TD_Mak

Posts posted by TD_Mak

  1. I posted a topic here a few days ago about MBAM repeatedly blocking chrome.exe from accessing 208.73.210.29, and I was being helped by Gringo. I ran Security Check, AdwCleaner, RogueKiller, ComboFix (once plain, once with a script), CCleaner, MBAM, and HijackThis (I still have the logs if needed). I also uninstalled and re-installed Java Update and JavaFX. The next step was to run ESET scanner, which I just did. The resulting log is below.

    Thanks!

    ESETSmartInstaller@High as downloader log:

    all ok

    # version=7

    # OnlineScannerApp.exe=1.0.0.1

    # OnlineScanner.ocx=1.0.0.6583

    # api_version=3.0.2

    # EOSSerial=aafa3e21c1f973419ebe9e9a9027c372

    # end=finished

    # remove_checked=false

    # archives_checked=false

    # unwanted_checked=true

    # unsafe_checked=true

    # antistealth_checked=true

    # utc_time=2012-11-04 05:34:13

    # local_time=2012-11-04 01:34:13 (-0500, Eastern Daylight Time)

    # country="United States"

    # lang=1033

    # osver=6.1.7600 NT

    # compatibility_mode=512 16777215 100 0 0 0 0 0

    # compatibility_mode=5893 16776574 100 94 70629261 103545802 0 0

    # compatibility_mode=8192 67108863 100 0 0 0 0 0

    # scanned=216859

    # found=6

    # cleaned=0

    # scan_time=4922

    C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan (unable to clean) 00000000000000000000000000000000 I

    C:\FRST\Quarantine\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\00000004.@ Win64/Conedex.C trojan (unable to clean) 00000000000000000000000000000000 I

    C:\FRST\Quarantine\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000032.@ a variant of Win32/Sirefef.FD trojan (unable to clean) 00000000000000000000000000000000 I

    C:\FRST\Quarantine\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000064.@ Win64/Sirefef.AN trojan (unable to clean) 00000000000000000000000000000000 I

    C:\Users\Sarah M\Downloads\soundeffects.exe a variant of Win32/InstallIQ application (unable to clean) 00000000000000000000000000000000 I

    C:\Users\Sarah M\Downloads\winamp558_full_emusic-7plus_en-us.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

  2. I'm posting the MBAM log below. Computer seems to be running fine--no pop-ups or redirects, no longer messing with the layout of my desktop, and Chrome seems happy. MS Security Essentials is telling me "the specified service does not exist as an installed service" when I try to run it... I'm guessing that could be fixed with a reinstall. I'll also re-install the Adobe products and Java.

    Thank you so much for your help, and especially for the prompt replies. Made my day (and week) a lot better. :)

    Malwarebytes Anti-Malware 1.62.0.1300

    www.malwarebytes.org

    Database version: v2012.07.25.07

    Windows 7 x64 NTFS

    Internet Explorer 8.0.7600.16385

    Sarah M :: JOLLYGREENGIANT [administrator]

    7/25/2012 2:48:42 PM

    mbam-log-2012-07-25 (14-48-42).txt

    Scan type: Quick scan

    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

    Scan options disabled: P2P

    Objects scanned: 197585

    Time elapsed: 2 minute(s), 44 second(s)

    Memory Processes Detected: 0

    (No malicious items detected)

    Memory Modules Detected: 0

    (No malicious items detected)

    Registry Keys Detected: 0

    (No malicious items detected)

    Registry Values Detected: 0

    (No malicious items detected)

    Registry Data Items Detected: 0

    (No malicious items detected)

    Folders Detected: 0

    (No malicious items detected)

    Files Detected: 0

    (No malicious items detected)

    (end)

  3. ComboFix.txt:

    ComboFix 12-07-26.03 - Sarah M 07/25/2012 13:40:34.1.4 - x64

    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3891.2058 [GMT -4:00]

    Running from: c:\users\Sarah M\Desktop\ComboFix.exe

    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    C:\Install.exe

    c:\windows\winhelp.ini

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))

    .

    .

