center Plug-ins - c:\program files (x86)\AVerMedia\AVerMedia Media Center Plug-ins\uninst.exe
    AddRemove-AVerRadio - c:\program files (x86)\AVerMedia\AVerRadio\uninst.exe
    AddRemove-Yahoo! Mail - c:\windows\system32\regsvr32
    AddRemove-YInstHelper - c:\windows\system32\regsvr32
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
    c:\program files (x86)\Trusteer\Rapport\bin\RapportService.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerRemote.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerScheduleService.exe
    c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
    c:\program files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files (x86)\Common Files\Nuance\dgnsvc.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files (x86)\Internet Explorer\IELowutil.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-28 17:15:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-28 21:15
    .
    Pre-Run: 40,086,958,080 bytes free
    Post-Run: 39,871,234,048 bytes free
    .
    - - End Of File - - 19DCFC3934BEA75361318E4B3ED45AB9
     
  6. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    I would like you to know that while I while I was looking at the Malwarebyte quarantine log I can see that the happili trojan is still there, quarantined. Should I delete it now? Malwarebyte also crashed while I was viewing this log. This is not the first time that malwarebyte has unxepectedly crashed in the last 2 weeks.

    Trojan.Happili.XGen2 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Symantec
    Trojan.Happili.XGen2 C:\Users\Owner\AppData\local\Trusteer\Symantec\pqkdeuds.dll
    Trojan.Happili C:\Users\Owner\AppData\local\Temp\0.09657425341636117
    Trojan.Happili.XGen2 C:\Users\Owner\AppData\local\Temp\nseD9DC.tmp\pqkdeuds.dll
     
  7. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      DDS::
      uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
      uURLSearchHooks: H - No File
      mURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
      BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
      TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
      TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
      mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - C:\Program Files (x86)\PixiePack Codec Pack\InstallerHelper.exe
      BHO-X64: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
      TB-X64: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
      TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
      
      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
      "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"=-
      [-HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
      
