
trojan - cannot load programs .exe is gone

Discussion in 'Virus & Other Malware Removal' started by spqr05, Jan 24, 2013.

    spqr05 (Thread Starter):
    Hi there, my sister was sent an email from FedEx, a new one that's been going around. She now cannot load any program. Any time you click on a program, .exe has been removed and it asks me to choose which program I want to load. This is running Win 7, has ESET Smart Security and really needs some help. Please have a look at these files and let me know what I have to do to clean this up.

    The only way for me to run any of the programs for scanning is in safe mode. Otherwise, when I try to load the file, it loads Firefox and takes me to a Windows shell page.

    ESET said it found a trojan file in the C: programs memory and cannot remove it. I didn't want to delete it until I had instructions.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:27:16 PM, on 1/23/2013
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16457)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Users\Mary\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.toshiba.com/?cid=C001B2Y
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
    O4 - HKLM\..\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
    O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files (x86)\ACT\Act for Windows\Act.Outlook.Service.exe"
    O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files (x86)\ACT\Act for Windows\ActSage.exe" -preload
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Best Buy pc app] C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
    O4 - HKCU\..\Run: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
    O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    O4 - HKCU\..\Run: [sxduwjjc] "C:\Users\Mary\AppData\Local\cslrkkho.exe"
    O4 - HKCU\..\Run: [usare] rundll32.exe "C:\Users\Mary\AppData\Roaming\usare.dll",AAuxDecode
    O4 - HKCU\..\Run: [atudta] rundll32.exe "C:\Users\Mary\AppData\Roaming\atudta.dll",StrictErrors
    O4 - HKCU\..\Run: [msrog] rundll32.exe "C:\Users\Mary\AppData\Roaming\msrog.dll",set_convert_alpha
    O4 - HKCU\..\Run: [pcdfsvc] C:\ProgramData\pcdfdata\hfcwpngx.exe /min
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - .DEFAULT User Startup: Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (User 'Default user')
    O4 - Startup: Dropbox.lnk = Mary\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
    O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
    O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MIB0A5~1\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files (x86)\ACT\Act for Windows\Act.Scheduler.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\windows\SysWOW64\atashost.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
    O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
    O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 14188 bytes
    DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
    Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.11.2
    Run by Mary at 21:27:51 on 2013-01-23
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2807.2268 [GMT -8:00]
    .
    AV: ESET Smart Security 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET Smart Security 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\windows\System32\svchost.exe -k NetworkService
    C:\windows\SysWOW64\atashost.exe
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k secsvcs
    C:\windows\Explorer.EXE
    C:\windows\system32\ctfmon.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
    uProxyOverride = <local>;*.local
    mWinlogon: Userinit = userinit.exe
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {D5233FCD-D258-4903-89B8-FB1568E7413D} -
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
    BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    uRun: [Best Buy pc app] C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
    uRun: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
    uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    uRun: [sxduwjjc] "C:\Users\Mary\AppData\Local\cslrkkho.exe"
    uRun: [usare] rundll32.exe "C:\Users\Mary\AppData\Roaming\usare.dll",AAuxDecode
    uRun: [atudta] rundll32.exe "C:\Users\Mary\AppData\Roaming\atudta.dll",StrictErrors
    uRun: [msrog] rundll32.exe "C:\Users\Mary\AppData\Roaming\msrog.dll",set_convert_alpha
    uRun: [pcdfsvc] C:\ProgramData\pcdfdata\hfcwpngx.exe /min
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
    mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    mRun: [Nikon Transfer Monitor] C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
    mRun: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
    mRun: [Act.Outlook.Service] "C:\Program Files (x86)\ACT\Act for Windows\Act.Outlook.Service.exe"
    mRun: [Act! Preloader] "C:\Program Files (x86)\ACT\Act for Windows\ActSage.exe" -preload
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    StartupFolder: C:\Users\Mary\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Mary\AppData\Roaming\Dropbox\bin\Dropbox.exe
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} -
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: NameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    TCP: Interfaces\{726279E5-FFB9-4CBD-9E0E-57C0DE4D647F} : DHCPNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    TCP: Interfaces\{D8AE9D2D-B866-406D-8A33-671850716B6F} : DHCPNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    x64-mStart Page = hxxp://start.toshiba.com/
    x64-mDefault_Page_URL = hxxp://start.toshiba.com/
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll
    x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
    x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
    x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
    x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
    x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
    x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
    x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
    x64-Run: [SmartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
    x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
    x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
    x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
    x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    x64-Run: [Logitech Download Assistant] C:\windows\System32\rundll32.exe C:\windows\System32\LogiLDA.dll,LogiFetch
    x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
    x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\1xctbp1v.default\
    FF - component: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn\components\WCFirefoxExtn.dll
    FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\1xctbp1v.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
    FF - plugin: C:\Users\Mary\AppData\Roaming\Mozilla\plugins\npatgpc.dll
    FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
    FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
    FF - ExtSQL: 2013-01-23 16:50; {7e699d7c-f386-47ed-8efe-fe4e9b1ccc29}; C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\1xctbp1v.default\extensions\{7e699d7c-f386-47ed-8efe-fe4e9b1ccc29}.xpi
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R1 NEOFLTR_700_16899;Juniper Networks TDI Filter Driver (NEOFLTR_700_16899);C:\windows\System32\drivers\NEOFLTR_700_16899.SYS [2011-10-3 97912]
    R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2012-12-20 135272]
    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2011-4-20 169584]
    R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\windows\System32\drivers\LEqdUsb.sys [2010-8-24 74320]
    R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\windows\System32\drivers\LHidEqd.sys [2010-8-24 13392]
    R3 QIOMem;Generic IO & Memory Access;C:\windows\System32\drivers\QIOMem.sys [2009-6-15 12800]
    R3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2010-4-28 1109096]
    S2 ACT! Scheduler;ACT! Scheduler;C:\Program Files (x86)\ACT\Act for Windows\Act.Scheduler.exe [2009-8-24 81920]
    S2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2010-9-2 202752]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
    S2 eamonm;eamonm;C:\windows\System32\drivers\eamonm.sys [2010-9-3 170104]
    S2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2010-11-4 810144]
    S2 epfwwfp;epfwwfp;C:\windows\System32\drivers\epfwwfp.sys [2010-7-29 50624]
    S2 MSSQL$ACT7;SQL Server (ACT7);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
    S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
    S2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-12-13 3290896]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]
    S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2012-2-2 245760]
    S3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2010-9-2 35008]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2010-9-2 239136]
    S3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
    S3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
    S3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
    S3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
    S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
    S3 SrvHsfHDA;SrvHsfHDA;C:\windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
    S3 SrvHsfV92;SrvHsfV92;C:\windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
    S3 SrvHsfWinac;SrvHsfWinac;C:\windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
    S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-9-2 54136]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
    S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
    S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2011-6-9 59392]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-12-7 1255736]
    .
    =============== File Associations ===============
    .
    FileExt: .exe: 4g - HKCR\Unknown\Shell=C:\windows\System32\rundll32.exe C:\windows\System32\shell32.dll,OpenAs_RunDLL %1 [default=openas]
    .
    =============== Created Last 30 ================
    .
    2013-01-24 01:14:49 146 ----a-w- C:\Users\Mary\AppData\Roaming\wmiroe.dll
    2013-01-24 01:12:32 146 ----a-w- C:\Users\Mary\AppData\Roaming\urdri.dll
    2013-01-24 01:10:15 146 ----a-w- C:\Users\Mary\AppData\Roaming\cpbts.dll
    2013-01-24 01:07:58 146 ----a-w- C:\Users\Mary\AppData\Roaming\dghbal.dll
    2013-01-24 01:07:31 95648 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
    2013-01-24 01:05:41 146 ----a-w- C:\Users\Mary\AppData\Roaming\wspig.dll
    2013-01-24 01:03:24 146 ----a-w- C:\Users\Mary\AppData\Roaming\pcati.dll
    2013-01-24 00:56:29 146 ----a-w- C:\Users\Mary\AppData\Roaming\leuip.dll
    2013-01-24 00:53:56 146 ----a-w- C:\Users\Mary\AppData\Roaming\wompip.dll
    2013-01-24 00:52:02 -------- d-----w- C:\ProgramData\pcdfdata
    2013-01-24 00:51:24 146 ----a-w- C:\Users\Mary\AppData\Roaming\audepw.dll
    2013-01-24 00:50:58 334848 ----a-w- C:\Users\Mary\AppData\Roaming\msrog.dll
    2013-01-24 00:50:35 626688 ----a-w- C:\Users\Mary\AppData\Roaming\atudta.dll
    2013-01-24 00:49:38 175616 ----a-w- C:\Users\Mary\AppData\Roaming\usare.dll
    2013-01-22 18:23:53 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A6778D3A-5971-46D0-B2F8-F66F42E4A7F3}\mpengine.dll
    2013-01-21 22:53:52 -------- d-----w- C:\Users\Mary\AppData\Local\{C099D34A-12C2-4C1D-96BA-2E445895C73C}
    2013-01-19 16:44:48 -------- d-----w- C:\Users\Mary\AppData\Local\{3B6A0E78-8B49-4C60-A9C7-5A636EB0B8B8}
    2013-01-17 00:19:36 -------- d-----w- C:\Users\Mary\AppData\Local\{D5366707-E121-4544-B423-F1A2D6D1A2B5}
    2013-01-16 02:06:44 -------- d-----w- C:\Users\Mary\AppData\Local\{902D487A-3A1A-4A77-B1AF-62AD2BF87061}
    2013-01-10 23:33:58 -------- d-----w- C:\Users\Mary\AppData\Local\{DFE7A998-A523-4560-A222-104AACCB1D01}
    2013-01-08 21:41:26 750592 ----a-w- C:\windows\System32\win32spl.dll
    2013-01-08 21:41:25 492032 ----a-w- C:\windows\SysWow64\win32spl.dll
    2013-01-08 21:38:53 424448 ----a-w- C:\windows\System32\KernelBase.dll
    2013-01-08 21:36:44 68608 ----a-w- C:\windows\System32\taskhost.exe
    2013-01-08 21:36:40 3149824 ----a-w- C:\windows\System32\win32k.sys
    2013-01-06 22:04:45 859072 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
    2013-01-06 22:00:55 959976 ----a-w- C:\windows\System32\deployJava1.dll
    2013-01-06 22:00:55 1081320 ----a-w- C:\windows\System32\npDeployJava1.dll
    2013-01-06 22:00:21 108008 ----a-w- C:\windows\System32\WindowsAccessBridge-64.dll
    2012-12-29 22:16:34 -------- d-----w- C:\Users\Mary\AppData\Local\{4236BF05-E431-4282-8909-E33F39A13854}
    2012-12-28 20:32:20 -------- d-----w- C:\Users\Mary\AppData\Local\{20E6EC19-9ECF-417B-B701-05516FBCE321}
    2012-12-26 23:41:25 -------- d-----w- C:\Users\Mary\AppData\Local\{84A31D28-0000-4D40-9A94-EBA5B8698039}
    .
    ==================== Find3M ====================
    .
    2013-01-11 00:13:49 952 --sha-w- C:\ProgramData\KGyGaAvL.sys
    2013-01-09 02:56:15 74248 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-09 02:56:15 697864 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-06 22:04:03 779704 ----a-w- C:\windows\SysWow64\deployJava1.dll
    2012-12-21 03:52:27 135272 ----a-w- C:\windows\SysWow64\atashost.exe
    2012-12-21 03:52:26 218216 ----a-w- C:\windows\SysWow64\atsckernel.exe
    2012-12-16 17:11:22 46080 ----a-w- C:\windows\System32\atmlib.dll
    2012-12-16 14:45:03 367616 ----a-w- C:\windows\System32\atmfd.dll
    2012-12-16 14:13:28 295424 ----a-w- C:\windows\SysWow64\atmfd.dll
    2012-12-16 14:13:20 34304 ----a-w- C:\windows\SysWow64\atmlib.dll
    2012-12-07 13:20:16 441856 ----a-w- C:\windows\System32\Wpc.dll
    2012-12-07 13:15:31 2746368 ----a-w- C:\windows\System32\gameux.dll
    2012-12-07 12:26:17 308736 ----a-w- C:\windows\SysWow64\Wpc.dll
    2012-12-07 12:20:43 2576384 ----a-w- C:\windows\SysWow64\gameux.dll
    2012-12-07 11:20:04 30720 ----a-w- C:\windows\System32\usk.rs
    2012-12-07 11:20:03 43520 ----a-w- C:\windows\System32\csrr.rs
    2012-12-07 11:20:03 23552 ----a-w- C:\windows\System32\oflc.rs
    2012-12-07 11:20:01 45568 ----a-w- C:\windows\System32\oflc-nz.rs
    2012-12-07 11:20:01 44544 ----a-w- C:\windows\System32\pegibbfc.rs
    2012-12-07 11:20:01 20480 ----a-w- C:\windows\System32\pegi-fi.rs
    2012-12-07 11:20:00 20480 ----a-w- C:\windows\System32\pegi-pt.rs
    2012-12-07 11:19:59 20480 ----a-w- C:\windows\System32\pegi.rs
    2012-12-07 11:19:58 46592 ----a-w- C:\windows\System32\fpb.rs
    2012-12-07 11:19:57 40960 ----a-w- C:\windows\System32\cob-au.rs
    2012-12-07 11:19:57 21504 ----a-w- C:\windows\System32\grb.rs
    2012-12-07 11:19:57 15360 ----a-w- C:\windows\System32\djctq.rs
    2012-12-07 11:19:56 55296 ----a-w- C:\windows\System32\cero.rs
    2012-12-07 11:19:55 51712 ----a-w- C:\windows\System32\esrb.rs
    2012-11-30 05:45:35 362496 ----a-w- C:\windows\System32\wow64win.dll
    2012-11-30 05:45:35 243200 ----a-w- C:\windows\System32\wow64.dll
    2012-11-30 05:45:35 13312 ----a-w- C:\windows\System32\wow64cpu.dll
    2012-11-30 05:45:14 215040 ----a-w- C:\windows\System32\winsrv.dll
    2012-11-30 05:43:12 16384 ----a-w- C:\windows\System32\ntvdm64.dll
    2012-11-30 04:54:00 5120 ----a-w- C:\windows\SysWow64\wow32.dll
    2012-11-30 04:53:59 274944 ----a-w- C:\windows\SysWow64\KernelBase.dll
    2012-11-30 03:23:48 338432 ----a-w- C:\windows\System32\conhost.exe
    2012-11-30 02:44:06 25600 ----a-w- C:\windows\SysWow64\setup16.exe
    2012-11-30 02:44:04 7680 ----a-w- C:\windows\SysWow64\instnm.exe
    2012-11-30 02:44:04 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
    2012-11-30 02:44:03 2048 ----a-w- C:\windows\SysWow64\user.exe
    2012-11-30 02:38:59 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 02:38:59 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 02:38:59 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-30 02:38:59 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-11-22 05:44:23 800768 ----a-w- C:\windows\System32\usp10.dll
    2012-11-22 04:45:03 626688 ----a-w- C:\windows\SysWow64\usp10.dll
    2012-11-20 05:48:49 307200 ----a-w- C:\windows\System32\ncrypt.dll
    2012-11-20 04:51:09 220160 ----a-w- C:\windows\SysWow64\ncrypt.dll
    2012-11-14 06:11:44 2312704 ----a-w- C:\windows\System32\jscript9.dll
    2012-11-14 06:04:11 1392128 ----a-w- C:\windows\System32\wininet.dll
    2012-11-14 06:02:49 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
    2012-11-14 05:57:46 599040 ----a-w- C:\windows\System32\vbscript.dll
    2012-11-14 05:57:35 173056 ----a-w- C:\windows\System32\ieUnatt.exe
    2012-11-14 05:52:40 2382848 ----a-w- C:\windows\System32\mshtml.tlb
    2012-11-14 02:09:22 1800704 ----a-w- C:\windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
    2012-11-14 01:49:25 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27 420864 ----a-w- C:\windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:09 2048 ----a-w- C:\windows\System32\tzres.dll
    2012-11-09 04:42:49 2048 ----a-w- C:\windows\SysWow64\tzres.dll
    2012-11-02 05:59:11 478208 ----a-w- C:\windows\System32\dpnet.dll
    2012-11-02 05:11:31 376832 ----a-w- C:\windows\SysWow64\dpnet.dll
    2012-11-01 05:43:42 2002432 ----a-w- C:\windows\System32\msxml6.dll
    2012-11-01 05:43:42 1882624 ----a-w- C:\windows\System32\msxml3.dll
    2012-11-01 04:47:54 1389568 ----a-w- C:\windows\SysWow64\msxml6.dll
    2012-11-01 04:47:54 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll
    .
    ============= FINISH: 21:29:19.19 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/6/2010 12:57:53 AM
    System Uptime: 1/23/2013 9:20:36 PM (0 hours ago)
    .
    Motherboard: AMD Corp. | | Guam
    Processor: AMD Turion(tm) II P540 Dual-Core Processor | Socket S1G4 | 2394/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 287 GiB total, 208.959 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Security Processor Loader Driver
    Device ID: ROOT\LEGACY_SPLDR\0000
    Manufacturer:
    Name: Security Processor Loader Driver
    PNP Device ID: ROOT\LEGACY_SPLDR\0000
    Service: spldr
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: ehdrv
    Device ID: ROOT\LEGACY_EHDRV\0000
    Manufacturer:
    Name: ehdrv
    PNP Device ID: ROOT\LEGACY_EHDRV\0000
    Service: ehdrv
    .
    ==== System Restore Points ===================
    .
    RP264: 1/2/2013 9:21:19 AM - Windows Update
    RP265: 1/6/2013 1:59:11 PM - Installed Java 7 Update 10 (64-bit)
    RP266: 1/6/2013 2:03:46 PM - Installed Java 7 Update 10
    RP267: 1/8/2013 1:34:34 PM - Windows Update
    RP268: 1/9/2013 11:12:05 AM - Windows Update
    RP269: 1/15/2013 1:14:52 PM - Windows Update
    RP270: 1/18/2013 1:49:52 PM - Windows Update
    RP271: 1/22/2013 10:22:15 AM - Windows Update
    RP272: 1/23/2013 5:04:28 PM - Installed Java 7 Update 11
    .
    ==== Installed Programs ======================
    .
    ACT! by Sage 2010
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Amazon MP3 Downloader 1.0.15
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    ATI Catalyst Install Manager
    Best Buy pc app
    Bonjour
    Brother MFL-Pro Suite MFC-495CW
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility64
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Cisco Powerline AV Utility
    Cisco WebEx Meetings
    Conexant HD Audio
    D3DX10
    Dropbox
    eReg
    ESET Smart Security
    File Uploader
    GoToMeeting 5.1.0.880
    HL-2270DW
    iCloud
    iTunes
    Java 7 Update 10 (64-bit)
    Java 7 Update 11
    Java Auto Updater
    Java(TM) 6 Update 24
    Juniper Networks Network Connect 7.0.0
    Juniper Networks Secure Application Manager
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Junk Mail filter update
    [email protected] 1.0
    Logitech SetPoint 6.20
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Office Starter 2010 - English
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (ACT7)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MobileMe Control Panel
    Mozilla Firefox 18.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nikon Message Center
    Nikon Transfer
    PDF Settings
    Picture Control Utility
    PlayReady PC Runtime amd64
    QuickTime
    Realtek USB 2.0 Card Reader
    REALTEK Wireless LAN Driver
    Realtek WLAN Driver
    ROAM Data J2SE Player
    Safari
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Skype Click to Call
    Skype™ 5.10
    Stamps.com
    Stamps.com Application Support for Microsoft Outlook 2000-2010
    Stamps.com support for Microsoft Outlook 2000-2010
    Synaptics Pointing Device Driver
    TOSHIBA Application Installer
    TOSHIBA Assist
    Toshiba Book Place
    TOSHIBA Bulletin Board
    TOSHIBA Disc Creator
    TOSHIBA eco Utility
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    TOSHIBA HDD/SSD Alert
    TOSHIBA Media Controller
    TOSHIBA Media Controller Plug-in
    TOSHIBA PC Health Monitor
    TOSHIBA Quality Application
    TOSHIBA Recovery Media Creator
    TOSHIBA ReelTime
    TOSHIBA Service Station
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TOSHIBA Web Camera Application
    ToshibaRegistration
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    ViewNX
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/23/2013 9:23:52 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2013 9:23:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/23/2013 9:23:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/23/2013 9:23:50 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2013 9:23:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/23/2013 9:23:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/23/2013 9:21:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ehdrv spldr Wanarpv6
    1/23/2013 9:21:12 PM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2013 5:02:51 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}. The error: "5" Happened while starting this command: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -Embedding
    1/18/2013 1:38:39 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The pipe has been ended.
    1/18/2013 1:38:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "109" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
    .
    ==== End Of File ===========================




    GMER 2.0.18444 - http://www.gmer.net
    Rootkit scan 2013-01-23 21:38:39
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545032B9A300 rev.PB3OC64G 298.09GB
    Running: jo9juojr.exe; Driver: C:\Users\Mary\AppData\Local\Temp\pgrdykob.sys


    ---- Threads - GMER 2.0 ----

    Thread C:\windows\System32\svchost.exe [1464:1536] 000007fef9e79688
    ---- Processes - GMER 2.0 ----

    Library ? (*** suspicious ***) @ C:\windows\System32\svchost.exe [1464] 000007fefe290000

    ---- EOF - GMER 2.0 ----
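The DDS lines above already tell most of the story: `.exe` resolves to a ProgID called `4g` instead of `exefile` (which is why every program launch falls through to the "Open with" dialog), and twelve randomly named DLLs were written straight into the root of `%APPDATA%` within about 25 minutes, nine of them exactly 146 bytes. The following Python is an added triage example for this thread, not code from DDS, HijackThis, ESET or any poster; the sample lines are copied from the log in the first post, and the rules (a DLL directly under `AppData\Roaming`, at least three files of identical size, the time span) are the author's assumptions about what an analyst flags here.

```python
"""
Triage of the DDS "Created Last 30" and "File Associations" lines in this thread.

Added example, not DDS/HijackThis/ESET code. SAMPLE_DDS is copied from the log
posted above; the flagging rules (DLL dropped into the %APPDATA% root, same-size
clusters, time span) are assumptions chosen to match what an analyst looks for.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_DDS = r"""
FileExt: .exe: 4g - HKCR\Unknown\Shell=C:\windows\System32\rundll32.exe C:\windows\System32\shell32.dll,OpenAs_RunDLL %1 [default=openas]
2013-01-24 01:14:49 146 ----a-w- C:\Users\Mary\AppData\Roaming\wmiroe.dll
2013-01-24 01:12:32 146 ----a-w- C:\Users\Mary\AppData\Roaming\urdri.dll
2013-01-24 01:10:15 146 ----a-w- C:\Users\Mary\AppData\Roaming\cpbts.dll
2013-01-24 01:07:58 146 ----a-w- C:\Users\Mary\AppData\Roaming\dghbal.dll
2013-01-24 01:07:31 95648 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-24 01:05:41 146 ----a-w- C:\Users\Mary\AppData\Roaming\wspig.dll
2013-01-24 01:03:24 146 ----a-w- C:\Users\Mary\AppData\Roaming\pcati.dll
2013-01-24 00:56:29 146 ----a-w- C:\Users\Mary\AppData\Roaming\leuip.dll
2013-01-24 00:53:56 146 ----a-w- C:\Users\Mary\AppData\Roaming\wompip.dll
2013-01-24 00:52:02 -------- d-----w- C:\ProgramData\pcdfdata
2013-01-24 00:51:24 146 ----a-w- C:\Users\Mary\AppData\Roaming\audepw.dll
2013-01-24 00:50:58 334848 ----a-w- C:\Users\Mary\AppData\Roaming\msrog.dll
2013-01-24 00:50:35 626688 ----a-w- C:\Users\Mary\AppData\Roaming\atudta.dll
2013-01-24 00:49:38 175616 ----a-w- C:\Users\Mary\AppData\Roaming\usare.dll
2013-01-22 18:23:53 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A6778D3A-5971-46D0-B2F8-F66F42E4A7F3}\mpengine.dll
"""

# "<date> <time> <size or -------- for a directory> <attrs> <path>"
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+|-+)\s+(\S+)\s+(.+?)\s*$")
FILEEXT_RE = re.compile(r"^FileExt:\s+\.exe:\s+(\S+)\s+-")
# A DLL sitting directly in the roaming profile root, not inside a vendor subfolder.
ROAMING_DLL_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.dll$", re.IGNORECASE)


def parse_entries(text):
    """One dict per 'Created Last 30' line; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": int(size) if size.isdigit() else None,
            "attrs": attrs,
            "path": path,
        })
    return entries


def exe_progid(text):
    """ProgID that .exe resolves to; on a clean Windows install this is 'exefile'."""
    for line in text.splitlines():
        m = FILEEXT_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def triage(text, min_cluster=3):
    """Flag DLLs dropped into the %APPDATA% root, grouped by identical size,
    plus the time span of the drop and whether .exe is hijacked."""
    dropped = [e for e in parse_entries(text) if ROAMING_DLL_RE.search(e["path"])]
    by_size = defaultdict(list)
    for e in dropped:
        by_size[e["size"]].append(e["path"].rsplit("\\", 1)[-1])
    clusters = {s: names for s, names in by_size.items() if len(names) >= min_cluster}
    span = 0
    if dropped:
        times = [e["when"] for e in dropped]
        span = int((max(times) - min(times)).total_seconds())
    progid = exe_progid(text)
    return {
        "roaming_dlls": sorted(e["path"] for e in dropped),
        "size_clusters": clusters,
        "span_seconds": span,
        "exe_progid": progid,
        "exe_hijacked": progid is not None and progid.lower() != "exefile",
    }


if __name__ == "__main__":
    r = triage(SAMPLE_DDS)
    print(f"{len(r['roaming_dlls'])} DLLs in %APPDATA% root, written over {r['span_seconds']} s")
    for size, names in r["size_clusters"].items():
        print(f"  {len(names)} files of exactly {size} bytes: {', '.join(names)}")
    print(".exe ->", r["exe_progid"], "(HIJACKED)" if r["exe_hijacked"] else "(ok)")
```

The point of flagging on location, size and timing rather than on names is that the names are random per victim, so a name-based signature is worthless; the three larger DLLs are the ones a `Run` key would plausibly load through `rundll32.exe` (the Malwarebytes log later in the thread shows exactly that for `usare.dll`), and the nine identical 146-byte files written minutes apart are the same dropper at work. The same function can be fed a full DDS log read from disk.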
     
  2. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    I posted on the 23rd but have not had any assistance. Can I get some assistance on this please???
     
  3. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Just replying, grabbing this one :)


    Will read thru it now, bear with me ;)
     
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Hiya

This is actually not a rare thing, I get many a week, and I can see how they grab you. However, they're not Word documents, they're actually exe's. I've been having a look at them in detail, so let's get her PC clean again :)


    One thing I will ask, which I just asked in the other thread, are you using the same router?

    --------------------

Okay, had a look, and yes, it's a large infection. So, let's begin :)


As you're in Safe Mode only, can you see if you can get this tool, and run as follows:


    Please download exeHelper to your desktop.
    If your AV program throws up a warning about the program, ignore the warning. Some AV's flag this program because of how it works... that's all.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of exehelperlog.txt ( Will be created in the directory where you ran exeHelper.com and should open at the end of the scan)
    Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together ( they will both be in the one file ).

    In your next reply, please submit:
    exehelperlog.txt



    ---

    I'll be home at 5pm GMT time tomorrow, so will have a look then :)

    eddie
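What exeHelper's "Resetting filetype association for .exe" step amounts to is putting two registry values back to the Windows defaults: `HKCR\.exe` must point at the ProgID `exefile`, and `HKCR\exefile\shell\open\command` must be `"%1" %*`. The Python below is an added example for this thread, not exeHelper's or Malwarebytes' code: it checks a `reg export`-style dump for the hijack and emits the `.reg` repair. The dump is constructed from the values reported in this thread's DDS log (ProgID `4g`) and in the Malwarebytes log posted later (an open command under `HKCR\.exe` pointing at `C:\ProgramData\pcdfdata\hfcwpngx.exe`); the repair values are the stock Windows defaults.

```python
"""
Check the .exe file association in a `reg export` dump and build the repair.

Added example, not exeHelper's or Malwarebytes' code. HIJACKED_EXPORT is
constructed from the values in this thread's DDS and Malwarebytes logs; the
repair values are stock Windows defaults.
"""
import re

GOOD_PROGID = "exefile"        # what HKCR\.exe points to on a clean system
GOOD_OPEN_COMMAND = '"%1" %*'  # default of HKCR\exefile\shell\open\command
EXT_KEY = r"HKEY_CLASSES_ROOT\.exe"

# Constructed `reg export`-style dump modelled on the infected machine.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="4g"

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\ProgramData\\pcdfdata\\hfcwpngx.exe\" /ex \"%1\" %*"

[HKEY_CLASSES_ROOT\4g]
@="Application"

[HKEY_CLASSES_ROOT\4g\shell\open\command]
@="\"C:\\ProgramData\\pcdfdata\\hfcwpngx.exe\" /ex \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def reg_unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def open_cmd_key(progid):
    return f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command"


def parse_reg_export(text):
    """Map each key to its (Default) string; keys without one map to None."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            defaults.setdefault(key, None)
            continue
        m = DEFAULT_RE.match(line)
        if m and key is not None:
            defaults[key] = reg_unescape(m.group(1))
    return defaults


def check_exe_association(defaults):
    """Report every deviation from the defaults and the binary that was inserted."""
    progid = defaults.get(EXT_KEY)
    problems = []
    if progid != GOOD_PROGID:
        problems.append(f"HKCR\\.exe resolves to ProgID {progid!r}, expected {GOOD_PROGID!r}")
    open_cmd = defaults.get(open_cmd_key(progid)) if progid else None
    if open_cmd != GOOD_OPEN_COMMAND:
        problems.append(f"open command for {progid!r} is {open_cmd!r}, expected {GOOD_OPEN_COMMAND!r}")
    # A shell\open\command directly under the extension key is never there by default.
    ext_cmd = defaults.get(EXT_KEY + r"\shell\open\command")
    if ext_cmd is not None:
        problems.append(f"open command set directly under HKCR\\.exe: {ext_cmd!r}")
    launcher = None
    for cmd in (open_cmd, ext_cmd):
        m = re.match(r'^"([^"]+)"', cmd or "")
        if m and m.group(1) != "%1":
            launcher = m.group(1)   # the interposed binary, e.g. the rogue AV
    return {"progid": progid, "hijacked": bool(problems), "problems": problems, "launcher": launcher}


def repair_reg(defaults):
    """Emit a .reg file that drops the rogue keys and restores the defaults."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    progid = defaults.get(EXT_KEY)
    if progid and progid != GOOD_PROGID:
        lines += [f"[-HKEY_CLASSES_ROOT\\{progid}]", ""]   # leading '-' deletes the key
    if any(k.startswith(EXT_KEY + "\\shell") for k in defaults):
        lines += [f"[-{EXT_KEY}\\shell]", ""]
    lines += [f"[{EXT_KEY}]", f'@="{reg_escape(GOOD_PROGID)}"', "",
              f"[{open_cmd_key(GOOD_PROGID)}]", f'@="{reg_escape(GOOD_OPEN_COMMAND)}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = check_exe_association(parse_reg_export(HIJACKED_EXPORT))
    for p in found["problems"]:
        print("!", p)
    print("interposed launcher:", found["launcher"])
    print(repair_reg(parse_reg_export(HIJACKED_EXPORT)))
```

Two caveats when using this on a real machine. `HKCR` is a merged view of `HKLM\Software\Classes` and `HKCU\Software\Classes`, and the per-user branch wins, so export and inspect `HKCU\Software\Classes\.exe` as well as the machine branch before concluding the association is clean. And merge the repair only after the interposed binary has been removed and is no longer running: while the rogue launcher is alive it can simply rewrite the keys, which is why the helper here has you run exeHelper first and verify before moving on.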
     
  5. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
FYI I ran Malwarebytes Anti-Malware and SuperAntiSpyware after the previous post. We haven't used this computer, and it is on the same router as the others. You just worked on mine, plus I have my father's and another one. All are off while this one is used. I appreciate your help, but if you can let me know a good time to be available to work on this a little quicker, I will try, and I sure would appreciate it. Thanks again for your help. I don't know if this log is correct, as it doesn't say much.

    exeHelper by Raktor
    Build 20100414
    Run at 20:33:06 on 02/04/13
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Yep, no problem :)

Weekends I try and be here, but it's a busy time mostly :( Weekdays I'm here most nights, the exception being Fridays :)

    Just checked, and you're in the US, so there is a delay in time (I'm UK). However, I'll look as soon as I get home, and stay on from 5pm to 11pm GMT tomorrow :)

When you ran the other two programs, did they remove anything? If so, can you post the logs they created :)


    I'm assuming exe files are working, as although the above log is small, it looks like it worked.
    ---

Can you also do the following for me, as you'll probably do this when I'm asleep ;)


    Delete any copies of Combofix that you have.

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! As you download it rename it to username123.exe and save it to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Remember to re-enable the protection again afterwards before connecting to the Internet.
    • Double click on ComboFix.exe & follow the prompts.

• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    ----------------

    Download OTL to your Desktop

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Select
      All Users
      LOP Check
      Purity Check
    • Under the Standard Registry box change it to All
    • Please copy the text in the code box below and paste it in the Custom Scans/Fixes box in OTL:

      Code:
      netsvcs
      activex
      msconfig
      %SYSTEMDRIVE%\*.
      %PROGRAMFILES%\*.exe
      %LOCALAPPDATA%\*.exe
      %windir%\Installer\*.*
      %windir%\system32\tasks\*.*
      %windir%\system32\tasks\*.* /64
      %systemroot%\Fonts\*.exe
      %systemroot%\*. /mp /s
      /md5start
      consrv.dll
      explorer.exe
      winlogon.exe
      regedit.exe
      Userinit.exe
      svchost.exe
      services.exe
      user32.dll
      ATAPI.SYS
      /md5stop
      C:\Windows\assembly\tmp\U\*.* /s
      %Temp%\smtmp\1\*.*
      %Temp%\smtmp\2\*.*
      %Temp%\smtmp\3\*.*
      %Temp%\smtmp\4\*.*
      CREATERESTOREPOINT
      
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic


    eddie
     
  7. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Oh, and just to let you know, once this one is clean (I'll keep on this one the most), we'll finish up on yours and then have a look at the other two, if you prefer to check them :)
     
  8. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
FYI programs still will not load .exe. I have to run as admin in normal Windows versus Safe Mode. FYI I will look at this every day to make sure I don't miss this anymore.

    Malwarebytes Anti-Malware (Trial) 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.24.04

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Mary :: MARYS-TOSHIBA [administrator]

    Protection: Disabled

    1/23/2013 9:54:57 PM
    mbam-log-2013-01-23 (21-54-57).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 433859
    Time elapsed: 51 minute(s), 38 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|usare (Trojan.Medfos) -> Data: rundll32.exe "C:\Users\Mary\AppData\Roaming\usare.dll",AAuxDecode -> Quarantined and deleted successfully.
    HKCR\.exe| (Rogue.PCDefenderPlus) -> Data: 4g -> Delete on reboot.
    HKCR\.exe\shell\open\command| (Rogue.PCDefenderPlus) -> Data: "C:\ProgramData\pcdfdata\hfcwpngx.exe" /ex "%1" %* -> Quarantined and deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run|pcdfsvc (Rogue.PCDefenderPlus) -> Data: C:\ProgramData\pcdfdata\hfcwpngx.exe /min -> Quarantined and deleted successfully.

    Registry Data Items Detected: 2
    HKCR\.exe| (Hijacked.exeFile) -> Bad: (4g) Good: (exefile) -> Quarantined and repaired successfully.
    HKCR\.exe| (PUM.HijackExefiles) -> Bad: (4g) Good: (exefile) -> Quarantined and repaired successfully.

    Folders Detected: 1
    C:\ProgramData\pcdfdata (Rogue.PCDefenderPlus) -> Quarantined and deleted successfully.

    Files Detected: 6
    C:\Users\Mary\AppData\Roaming\usare.dll (Trojan.Medfos) -> Quarantined and deleted successfully.
    C:\ProgramData\pcdfdata\defs.bin (Rogue.PCDefenderPlus) -> Quarantined and deleted successfully.
    C:\ProgramData\pcdfdata\app.ico (Rogue.PCDefenderPlus) -> Quarantined and deleted successfully.
    C:\ProgramData\pcdfdata\support.ico (Rogue.PCDefenderPlus) -> Quarantined and deleted successfully.
    C:\ProgramData\pcdfdata\uninst.ico (Rogue.PCDefenderPlus) -> Quarantined and deleted successfully.
    C:\ProgramData\pcdfdata\vl.bin (Rogue.PCDefenderPlus) -> Quarantined and deleted successfully.

    (end)


    ComboFix 13-02-07.02 - Mary 02/08/2013 16:27:22.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2807.1374 [GMT -8:00]
    Running from: c:\users\Mary\Desktop\username234.exe
    AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
    SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\D4F7DB30EE.sys
    c:\users\Mary\AppData\Roaming\atudta.dll
    c:\users\Mary\AppData\Roaming\audepw.dll
    c:\users\Mary\AppData\Roaming\cpbts.dll
    c:\users\Mary\AppData\Roaming\dghbal.dll
    c:\users\Mary\AppData\Roaming\leuip.dll
    c:\users\Mary\AppData\Roaming\msrog.dll
    c:\users\Mary\AppData\Roaming\pcati.dll
    c:\users\Mary\AppData\Roaming\urdri.dll
    c:\users\Mary\AppData\Roaming\wmiroe.dll
    c:\users\Mary\AppData\Roaming\wompip.dll
    c:\users\Mary\AppData\Roaming\wspig.dll
    c:\windows\SysWow64\Packet.dll
    c:\windows\SysWow64\pthreadVC.dll
    c:\windows\SysWow64\wpcap.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-09 to 2013-02-09 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-09 00:36 . 2013-02-09 00:36 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2013-02-09 00:36 . 2013-02-09 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-01-24 05:47 . 2013-01-24 05:47 -------- d-----w- c:\users\Mary\AppData\Local\Programs
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-09 00:48 . 2012-05-05 02:10 952 --sha-w- c:\programdata\KGyGaAvL.sys
    2013-02-09 00:47 . 2013-02-09 00:47 8 --sh--r- c:\programdata\D4F7DB30EE.sys
    2013-01-12 11:30 . 2013-01-24 01:07 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2013-01-09 19:19 . 2010-12-06 21:35 67599240 ----a-w- c:\windows\system32\MRT.exe
    2013-01-09 02:56 . 2012-04-04 20:48 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-09 02:56 . 2011-05-13 23:43 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-01-08 05:32 . 2013-01-22 18:23 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A6778D3A-5971-46D0-B2F8-F66F42E4A7F3}\mpengine.dll
    2013-01-06 22:04 . 2013-01-06 22:04 859072 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
    2013-01-06 22:04 . 2011-01-20 19:30 779704 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2013-01-06 21:59 . 2013-01-06 22:00 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2013-01-06 21:59 . 2013-01-06 22:00 308200 ----a-w- c:\windows\system32\javaws.exe
    2013-01-06 21:59 . 2013-01-06 22:00 188392 ----a-w- c:\windows\system32\javaw.exe
    2013-01-06 21:59 . 2013-01-06 22:00 959976 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-06 21:59 . 2013-01-06 22:00 1081320 ----a-w- c:\windows\system32\npDeployJava1.dll
    2013-01-06 21:59 . 2013-01-06 22:00 188392 ----a-w- c:\windows\system32\java.exe
    2012-12-21 03:52 . 2012-12-21 03:52 135272 ----a-w- c:\windows\SysWow64\atashost.exe
    2012-12-21 03:52 . 2012-12-21 03:52 218216 ----a-w- c:\windows\SysWow64\atsckernel.exe
    2012-12-16 17:11 . 2012-12-20 21:29 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-16 14:45 . 2012-12-20 21:29 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-16 14:13 . 2012-12-20 21:29 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-16 14:13 . 2012-12-20 21:29 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-12-15 00:49 . 2011-05-13 21:03 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-07 13:20 . 2013-01-08 21:40 441856 ----a-w- c:\windows\system32\Wpc.dll
    2012-12-07 13:15 . 2013-01-08 21:40 2746368 ----a-w- c:\windows\system32\gameux.dll
    2012-12-07 12:26 . 2013-01-08 21:40 308736 ----a-w- c:\windows\SysWow64\Wpc.dll
    2012-12-07 12:20 . 2013-01-08 21:40 2576384 ----a-w- c:\windows\SysWow64\gameux.dll
    2012-12-07 11:20 . 2013-01-08 21:40 30720 ----a-w- c:\windows\system32\usk.rs
    2012-12-07 11:20 . 2013-01-08 21:40 43520 ----a-w- c:\windows\system32\csrr.rs
    2012-12-07 11:20 . 2013-01-08 21:40 23552 ----a-w- c:\windows\system32\oflc.rs
    2012-12-07 11:20 . 2013-01-08 21:40 45568 ----a-w- c:\windows\system32\oflc-nz.rs
    2012-12-07 11:20 . 2013-01-08 21:40 44544 ----a-w- c:\windows\system32\pegibbfc.rs
    2012-12-07 11:20 . 2013-01-08 21:40 20480 ----a-w- c:\windows\system32\pegi-fi.rs
    2012-12-07 11:20 . 2013-01-08 21:40 20480 ----a-w- c:\windows\system32\pegi-pt.rs
    2012-12-07 11:19 . 2013-01-08 21:40 20480 ----a-w- c:\windows\system32\pegi.rs
    2012-12-07 11:19 . 2013-01-08 21:40 46592 ----a-w- c:\windows\system32\fpb.rs
    2012-12-07 11:19 . 2013-01-08 21:40 40960 ----a-w- c:\windows\system32\cob-au.rs
    2012-12-07 11:19 . 2013-01-08 21:40 21504 ----a-w- c:\windows\system32\grb.rs
    2012-12-07 11:19 . 2013-01-08 21:40 15360 ----a-w- c:\windows\system32\djctq.rs
    2012-12-07 11:19 . 2013-01-08 21:40 55296 ----a-w- c:\windows\system32\cero.rs
    2012-12-07 11:19 . 2013-01-08 21:40 51712 ----a-w- c:\windows\system32\esrb.rs
    2012-12-07 10:46 . 2013-01-08 21:40 43520 ----a-w- c:\windows\SysWow64\csrr.rs
    2012-12-07 10:46 . 2013-01-08 21:40 30720 ----a-w- c:\windows\SysWow64\usk.rs
    2012-12-07 10:46 . 2013-01-08 21:40 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs
    2012-12-07 10:46 . 2013-01-08 21:40 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs
    2012-12-07 10:46 . 2013-01-08 21:40 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs
    2012-12-07 10:46 . 2013-01-08 21:40 23552 ----a-w- c:\windows\SysWow64\oflc.rs
    2012-12-07 10:46 . 2013-01-08 21:40 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs
    2012-12-07 10:46 . 2013-01-08 21:40 46592 ----a-w- c:\windows\SysWow64\fpb.rs
    2012-12-07 10:46 . 2013-01-08 21:40 20480 ----a-w- c:\windows\SysWow64\pegi.rs
    2012-12-07 10:46 . 2013-01-08 21:40 21504 ----a-w- c:\windows\SysWow64\grb.rs
    2012-12-07 10:46 . 2013-01-08 21:40 40960 ----a-w- c:\windows\SysWow64\cob-au.rs
    2012-12-07 10:46 . 2013-01-08 21:40 15360 ----a-w- c:\windows\SysWow64\djctq.rs
    2012-12-07 10:46 . 2013-01-08 21:40 55296 ----a-w- c:\windows\SysWow64\cero.rs
    2012-12-07 10:46 . 2013-01-08 21:40 51712 ----a-w- c:\windows\SysWow64\esrb.rs
    2012-11-30 05:45 . 2013-01-08 21:38 362496 ----a-w- c:\windows\system32\wow64win.dll
    2012-11-30 05:45 . 2013-01-08 21:38 243200 ----a-w- c:\windows\system32\wow64.dll
    2012-11-30 05:45 . 2013-01-08 21:38 13312 ----a-w- c:\windows\system32\wow64cpu.dll
    2012-11-30 05:45 . 2013-01-08 21:38 215040 ----a-w- c:\windows\system32\winsrv.dll
    2012-11-30 05:43 . 2013-01-08 21:38 16384 ----a-w- c:\windows\system32\ntvdm64.dll
    2012-11-30 05:41 . 2013-01-08 21:38 424448 ----a-w- c:\windows\system32\KernelBase.dll
    2012-11-30 05:41 . 2013-01-08 21:38 1161216 ----a-w- c:\windows\system32\kernel32.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2012-11-30 05:38 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
    2012-11-30 04:54 . 2013-01-08 21:38 5120 ----a-w- c:\windows\SysWow64\wow32.dll
    2012-11-30 04:53 . 2013-01-08 21:38 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll
    2012-11-30 04:45 . 2013-01-08 21:38 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-08 21:38 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Mary\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Mary\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\Mary\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Acrobat Synchronizer"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2010-10-25 1216416]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
    "ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
    "TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "Nikon Transfer Monitor"="c:\program files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
    "BrMfcWnd"="c:\program files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" [2009-08-03 1167360]
    "ControlCenter3"="c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-10-25 932288]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
    "BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
    "Act.Outlook.Service"="c:\program files (x86)\ACT\Act for Windows\Act.Outlook.Service.exe" [2009-08-24 28672]
    "Act! Preloader"="c:\program files (x86)\ACT\Act for Windows\ActSage.exe" [2009-08-24 331776]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Mary\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R2 ACT! Scheduler;ACT! Scheduler;c:\program files (x86)\ACT\Act for Windows\Act.Scheduler.exe [2009-08-24 81920]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]
    R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-25 245760]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-02-09 239136]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-07 1255736]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-07-29 141264]
    S1 NEOFLTR_700_16899;Juniper Networks TDI Filter Driver (NEOFLTR_700_16899);c:\windows\system32\Drivers\NEOFLTR_700_16899.SYS [2010-10-23 97912]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-15 202752]
    S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe [2012-12-21 135272]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-09-03 170104]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2010-11-05 810144]
    S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-07-29 50624]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-15 398184]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-15 682344]
    S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-01-31 3289208]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]
    S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2011-04-20 169584]
    S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [2010-08-24 74320]
    S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [2010-08-24 13392]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-15 24176]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
    S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2009-06-15 12800]
    S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-01-05 1109096]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
    S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-05 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 02:56]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Mary\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Mary\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Mary\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 162552 ----a-w- c:\users\Mary\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
    "TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-11-05 2919168]
    "Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1680976]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    FF - ProfilePath - c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\1xctbp1v.default\
    FF - ExtSQL: !HIDDEN! 2013-02-08 16:17; {7e699d7c-f386-47ed-8efe-fe4e9b1ccc29}; c:\users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\1xctbp1v.default\extensions\{7e699d7c-f386-47ed-8efe-fe4e9b1ccc29}.xpi
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe
    Wow6432Node-HKCU-Run-sxduwjjc - c:\users\Mary\AppData\Local\cslrkkho.exe
    Wow6432Node-HKCU-Run-atudta - c:\users\Mary\AppData\Roaming\atudta.dll
    Wow6432Node-HKCU-Run-msrog - c:\users\Mary\AppData\Roaming\msrog.dll
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    Toolbar-Locked - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
    HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
    HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
    HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
    HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    c:\program files (x86)\Brother\ControlCenter3\brccMCtl.exe
    .
    **************************************************************************
    .
    Completion time: 2013-02-08 16:54:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-02-09 00:54
    .
    Pre-Run: 225,493,934,080 bytes free
    Post-Run: 228,827,987,968 bytes free
    .
    - - End Of File - - 9E97EFBF06F9E65B32C98BF0F87304CA
     
  9. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    Would have liked to reply at the weekend, but was installing RAM and formatting this PC, as I'd had a few issues with it lately :(

    Anyway, back now, so read what you posted above :)

    Now, I do see that both ComboFix and MBAM removed (or tried to remove) an installed program that needs to be removed.

    Read the following removal instructions here, and when you've run MBAM on a Full scan, post the details here. Also, let me know if doing the below brings the .exe's back :)

    http://www.bleepingcomputer.com/virus-removal/remove-pc-defender-plus

    eddie
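A way to check, after following the guide linked above, whether the .exe association chain has really been restored rather than just the rogue's files being gone. This is an added PowerShell example; it is not part of the thread or of the Bleeping Computer guide. It audits the two values MBAM reported repairing (the .exe ProgID that had been set to "4g", and the shell\open\command that had been planted directly under .exe), plus the per-user override in HKCU\Software\Classes and the exefile command, and with -Repair writes the stock Windows 7 values back. The expected defaults, and the assumption that a clean profile has no HKCU\Software\Classes\.exe key at all, are mine and not from the page.

```powershell
# Added example, not from the thread: audit the .exe association chain that
# Rogue.PCDefenderPlus hijacked in the MBAM log above (HKCR\.exe -> "4g",
# HKCR\.exe\shell\open\command -> hfcwpngx.exe /ex "%1" %*) and optionally
# put the stock Windows 7 values back. Run from an elevated PowerShell.
# Assumptions: a clean profile has no HKCU\Software\Classes\.exe key, and the
# machine-wide defaults are .exe -> exefile, exefile\shell\open\command -> "%1" %*.
param([switch]$Repair)

$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'

# HKCR is a merged view; the user hive is checked first because an
# HKCU\Software\Classes\.exe entry overrides HKLM for that user.
$hives = @(
    @{ Name = 'HKCU'; Classes = 'HKCU:\Software\Classes' },
    @{ Name = 'HKLM'; Classes = 'HKLM:\Software\Classes' }
)

function Get-DefaultValue([string]$Key) {
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'(default)'
}

$findings = @()
foreach ($h in $hives) {
    $dotExe = Join-Path $h.Classes '.exe'
    $progId = Get-DefaultValue $dotExe

    if ($h.Name -eq 'HKCU' -and (Test-Path -LiteralPath $dotExe)) {
        $findings += "HKCU\Software\Classes\.exe exists (per-user override of the .exe type)"
    }
    if ($progId -and $progId -ne $ExpectedProgId) {
        $findings += "$($h.Name)\.exe ProgID is '$progId', expected '$ExpectedProgId'"
    }
    # A shell\open\command directly under .exe is what the rogue installed; it should not exist.
    $inlineCmd = Get-DefaultValue (Join-Path $dotExe 'shell\open\command')
    if ($inlineCmd) {
        $findings += "$($h.Name)\.exe\shell\open\command is set: $inlineCmd"
    }
    # Check exefile and, if .exe was redirected, the ProgID it now points to.
    $progIds = @($ExpectedProgId)
    if ($progId -and $progId -ne $ExpectedProgId) { $progIds += $progId }
    foreach ($id in $progIds) {
        $cmd = Get-DefaultValue (Join-Path $h.Classes "$id\shell\open\command")
        if ($cmd -and $cmd -ne $ExpectedCommand) {
            $findings += "$($h.Name)\$id\shell\open\command is '$cmd', expected '$ExpectedCommand'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host '.exe association chain matches the Windows defaults.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Repair -and $findings.Count -gt 0) {
    # Drop the per-user override so the machine-wide definition applies again.
    $userDotExe = 'HKCU:\Software\Classes\.exe'
    if (Test-Path -LiteralPath $userDotExe) { Remove-Item -LiteralPath $userDotExe -Recurse -Force }

    # Restore the machine-wide chain: .exe -> exefile, no inline command under .exe,
    # exefile\shell\open\command -> "%1" %*
    $machineDotExe = 'HKLM:\Software\Classes\.exe'
    if (-not (Test-Path -LiteralPath $machineDotExe)) { New-Item -Path $machineDotExe -Force | Out-Null }
    Set-ItemProperty -LiteralPath $machineDotExe -Name '(default)' -Value $ExpectedProgId
    $inlineShell = Join-Path $machineDotExe 'shell'
    if (Test-Path -LiteralPath $inlineShell) { Remove-Item -LiteralPath $inlineShell -Recurse -Force }

    $exefileCmd = 'HKLM:\Software\Classes\exefile\shell\open\command'
    if (-not (Test-Path -LiteralPath $exefileCmd)) { New-Item -Path $exefileCmd -Force | Out-Null }
    Set-ItemProperty -LiteralPath $exefileCmd -Name '(default)' -Value $ExpectedCommand
    Write-Host 'Defaults restored; run again without -Repair to confirm, then re-scan with MBAM.'
}
```

While the hijack is still active, anything launched through the shell (double-click, Start menu, the Run box) goes through the rogue's handler, which is exactly the symptom described at the top of the thread; start this from a cmd.exe window, which launches powershell.exe with CreateProcess rather than the file association, or from Safe Mode as the original poster did. The HKCU\...\Run\pcdfsvc entry in the MBAM log is a separate persistence mechanism and is not covered by this check.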
     
  10. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    I don't see the full instructions for MBAM
     
  11. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,718
    If you scroll down to the section:

    Automated Removal Instructions for PC Defender Plus using Malwarebytes Anti-Malware:

    it explains using rkill, and then MBAM.

    Ah, maybe it's me and my abbreviations, MBAM is Malwarebytes Anti-Malware ;)
     
  12. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    Eddie, I was able to figure it out, thanks for your help. Now the exe loads, at least Mozilla in normal mode. Word took 30 seconds to load, even the firewall config. I keep getting updates for Java, the jucheck. I will now run the updates for the update program you referred me to. In addition, I've attached a print screen of what my ESET found on 1/23/13.

    Is it ok to use this system and others on the same network now?
    FYI I will update the ESET to Smart Security 5.0 once we finish all the virus removal details. Plus I will post a scan of my father's laptop, as he was on this network and it was slowing down. If you could grab that one too, I will post some logs in the next few hours.

    Here is the MBAM
    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.02.12.02

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Mary :: MARYS-TOSHIBA [administrator]

    2/11/2013 8:49:16 PM
    mbam-log-2013-02-11 (20-49-16).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 432577
    Time elapsed: 48 minute(s), 49 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Thanks eddie.
     
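A small triage helper for the MBAM 1.x log format posted above, added here as an example (it is not from the thread and not from Malwarebytes). It parses the scan header and the per-category "Detected" counts, collects the item lines under each category, and applies the checks a helper makes before calling a scan clean: that it was a Full scan, that a summary is actually present (a truncated paste has none), that every category is zero, and that no listed item ended in "No action taken." The sample logs are constructed with placeholder user, paths and detection names; only the layout follows the log in the thread.

```python
# Triage a Malwarebytes Anti-Malware (MBAM) 1.x text log.
# Added example; the log layout mirrors the MBAM 1.70 format, the content is constructed.
import re

# Constructed sample with detections (placeholder user, paths and names).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.70.0.1100

Database version: v2013.02.12.02

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
EXAMPLEUSER :: EXAMPLE-PC [administrator]

2/11/2013 8:49:16 PM

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 432577
Time elapsed: 48 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\PLACEHOLDER\Example (Rogue.Example) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Users\EXAMPLEUSER\AppData\Roaming\placeholder\example.exe (Rogue.Example) -> Quarantined and deleted successfully.
C:\Users\EXAMPLEUSER\AppData\Roaming\placeholder\helper.dll (Rogue.Example) -> No action taken.

(end)
"""

# Constructed all-zero summary, the shape of the clean result posted in the thread.
CLEAN_LOG = r"""Database version: v2013.02.12.02
Scan type: Full scan (C:\|)
Objects scanned: 432577

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
"""

# Matches "Files Detected: 2", "Registry Data Items Detected: 0", ...
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<n>\d+)$")
HEADER_KEYS = ("Database version", "Scan type", "Scan options enabled",
               "Scan options disabled", "Objects scanned", "Time elapsed")
NOISE = {"(No malicious items detected)", "(end)"}


def parse_mbam_log(text):
    """Return {'header': {key: value}, 'counts': {category: int}, 'items': {category: [lines]}}."""
    header, counts, items = {}, {}, {}
    current = None  # category whose item lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in NOISE:
            continue
        m = COUNT_RE.match(line)
        if m:
            current = m.group("category")
            counts[current] = int(m.group("n"))
            items[current] = []
            continue
        key = next((k for k in HEADER_KEYS if line.startswith(k + ":")), None)
        if key is not None:
            header[key] = line[len(key) + 1:].strip()
        elif current is not None:
            items[current].append(line)  # one detected object in the current category
    return {"header": header, "counts": counts, "items": items}


def scan_verdict(parsed, expected_scan="Full scan"):
    """Checks before calling the machine clean: right scan type, a summary present,
    every category at zero, and nothing left at 'No action taken'."""
    problems = []
    scan_type = parsed["header"].get("Scan type", "")
    if not scan_type.startswith(expected_scan):
        problems.append("scan type was %r, expected %s" % (scan_type, expected_scan))
    if not parsed["counts"]:
        problems.append("no detection summary found; log may be truncated")
    for category, n in parsed["counts"].items():
        if n:
            problems.append("%d %s detected" % (n, category.lower()))
    pending = sum(1 for lines in parsed["items"].values()
                  for line in lines if line.endswith("No action taken."))
    if pending:
        problems.append("%d item(s) still present (No action taken)" % pending)
    return {"clean": not problems, "total_detected": sum(parsed["counts"].values()),
            "pending": pending, "problems": problems}


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        verdict = scan_verdict(parse_mbam_log(log))
        print(name, "clean" if verdict["clean"] else "NOT clean", verdict["problems"])
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; a log whose only non-zero lines end in "Quarantined and deleted successfully." still fails the verdict until a re-scan comes back at zero, which is the point of the Full scan Eddie asked for.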
  13. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    Here's the ESET quarantine log
     
  14. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    The log doesn't appear to be posting.
     
  15. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    FYI I have made a bunch of Windows updates and program updates.
     
Short URL to this thread: https://techguy.org/1086626