    2012-07-25 19:20 . 2012-07-25 19:20 -------- d-----w- C:\FRST

    2012-07-25 18:17 . 2012-07-25 18:17 -------- d-----w- c:\users\Default\AppData\Local\temp

    2012-07-25 02:57 . 2012-07-25 03:54 -------- d-----w- c:\users\Sarah M\AppData\Roaming\GetRightToGo

    2012-07-25 00:36 . 2012-07-25 00:36 -------- d-----w- C:\TDSSKiller_Quarantine

    2012-07-22 20:55 . 2012-07-22 20:55 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

    2012-07-22 17:18 . 2012-07-22 17:18 -------- d-----w- c:\users\Sarah M\AppData\Roaming\Ad-Aware Antivirus

    2012-07-22 02:52 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0F930B5F-602B-40DC-B531-16393F82D83C}\mpengine.dll

    2012-07-20 00:13 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

    2012-07-18 20:17 . 2012-07-18 20:17 -------- d-----w- c:\program files\iPod

    2012-07-18 20:17 . 2012-07-18 20:18 -------- d-----w- c:\program files\iTunes

    2012-07-18 20:17 . 2012-07-18 20:18 -------- d-----w- c:\program files (x86)\iTunes

    2012-07-12 13:17 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys

    2012-07-11 03:02 . 2012-07-11 03:02 -------- d--h--w- c:\programdata\CanonIJSDU

    2012-07-06 13:25 . 2012-07-06 13:25 -------- d-----w- c:\program files (x86)\Common Files\Skype

    2012-07-04 17:33 . 2012-02-11 23:45 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B9D123A4-7336-4AE3-8072-AFBCA5F08F75}\gapaengine.dll

    2012-07-01 03:18 . 2012-07-01 03:18 -------- d-----w- c:\program files\Microsoft Silverlight

    2012-07-01 03:18 . 2012-07-01 03:18 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

    2012-07-01 02:30 . 2012-07-01 02:30 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll

    2012-07-01 02:30 . 2012-07-01 02:30 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-07-12 13:10 . 2010-08-22 01:12 59701280 ----a-w- c:\windows\system32\MRT.exe

    2012-07-03 17:46 . 2011-11-06 22:23 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-06-02 22:19 . 2012-06-22 12:36 38424 ----a-w- c:\windows\system32\wups.dll

    2012-06-02 22:19 . 2012-06-22 12:36 2428952 ----a-w- c:\windows\system32\wuaueng.dll

    2012-06-02 22:19 . 2012-06-22 12:36 44056 ----a-w- c:\windows\system32\wups2.dll

    2012-06-02 22:19 . 2012-06-22 12:36 57880 ----a-w- c:\windows\system32\wuauclt.exe

    2012-06-02 22:19 . 2012-06-22 12:36 701976 ----a-w- c:\windows\system32\wuapi.dll

    2012-06-02 22:15 . 2012-06-22 12:36 2622464 ----a-w- c:\windows\system32\wucltux.dll

    2012-06-02 22:15 . 2012-06-22 12:36 99840 ----a-w- c:\windows\system32\wudriver.dll

    2012-06-02 19:19 . 2012-06-22 12:35 186752 ----a-w- c:\windows\system32\wuwebv.dll

    2012-06-02 19:15 . 2012-06-22 12:35 36864 ----a-w- c:\windows\system32\wuapp.exe

    2012-05-17 13:50 . 2012-05-15 02:50 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll

    2012-05-15 03:56 . 2012-06-13 23:12 1197568 ----a-w- c:\windows\system32\wininet.dll

    2012-05-15 03:52 . 2012-06-13 23:12 64512 ----a-w- c:\windows\system32\jsproxy.dll

    2012-05-15 03:08 . 2012-06-13 23:12 981504 ----a-w- c:\windows\SysWow64\wininet.dll

    2012-05-06 01:20 . 2012-05-06 01:20 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

    2012-05-04 10:52 . 2012-06-13 23:12 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe

    2012-05-04 10:08 . 2012-06-13 23:12 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

    2012-05-04 10:08 . 2012-06-13 23:12 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

    2012-05-02 05:32 . 2012-06-13 23:12 208896 ----a-w- c:\windows\system32\profsvc.dll

    2012-04-28 03:50 . 2012-06-13 23:11 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

    2010-10-06 23:36 94208 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

    2010-10-06 23:36 94208 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

    2010-10-06 23:36 94208 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-09 39408]

    "boincmgr"="c:\program files (x86)\BOINC\boincmgr.exe" [2008-11-17 3916544]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