      RegLock::
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
     
  8. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    Here's the next log


    ComboFix 12-06-28.03 - owner 06/28/2012 19:20:33.3.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4085.2135 [GMT -4:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-28 23:41 . 2012-06-28 23:48 -------- d-----w- c:\users\owner\AppData\Local\temp
    2012-06-28 23:41 . 2012-06-28 23:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-06-28 23:41 . 2012-06-28 23:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-28 06:00 . 2012-06-28 06:00 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
    2012-06-26 04:17 . 2012-06-26 04:17 -------- d-----w- c:\program files\Enigma Software Group
    2012-06-25 04:43 . 2012-06-26 05:48 -------- d-----w- c:\windows\18F97AF04F884494AFE25A5702E142CC.TMP
    2012-06-25 04:43 . 2012-06-25 04:43 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-06-23 19:23 . 2012-06-24 18:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-23 19:23 . 2012-06-23 19:43 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-06-20 23:55 . 2012-06-20 23:55 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-20 23:55 . 2012-06-20 23:55 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-19 16:39 . 2012-06-19 16:39 -------- d-----w- c:\users\owner\AppData\Local\Macromedia
    2012-06-14 11:49 . 2012-06-14 11:49 -------- d-----w- c:\program files (x86)\Dropbox
    2012-06-14 11:28 . 2012-06-14 11:28 -------- d-----w- c:\program files\iPod
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files\iTunes
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files (x86)\iTunes
    2012-06-14 07:48 . 2012-05-18 01:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-14 04:49 . 2012-06-14 04:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-06-14 04:43 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-14 04:43 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
    2012-06-14 04:42 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-14 04:42 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-14 04:39 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-14 01:46 . 2012-06-14 01:48 -------- d-----w- c:\program files (x86)\NortonInstaller
    2012-06-13 23:46 . 2012-06-13 23:46 -------- d-----w- c:\users\owner\AppData\Local\Real
    2012-06-07 15:28 . 2012-06-07 15:29 -------- d-----w- c:\users\owner\AppData\Roaming\WildTangent
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-15 23:53 . 2012-04-02 02:40 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-15 23:53 . 2011-05-22 19:52 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-09 01:42 . 2011-04-01 15:48 101400 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2012-05-07 16:35 . 2012-04-02 03:35 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-04-03 08:22 . 2012-05-11 05:21 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-06-18 23:54 . 2011-06-18 23:55 774144 ----a-w- c:\program files (x86)\RngInterstitial.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-28_21.04.09 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-06-28 21:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-06-28 23:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-06-28 23:44 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-06-28 21:01 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-06-28 23:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-06-28 21:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-06-28 23:47 98188 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2012-06-28 21:01 . 2012-06-28 21:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-06-28 23:44 . 2012-06-28 23:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-06-28 23:44 . 2012-06-28 23:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-06-28 21:01 . 2012-06-28 21:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 15:45 . 2012-06-28 23:47 120252 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2011-01-12 08:22 . 2012-06-28 20:59 459828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-01-12 08:22 . 2012-06-28 23:42 459828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-06-05 16:25 . 2012-06-28 21:00 27315012 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2300085172-2201734295-733428362-1000-4096.dat
    + 2011-06-05 16:25 . 2012-06-28 23:42 27315012 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2300085172-2201734295-733428362-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
    "EasyTether"="c:\program files (x86)\Mobile Stream\EasyTether\easytthr.exe" [2011-05-22 48648]
    "iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-23 4786048]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
    "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "YMailAdvisor"="c:\program files (x86)\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-06 296056]
    "TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
    "DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
    .
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AVer HID Receiver.lnk - c:\program files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe [2010-4-27 159744]
    WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2009-7-14 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-01-30 2326920]
    S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-01-30 250400]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    2008-06-18 20:04 8192 ----a-w- c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000Core.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    2012-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000UA.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 1021488]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
    "SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [2007-09-07 425984]
    "Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SYSTEM32\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 156.12.1.22 156.12.1.21
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 0da170fd-7c58-4a20-8358-7696c1457167
    FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
    c:\program files (x86)\Trusteer\Rapport\bin\RapportService.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerRemote.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerScheduleService.exe
    c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
    c:\program files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files (x86)\Common Files\Nuance\dgnsvc.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-28 19:57:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-28 23:57
    ComboFix2.txt 2012-06-28 21:15
    .
    Pre-Run: 39,900,184,576 bytes free
    Post-Run: 39,587,995,648 bytes free
    .
    - - End Of File - - 9D73DA1F9440F6DB8FB407E4DEB30DDB
     