    "KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]

    "HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]

    "SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-23 352256]

    "ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]

    "TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]

    "QuickFinder Scheduler"="c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE" [1996-10-16 46080]

    "boinctray"="c:\program files (x86)\BOINC\boinctray.exe" [2008-11-17 58112]

    "MaxMenuMgr"="c:\program files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-25 185640]

    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]

    "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]

    "FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]

    "CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]

    "IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]

    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]

    "TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-06-04 296056]

    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]

    .

    c:\users\Sarah M\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    Corel Desktop Application Director.LNK - c:\program files (x86)\Corel\Dad7\QUICK.EXE [2010-8-1 165888]

    DING!.lnk - c:\program files (x86)\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    OpenOffice.org 3.4.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-4-19 1199104]

    PerfectPrint.LNK - c:\program files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE [2010-8-1 282624]

    .

    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2010-2-15 1135560]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "ConsentPromptBehaviorAdmin"= 5 (0x5)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableUIADesktopToggle"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    .

    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

    R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\gearaspisys.sys [x]

    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 135664]

    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]

    R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-14 9728]

    R3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [x]

    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 135664]

    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]

    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-01 113120]

    R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-01-20 315664]

    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]

    R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-02 1255736]

    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]

    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]

    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

    S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]

    S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]

    S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2010-03-06 482384]

    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

    S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-14 166400]

    S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-14 128512]

    S2 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]

    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]

    S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]

    S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]

    S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-04-07 158976]

    S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-04-07 271872]

    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2010-05-18 164464]

    S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]

    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]

    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-01-12 325152]

    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

    S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]

    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

    S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2009-12-18 36760]

    .

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

    .

    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

    .

    2012-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001Core.job

    - c:\users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

    .

    2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001UA.job

    - c:\users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-30 00:07]

    .

    .

    --------- X64 Entries -----------

    .

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

    2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

    2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

    2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

    2010-10-06 23:36 97792 ----a-w- c:\users\Sarah M\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ThpSrv"="c:\windows\system32\thpsrv" [X]

    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-07 166424]

    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-07 391192]

    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-07 413720]

    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-22 10134560]

    "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-22 896032]

    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-01-20 1926928]

    "TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2782096]

    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    "LoadAppInit_DLLs"=0x0

    .

    ------- Supplementary Scan -------

    .

    uStart Page = about:blank

    mStart Page = about:blank

    uInternet Settings,ProxyOverride = *.local

    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000

    TCP: DhcpNameServer = 192.168.4.1

    FF - ProfilePath - c:\users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\

    FF - prefs.js: browser.startup.homepage - hxxp://www.spacesynth.net/forum/

    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

    FF - prefs.js: network.proxy.http - 189.71.26.9

    FF - prefs.js: network.proxy.http_port - 80

    FF - prefs.js: network.proxy.type - 0

    FF - user.js: network.protocol-handler.warn-external.dnupdate - false

    .

    .

    ------- File Associations -------

    .

    JSEFile=c:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    .

    - - - - ORPHANS REMOVED - - - -

    .

    Toolbar-Locked - (no file)

    Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

    SafeBoot-MsMpSvc

    Toolbar-Locked - (no file)

    HKLM-Run-(Default) - (no file)

    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

    HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

    HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe

    HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

    HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe

    HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

    HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

    HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe

    HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

    .

    .

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

    @Denied: (Full) (Everyone)

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE

    c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

    c:\program files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

    c:\program files (x86)\OpenOffice.org 3\program\soffice.exe

    c:\program files (x86)\OpenOffice.org 3\program\soffice.bin

    c:\program files (x86)\BOINC\boinc.exe

    .

    **************************************************************************

    .

    Completion time: 2012-07-25 14:24:52 - machine was rebooted

    ComboFix-quarantined-files.txt 2012-07-25 18:24

    .

    Pre-Run: 331,761,242,112 bytes free

    Post-Run: 333,182,971,904 bytes free

    .

    - - End Of File - - 4BD55D82996563A3CB60814D6DE02A77

  4. ComboFix is telling me that Lavasoft Ad-Watch Live! is running on my PC, but all I had was on-demand Ad-Aware scanning. There's nothing about Lavasoft or Ad-Aware in the process list in the Task Manager that I can find, and I even just uninstalled Ad-Aware, with no leftover programs labelled as "Ad-Aware" or Lavasoft (other than "threatwork", which is not currently running). I don't know why ComboFix thinks it's running, but I'm hesitant to move it forward while it's throwing warnings.

  5. Fixlog.txt:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01

    Ran by SYSTEM at 2012-07-25 12:00:58 Run:1

    Running from F:\

    ==============================================

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5} moved successfully.

    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.

    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

    C:\Windows\System32\services.exe moved successfully.

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

  6. FRST.txt and Search.txt:

    Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01

    Ran by SYSTEM at 25-07-2012 11:20:37

    Running from F:\

    Windows 7 Home Premium (X64) OS Language: English(US)

    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [] [x]

    HKLM\...\Run: [igfxTray] C:\windows\system32\igfxtray.exe [166424 2010-04-07] (Intel Corporation)

    HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [391192 2010-04-07] (Intel Corporation)

    HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [413720 2010-04-07] (Intel Corporation)

    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10134560 2010-03-22] (Realtek Semiconductor)

    HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [896032 2010-03-22] (Realtek Semiconductor)

    HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)

    HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]

    HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-05] (TOSHIBA Corporation)

    HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)

    HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)

    HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-25] (TOSHIBA Corporation)

    HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1489760 2010-04-06] (TOSHIBA Corporation)

    HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)

    HKLM\...\Run: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)

    HKLM\...\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1926928 2010-01-19] (Intel® Corporation)

    HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)

    HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)

    HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-19] (TOSHIBA Corporation)

    HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-03-03] (TOSHIBA Corporation)

    HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2782096 2010-07-25] (CANON INC.)

    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)

    HKLM-x32\...\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2009-12-25] (TOSHIBA CORPORATION)

    HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [423936 2010-03-04] (TOSHIBA Electronics, Inc.)

    HKLM-x32\...\Run: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [352256 2010-02-22] (TOSHIBA CORPORATION)

    HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)

    HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)

    HKLM-x32\...\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [x]

    HKLM-x32\...\Run: [QuickFinder Scheduler] c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE [46080 1996-10-15] (Novell, Inc.)

    HKLM-x32\...\Run: [boinctray] "C:\Program Files (x86)\BOINC\boinctray.exe" [58112 2008-11-17] (Space Sciences Laboratory)

    HKLM-x32\...\Run: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [185640 2009-09-25] (Seagate LLC)

    HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()

    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)

    HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)

    HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [847872 2009-12-02] (SEIKO EPSON CORPORATION)

    HKLM-x32\...\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1213848 2010-09-14] (CANON INC.)

    HKLM-x32\...\Run: [iJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE [452016 2010-09-09] (CANON INC.)

    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)

    HKLM-x32\...\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot [296056 2012-06-04] (RealNetworks, Inc.)

    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)

    HKLM-x32\...\Run: [iSTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI [2659768 2012-02-24] (PC Tools)

    HKU\Sarah M\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-04-08] (Google Inc.)

    HKU\Sarah M\...\Run: [Google Update] "C:\Users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-06-29] (Google Inc.)

    HKU\Sarah M\...\Run: [boincmgr] "C:\Program Files (x86)\BOINC\boincmgr.exe" /a /s [3916544 2008-11-17] (World Community Grid)

    HKU\Sarah M\...\Run: [EPSON WorkForce 630 Series] C:\windows\system32\spool\DRIVERS\x64\3\E_IATIGBA.EXE /FU "C:\windows\TEMP\E_S8A84.tmp" /EF "HKCU" [224768 2010-01-12] (SEIKO EPSON CORPORATION)

    Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)

    Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

    ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk

    ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

    Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK

    ShortcutTarget: Corel Desktop Application Director.LNK -> C:\Program Files (x86)\Corel\Dad7\QUICK.EXE (Corel Corporation Limited)

    Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\DING!.lnk

    ShortcutTarget: DING!.lnk -> C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)

    Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\OpenOffice.org 3.4.lnk

    ShortcutTarget: OpenOffice.org 3.4.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

    Startup: C:\Users\Sarah M\Start Menu\Programs\Startup\PerfectPrint.LNK

    ShortcutTarget: PerfectPrint.LNK -> C:\Program Files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE (Corel Corporation)