  9. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe
      
      Registry::
      [-HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
     
  10. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    ComboFix 12-06-28.03 - owner 06/28/2012 20:43:41.4.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4085.2180 [GMT -4:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-29 01:05 . 2012-06-29 01:10 -------- d-----w- c:\users\owner\AppData\Local\temp
    2012-06-29 01:05 . 2012-06-29 01:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-06-29 01:05 . 2012-06-29 01:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-28 06:00 . 2012-06-28 06:00 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
    2012-06-26 04:17 . 2012-06-26 04:17 -------- d-----w- c:\program files\Enigma Software Group
    2012-06-25 04:43 . 2012-06-26 05:48 -------- d-----w- c:\windows\18F97AF04F884494AFE25A5702E142CC.TMP
    2012-06-25 04:43 . 2012-06-25 04:43 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-06-23 19:23 . 2012-06-24 18:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-23 19:23 . 2012-06-23 19:43 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-06-20 23:55 . 2012-06-20 23:55 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-20 23:55 . 2012-06-20 23:55 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-19 16:39 . 2012-06-19 16:39 -------- d-----w- c:\users\owner\AppData\Local\Macromedia
    2012-06-14 11:49 . 2012-06-14 11:49 -------- d-----w- c:\program files (x86)\Dropbox
    2012-06-14 11:28 . 2012-06-14 11:28 -------- d-----w- c:\program files\iPod
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files\iTunes
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files (x86)\iTunes
    2012-06-14 07:48 . 2012-05-18 01:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-14 04:49 . 2012-06-14 04:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-06-14 04:43 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-14 04:43 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
    2012-06-14 04:42 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-14 04:42 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-14 04:39 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-14 01:46 . 2012-06-14 01:48 -------- d-----w- c:\program files (x86)\NortonInstaller
    2012-06-13 23:46 . 2012-06-13 23:46 -------- d-----w- c:\users\owner\AppData\Local\Real
    2012-06-07 15:28 . 2012-06-07 15:29 -------- d-----w- c:\users\owner\AppData\Roaming\WildTangent
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-15 23:53 . 2012-04-02 02:40 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-15 23:53 . 2011-05-22 19:52 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-09 01:42 . 2011-04-01 15:48 101400 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2012-05-07 16:35 . 2012-04-02 03:35 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-04-03 08:22 . 2012-05-11 05:21 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-06-18 23:54 . 2011-06-18 23:55 774144 ----a-w- c:\program files (x86)\RngInterstitial.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-28_21.04.09 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-06-28 21:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-06-29 01:07 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-06-29 01:07 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-06-28 21:01 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-06-29 01:07 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-06-28 21:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-06-29 01:09 98268 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-04-03 12:49 . 2012-06-29 01:10 26554 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2300085172-2201734295-733428362-1000_UserData.bin
    - 2012-06-28 21:01 . 2012-06-28 21:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-06-29 01:07 . 2012-06-29 01:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-06-29 01:07 . 2012-06-29 01:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-06-28 21:01 . 2012-06-28 21:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 15:45 . 2012-06-29 01:09 120276 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-12 08:22 . 2012-06-29 01:05 459828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-01-12 08:22 . 2012-06-28 20:59 459828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-06-05 16:25 . 2012-06-28 23:42 27315012 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2300085172-2201734295-733428362-1000-4096.dat
    - 2011-06-05 16:25 . 2012-06-28 21:00 27315012 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2300085172-2201734295-733428362-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
    "EasyTether"="c:\program files (x86)\Mobile Stream\EasyTether\easytthr.exe" [2011-05-22 48648]
    "iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-23 4786048]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
    "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "YMailAdvisor"="c:\program files (x86)\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-06 296056]
    "TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
    "DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
    .
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AVer HID Receiver.lnk - c:\program files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe [2010-4-27 159744]
    WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2009-7-14 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-01-30 2326920]
    S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-01-30 250400]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000Core.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000UA.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 1021488]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
    "SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [2007-09-07 425984]
    "Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SYSTEM32\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 156.12.1.22 156.12.1.21
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 0da170fd-7c58-4a20-8358-7696c1457167
    FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Trusteer\Rapport\bin\RapportService.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerRemote.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerScheduleService.exe
    c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
    c:\program files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files (x86)\Common Files\Nuance\dgnsvc.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files (x86)\AVG\AVG2012\avgui.exe
    c:\program files (x86)\AVG\AVG2012\avgcfgex.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-28 21:20:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-29 01:20
    ComboFix2.txt 2012-06-28 23:57
    ComboFix3.txt 2012-06-28 21:15
    .
    Pre-Run: 39,629,819,904 bytes free
    Post-Run: 39,485,816,832 bytes free
    .
    - - End Of File - - AB4A029C04F11BAE8FE77E0DC324C96D
     
  11. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Malwarebytes

    I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
    ----------

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
    ----------

    In your next reply please post the logs made by Malwarebytes and ESET. :)
     
  12. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    I think the ESETScanner did not run exactly as the directions indicate.
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start (At this point the scan started and lasted 03:24:38)
    • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
    • Click Scan (This scan can take several hours, so please be patient) (I never saw this option)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • I found it on C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt. This log.txt did not seem to have much info in it but I'll let you be the judge of that. Here it is.
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK


    I noticed that ESET scan result showed infected Files: 13
    It gave an option to view list of found threats and to export to text file so I went ahead and exported the results to a text file and this is the result:
    C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
    C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
    C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
    C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\background.html Win32/BHO.OEI trojan
    C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\ContentScript.js Win32/BHO.OEI trojan
    C:\Users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\gadget.html JS/Agent.NCA trojan
    C:\Users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\settings.html JS/Agent.NCA trojan
    C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\extensions\[email protected] JS/Redirector.NBX trojan
    C:\Users\owner\Downloads\Nero8.exe Win32/Toolbar.AskSBar application
    C:\Users\owner\Downloads\winamp5581_full_bundle_emusic-7plus_en-us.exe Win32/OpenCandy application
    C:\Users\owner\Downloads\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application
    C:\Users\owner\Downloads\backups\backup-20120624-140959-475.dll a variant of Win32/Adware.Yontoo.A application