    ==================== Services (Whitelisted) ======

    2 FreeAgentGoNext Service; "C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe" [189736 2009-09-25] (Seagate Technology LLC)

    2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [137680 2010-07-27] ()

    2 MSSQL$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [40999448 2008-07-10] (Microsoft Corporation)

    4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4737024 2008-07-29] (Microsoft Corporation)

    3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [315664 2010-01-19] ()

    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)

    2 sdAuxService; C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [402336 2012-02-24] (PC Tools)

    2 sdCoreService; C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [1117624 2012-02-24] (PC Tools)

    4 SQLAgent$SQLEXPRESS; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [369688 2008-07-10] (Microsoft Corporation)

    2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-03-03] (Intel Corporation)

    3 BrlAPI; C:\cygwin\bin\cygrunsrv.exe [x]

    2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 acpials; C:\Windows\System32\Drivers\acpials.sys [9728 2009-07-13] (Microsoft Corporation)

    1 GearAspiSys; C:\Windows\SysWow64\Drivers\GearAspiSys.sys [53412 2002-06-24] (GEAR Software)

    3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-09-22] ()

    0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69376 2011-08-18] (Lavasoft AB)

    0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [367912 2011-11-14] (PC Tools)

    0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2011-12-01] (PC Tools)

    0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096688 2011-12-01] (PC Tools)

    1 PCTSD; C:\Windows\System32\Drivers\PCTSD64.sys [230952 2012-02-24] (PC Tools)

    2 Thpsrv; [x]

    2 TODDSrv; [x]

    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============

    2012-07-25 11:20 - 2012-07-25 11:20 - 00000000 ____D C:\FRST

    2012-07-25 06:06 - 2012-07-25 06:06 - 00004430 ____A C:\Users\Sarah M\Desktop\RKreport[2].txt

    2012-07-25 06:05 - 2012-07-25 06:05 - 00004038 ____A C:\Users\Sarah M\Desktop\RKreport[1].txt

    2012-07-25 06:04 - 2012-07-25 06:05 - 00000000 ____D C:\Users\Sarah M\Desktop\RK_Quarantine

    2012-07-24 19:54 - 2012-07-25 05:45 - 00000000 ____D C:\Program Files (x86)\PC Tools Security

    2012-07-24 19:54 - 2012-07-24 19:55 - 01946715 ____A C:\Windows\System32\Drivers\Cat.DB

    2012-07-24 19:54 - 2012-07-24 19:54 - 00002097 ____A C:\Users\Public\Desktop\PC Tools Spyware Doctor with AntiVirus.lnk

    2012-07-24 19:54 - 2012-07-24 19:54 - 00000000 ____D C:\Users\All Users\PC Tools

    2012-07-24 19:54 - 2012-02-24 06:37 - 00092896 ____A (PC Tools) C:\Windows\System32\Drivers\pctplsg64.sys

    2012-07-24 19:54 - 2012-02-24 06:36 - 00230952 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys

    2012-07-24 19:54 - 2012-02-24 06:35 - 00014776 ____A (PC Tools) C:\Windows\System32\Drivers\pctBTFix64.sys

    2012-07-24 19:54 - 2012-02-24 06:31 - 00339608 ____A (PC Tools) C:\Windows\System32\Drivers\pctgntdi64.sys

    2012-07-24 19:54 - 2012-02-24 06:31 - 00145432 ____A (PC Tools) C:\Windows\System32\Drivers\pctwfpfilter64.sys

    2012-07-24 19:54 - 2011-12-01 12:07 - 01096688 ____A (PC Tools) C:\Windows\System32\Drivers\pctEFA64.sys

    2012-07-24 19:54 - 2011-12-01 12:07 - 00453896 ____A (PC Tools) C:\Windows\System32\Drivers\pctDS64.sys

    2012-07-24 19:54 - 2011-11-14 11:12 - 00367912 ____A (PC Tools) C:\Windows\System32\Drivers\PCTCore64.sys

    2012-07-24 18:57 - 2012-07-24 19:54 - 00000000 ____D C:\Users\Sarah M\AppData\Roaming\GetRightToGo

    2012-07-24 16:36 - 2012-07-24 16:36 - 00000000 ____D C:\TDSSKiller_Quarantine

    2012-07-24 16:26 - 2012-07-25 06:04 - 00000000 ____D C:\Users\Sarah M\Desktop\Fixme

    2012-07-22 17:11 - 2012-07-22 17:11 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{AD799693-F8E3-413A-903D-EC1B5DB5D9A0}

    2012-07-22 17:11 - 2012-07-22 17:11 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{27FD6BF6-DFDF-4538-B895-67B49B3A44FB}

    2012-07-22 17:10 - 2012-07-22 17:10 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{B1D34AF4-1EC8-4344-8987-6BB700B3D003}

    2012-07-22 17:10 - 2012-07-22 17:10 - 00000000 ____D C:\Users\Sarah M\AppData\Local\{A34DD1F8-FFD5-4D4F-AC8D-57EAFC9FC94A}

    2012-07-22 12:55 - 2012-07-22 12:55 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

    2012-07-22 09:18 - 2012-07-22 09:18 - 00000000 ____D C:\Users\Sarah M\AppData\Roaming\Ad-Aware Antivirus

    2012-07-21 18:46 - 2012-07-21 18:46 - 04587128 ____A (Lavasoft Limited) C:\Users\Sarah M\Downloads\Adaware_Installer.exe

    2012-07-18 12:18 - 2012-07-18 12:18 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk

    2012-07-18 12:17 - 2012-07-18 12:18 - 00000000 ____D C:\Program Files\iTunes

    2012-07-18 12:17 - 2012-07-18 12:18 - 00000000 ____D C:\Program Files (x86)\iTunes

    2012-07-18 12:17 - 2012-07-18 12:17 - 00000000 ____D C:\Program Files\iPod

    2012-07-12 05:17 - 2012-06-11 19:02 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2012-07-11 05:20 - 2012-06-08 21:30 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

    2012-07-11 05:20 - 2012-06-08 20:46 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

    2012-07-11 05:20 - 2012-06-05 21:50 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

    2012-07-11 05:20 - 2012-06-05 21:50 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

    2012-07-11 05:20 - 2012-06-05 21:09 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

    2012-07-11 05:20 - 2012-06-05 21:09 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

    2012-07-11 05:20 - 2012-06-01 21:38 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

    2012-07-11 05:20 - 2012-06-01 21:38 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

    2012-07-11 05:20 - 2012-06-01 21:37 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

    2012-07-11 05:20 - 2012-06-01 21:27 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

    2012-07-11 05:20 - 2012-06-01 21:27 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    2012-07-11 05:20 - 2012-06-01 20:48 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

    2012-07-11 05:20 - 2012-06-01 20:48 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

    2012-07-11 05:20 - 2012-06-01 20:47 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

    2012-07-11 05:20 - 2012-06-01 20:42 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

    2012-07-10 19:02 - 2012-07-10 19:02 - 00000000 ___HD C:\Users\All Users\CanonIJSDU

    2012-07-06 05:25 - 2012-07-06 05:25 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

    2012-06-30 20:07 - 2012-06-30 20:07 - 00000000 ____D C:\Users\Public\Documents\sun

    2012-06-30 20:06 - 2012-06-30 20:06 - 00001168 ____A C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk

    2012-06-30 19:18 - 2012-06-30 19:18 - 00000000 ____D C:\Program Files\Microsoft Silverlight

    2012-06-30 19:18 - 2012-06-30 19:18 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight

    ============ 3 Months Modified Files ========================

    2012-07-25 06:46 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

    2012-07-25 06:46 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

    2012-07-25 06:30 - 2010-05-15 18:31 - 01555010 ____A C:\Windows\WindowsUpdate.log

    2012-07-25 06:16 - 2010-06-29 16:13 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001UA.job

    2012-07-25 06:06 - 2012-07-25 06:06 - 00004430 ____A C:\Users\Sarah M\Desktop\RKreport[2].txt

    2012-07-25 06:05 - 2012-07-25 06:05 - 00004038 ____A C:\Users\Sarah M\Desktop\RKreport[1].txt

    2012-07-25 06:04 - 2010-06-29 16:07 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

    2012-07-25 05:24 - 2010-06-29 16:07 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

    2012-07-25 05:24 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

    2012-07-25 05:24 - 2009-07-13 20:51 - 00042538 ____A C:\Windows\setupact.log

    2012-07-24 19:55 - 2012-07-24 19:54 - 01946715 ____A C:\Windows\System32\Drivers\Cat.DB