    Here is the Malwarebytes Report
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.06.23.06
    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    owner :: SQUISHY-PC [administrator]
    6/28/2012 9:38:36 PM
    mbam-log-2012-06-28 (21-38-36).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 224625
    Time elapsed: 5 minute(s), 56 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  13. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Good job getting that. :)
    -------------

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll 
      C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 
      C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll 
      C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 
      C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\background.html 
      C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\ContentScript.js 
      C:\Users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\gadget.html 
      C:\Users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\settings.html 
      C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\ex tensions\[email protected] 
      C:\Users\owner\Downloads\Nero8.exe 
      C:\Users\owner\Downloads\winamp5581_full_bundle_emusic-7plus_en-us.exe 
      C:\Users\owner\Downloads\winamp5621_full_emusic-7plus_all.exe 
      C:\Users\owner\Downloads\backups\backup-20120624-140959-475.dll 
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    In your next reply please post the new ComboFix log and let me know how your system is running. :)
     
  14. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    ComboFix 12-06-28.03 - owner 06/29/2012 8:07.5.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4085.1814 [GMT -4:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll"
    "c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
    "c:\users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll"
    "c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
    "c:\users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\background.html"
    "c:\users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\ContentScript.js"
    "c:\users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\gadget.html"
    "c:\users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\settings.html"
    "c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\ex tensions\[email protected]"
    "c:\users\owner\Downloads\backups\backup-20120624-140959-475.dll"
    "c:\users\owner\Downloads\Nero8.exe"
    "c:\users\owner\Downloads\winamp5581_full_bundle_emusic-7plus_en-us.exe"
    "c:\users\owner\Downloads\winamp5621_full_emusic-7plus_all.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
    c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    c:\users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
    c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    c:\users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\background.html
    c:\users\owner\AppData\Local\Google\Chrome\User Data\Default\Default\aagddadegfdadagcdegcdfgcdegfgedb\ContentScript.js
    c:\users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\gadget.html
    c:\users\owner\AppData\Local\Microsoft\Windows Sidebar\Gadgets\AVerRadio.Gadget\settings.html
    c:\users\owner\Downloads\backups\backup-20120624-140959-475.dll
    c:\users\owner\Downloads\Nero8.exe
    c:\users\owner\Downloads\winamp5581_full_bundle_emusic-7plus_en-us.exe
    c:\users\owner\Downloads\winamp5621_full_emusic-7plus_all.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-29 12:29 . 2012-06-29 12:34 -------- d-----w- c:\users\owner\AppData\Local\temp
    2012-06-29 12:29 . 2012-06-29 12:29 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-06-29 12:29 . 2012-06-29 12:29 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-29 01:47 . 2012-06-29 01:47 -------- d-----w- c:\program files (x86)\ESET
    2012-06-28 06:00 . 2012-06-28 06:00 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
    2012-06-26 04:17 . 2012-06-26 04:17 -------- d-----w- c:\program files\Enigma Software Group
    2012-06-25 04:43 . 2012-06-26 05:48 -------- d-----w- c:\windows\18F97AF04F884494AFE25A5702E142CC.TMP
    2012-06-25 04:43 . 2012-06-25 04:43 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-06-23 19:23 . 2012-06-24 18:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-23 19:23 . 2012-06-23 19:43 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-06-20 23:55 . 2012-06-20 23:55 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
    2012-06-20 23:55 . 2012-06-20 23:55 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
    2012-06-19 16:39 . 2012-06-19 16:39 -------- d-----w- c:\users\owner\AppData\Local\Macromedia
    2012-06-14 11:49 . 2012-06-14 11:49 -------- d-----w- c:\program files (x86)\Dropbox
    2012-06-14 11:28 . 2012-06-14 11:28 -------- d-----w- c:\program files\iPod
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files\iTunes
    2012-06-14 11:28 . 2012-06-14 11:29 -------- d-----w- c:\program files (x86)\iTunes
    2012-06-14 07:48 . 2012-05-18 01:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-14 04:49 . 2012-06-14 04:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-06-14 04:43 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-14 04:43 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
    2012-06-14 04:42 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-14 04:42 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-14 04:42 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-14 04:42 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-14 04:39 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-14 01:46 . 2012-06-14 01:48 -------- d-----w- c:\program files (x86)\NortonInstaller
    2012-06-13 23:46 . 2012-06-13 23:46 -------- d-----w- c:\users\owner\AppData\Local\Real
    2012-06-07 15:28 . 2012-06-07 15:29 -------- d-----w- c:\users\owner\AppData\Roaming\WildTangent
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-15 23:53 . 2012-04-02 02:40 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-06-15 23:53 . 2011-05-22 19:52 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-09 01:42 . 2011-04-01 15:48 101400 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2012-05-07 16:35 . 2012-04-02 03:35 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-04-03 08:22 . 2012-05-11 05:21 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-06-18 23:54 . 2011-06-18 23:55 774144 ----a-w- c:\program files (x86)\RngInterstitial.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-28_21.04.09 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 03:20 . 2012-06-29 12:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-06-28 21:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-06-28 21:01 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-06-29 12:31 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-06-29 12:31 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-06-28 21:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-06-29 12:33 98380 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-04-03 12:49 . 2012-06-29 12:33 26578 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2300085172-2201734295-733428362-1000_UserData.bin
    + 2012-06-29 12:31 . 2012-06-29 12:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-06-28 21:01 . 2012-06-28 21:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-06-28 21:01 . 2012-06-28 21:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-06-29 12:31 . 2012-06-29 12:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-03-27 13:55 . 2012-06-29 02:55 511952 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2006-11-02 15:45 . 2012-06-29 12:33 120324 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-12 08:22 . 2012-06-29 12:30 459828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-01-12 08:22 . 2012-06-28 20:59 459828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-06-05 16:25 . 2012-06-29 12:30 27658628 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2300085172-2201734295-733428362-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
    "EasyTether"="c:\program files (x86)\Mobile Stream\EasyTether\easytthr.exe" [2011-05-22 48648]
    "iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-23 4786048]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
    "AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "YMailAdvisor"="c:\program files (x86)\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-12-06 296056]
    "TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
    "DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
    .
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AVer HID Receiver.lnk - c:\program files (x86)\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe [2010-4-27 159744]
    WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2009-7-14 106560]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2011-01-30 2326920]
    S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-01-30 250400]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000Core.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2300085172-2201734295-733428362-1000UA.job
    - c:\users\owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-13 20:36]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\owner\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 1021488]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
    "SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [2007-09-07 425984]
    "Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SYSTEM32\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 216.144.187.199 24.229.54.212 204.186.80.229
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\5ey6g09o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 0da170fd-7c58-4a20-8358-7696c1457167
    FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Trusteer\Rapport\bin\RapportService.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerRemote.exe
    c:\program files (x86)\Common Files\AVerMedia\Service\AVerScheduleService.exe
    c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
    c:\program files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    c:\program files (x86)\Common Files\Nuance\dgnsvc.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    c:\program files\Camera Assistant Software for Gateway\CEC_MAIN.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    c:\program files (x86)\AVG\AVG2012\avgui.exe
    c:\program files (x86)\AVG\AVG2012\avgcfgex.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-29 08:44:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-29 12:44
    ComboFix2.txt 2012-06-29 01:20
    ComboFix3.txt 2012-06-28 23:57
    ComboFix4.txt 2012-06-28 21:15
    .
    Pre-Run: 39,335,677,952 bytes free
    Post-Run: 39,108,255,744 bytes free
    .
    - - End Of File - - 2F6FD34630305D8916B1E5B5F2DD9204
     
  15. Voltman

    Voltman Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    29
    My system is still not normal. Firefox google searches are still getting redirected.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1058865