    2012-07-24 19:54 - 2012-07-24 19:54 - 00002097 ____A C:\Users\Public\Desktop\PC Tools Spyware Doctor with AntiVirus.lnk

    2012-07-24 18:48 - 2010-04-08 18:34 - 00211012 ____A C:\Windows\PFRO.log

    2012-07-24 18:08 - 2009-07-13 21:13 - 00875576 ____A C:\Windows\System32\PerfStringBackup.INI

    2012-07-23 17:41 - 2012-05-02 17:39 - 00001084 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

    2012-07-23 17:20 - 2010-08-18 19:58 - 00005642 ____A C:\Users\Sarah M\Desktop\To Do.txt

    2012-07-22 08:34 - 2011-05-07 20:30 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat

    2012-07-22 08:34 - 2011-05-07 20:30 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat

    2012-07-22 08:32 - 2010-06-29 16:13 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2115260704-4282515749-2195956881-1001Core.job

    2012-07-21 18:46 - 2012-07-21 18:46 - 04587128 ____A (Lavasoft Limited) C:\Users\Sarah M\Downloads\Adaware_Installer.exe

    2012-07-18 12:18 - 2012-07-18 12:18 - 00001754 ____A C:\Users\Public\Desktop\iTunes.lnk

    2012-07-14 23:12 - 2011-01-05 11:38 - 00001042 ____A C:\Users\Sarah M\Desktop\Dropbox.lnk

    2012-07-12 15:47 - 2009-07-13 20:45 - 00383224 ____A C:\Windows\System32\FNTCACHE.DAT

    2012-07-12 15:31 - 2010-06-29 16:16 - 00002430 ____A C:\Users\Sarah M\Desktop\Google Chrome.lnk

    2012-07-12 05:10 - 2010-08-21 17:12 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

    2012-07-10 19:01 - 2010-06-29 15:54 - 00095224 ____A C:\Users\Sarah M\AppData\Local\GDIPFONTCACHEV1.DAT

    2012-07-06 05:25 - 2012-07-06 05:25 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk

    2012-07-03 09:46 - 2011-11-06 14:23 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

    2012-06-30 20:06 - 2012-06-30 20:06 - 00001168 ____A C:\Users\Public\Desktop\OpenOffice.org 3.4.lnk

    2012-06-16 17:48 - 2010-08-01 13:34 - 00001634 ____A C:\Users\Sarah M\Desktop\DivX Movies.lnk

    2012-06-16 17:47 - 2012-06-16 17:47 - 00001087 ____A C:\Users\Public\Desktop\DivX Plus Player.lnk

    2012-06-11 19:02 - 2012-07-12 05:17 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    2012-06-08 21:30 - 2012-07-11 05:20 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

    2012-06-08 20:46 - 2012-07-11 05:20 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

    2012-06-05 21:50 - 2012-07-11 05:20 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll

    2012-06-05 21:50 - 2012-07-11 05:20 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll

    2012-06-05 21:09 - 2012-07-11 05:20 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll

    2012-06-05 21:09 - 2012-07-11 05:20 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

    2012-06-04 05:31 - 2012-06-04 05:31 - 00001046 ____A C:\Users\Public\Desktop\RealPlayer.lnk

    2012-06-04 05:30 - 2011-11-30 17:36 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll

    2012-06-04 05:30 - 2011-11-30 17:36 - 00198832 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll

    2012-06-04 05:30 - 2011-11-30 17:36 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll

    2012-06-04 05:30 - 2011-11-30 17:36 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll

    2012-06-02 14:19 - 2012-06-22 04:36 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll

    2012-06-02 14:19 - 2012-06-22 04:36 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll

    2012-06-02 14:19 - 2012-06-22 04:36 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe

    2012-06-02 14:19 - 2012-06-22 04:36 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll

    2012-06-02 14:19 - 2012-06-22 04:36 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll

    2012-06-02 14:15 - 2012-06-22 04:36 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll

    2012-06-02 14:15 - 2012-06-22 04:36 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll

    2012-06-02 11:19 - 2012-06-22 04:35 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll

    2012-06-02 11:15 - 2012-06-22 04:35 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

    2012-06-01 21:38 - 2012-07-11 05:20 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys

    2012-06-01 21:38 - 2012-07-11 05:20 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys

    2012-06-01 21:37 - 2012-07-11 05:20 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys

    2012-06-01 21:27 - 2012-07-11 05:20 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll

    2012-06-01 21:27 - 2012-07-11 05:20 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll

    2012-06-01 20:48 - 2012-07-11 05:20 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

    2012-06-01 20:48 - 2012-07-11 05:20 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

    2012-06-01 20:47 - 2012-07-11 05:20 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

    2012-06-01 20:42 - 2012-07-11 05:20 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

    2012-05-30 15:28 - 2012-05-30 15:28 - 00001816 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

    2012-05-20 17:59 - 2012-05-20 17:59 - 00000954 ____A C:\Users\Public\Desktop\Psycle Modular Music Creation Studio.lnk

    2012-05-20 17:59 - 2012-05-20 17:58 - 06750341 ____A (psycledelics ) C:\Users\Sarah M\Downloads\PsycleInstallerx86-1.10.1.exe

    2012-05-20 17:53 - 2012-05-20 17:53 - 00007466 ____A C:\Users\Sarah M\Downloads\nativehost.cpp

    2012-05-20 17:18 - 2012-05-20 17:18 - 06534484 ____A (psycledelics ) C:\Users\Sarah M\Downloads\PsycleInstallerx64-1.10.1.exe

    2012-05-17 15:28 - 2011-01-29 11:34 - 00869966 ____A C:\Windows\SysWOW64\PerfStringBackup.INI

    2012-05-14 19:56 - 2012-06-13 15:12 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

    2012-05-14 19:52 - 2012-06-13 15:12 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

    2012-05-14 19:08 - 2012-06-13 15:12 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

    2012-05-14 19:06 - 2012-06-13 15:12 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

    2012-05-14 18:37 - 2012-05-14 18:38 - 03264328 ____A (Microsoft Corporation) C:\Users\Sarah M\Desktop\vb_web.exe

    2012-05-05 19:59 - 2012-05-05 19:59 - 06379888 ____A (BitTorrent, Inc.) C:\Users\Sarah M\Desktop\BitTorrent.exe

    2012-05-05 17:20 - 2012-05-05 17:20 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe

    2012-05-04 02:52 - 2012-06-13 15:12 - 05505392 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe

    2012-05-04 02:08 - 2012-06-13 15:12 - 03958128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe

    2012-05-04 02:08 - 2012-06-13 15:12 - 03902320 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe

    2012-05-01 21:32 - 2012-06-13 15:12 - 00208896 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll

    2012-05-01 04:51 - 2011-01-29 11:35 - 00001945 ____A C:\Windows\epplauncher.mif

    2012-04-27 19:50 - 2012-06-13 15:11 - 00204800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

    ZeroAccess:

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\@

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L\00000004.@

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L\201d3dde

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\00000004.@

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\000000cb.@

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000000.@

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000032.@

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\80000064.@

    ZeroAccess:

    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:

    C:\Windows\assembly\GAC_64\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit

    C:\Windows\System32\wininit.exe => MD5 is legit

    C:\Windows\SysWOW64\wininit.exe => MD5 is legit

    C:\Windows\explorer.exe => MD5 is legit

    C:\Windows\SysWOW64\explorer.exe => MD5 is legit

    C:\Windows\System32\svchost.exe => MD5 is legit

    C:\Windows\SysWOW64\svchost.exe => MD5 is legit

    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

    C:\Windows\System32\User32.dll => MD5 is legit

    C:\Windows\SysWOW64\User32.dll => MD5 is legit

    C:\Windows\System32\userinit.exe => MD5 is legit

    C:\Windows\SysWOW64\userinit.exe => MD5 is legit

    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK

    HKLM\...\exefile\DefaultIcon: %1 => OK

    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 14%

    Total physical RAM: 3890.67 MB

    Available physical RAM: 3317.13 MB

    Total Pagefile: 3888.82 MB

    Available Pagefile: 3301.96 MB

    Total Virtual: 8192 MB

    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: (TI105835W0G) (Fixed) (Total:453.83 GB) (Free:308.71 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[system with boot components (obtained from reading drive)]

    4 Drive f: () (Removable) (Total:14.99 GB) (Free:14.91 GB) FAT32

    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt

    -------- ------------- ------- ------- --- ---

    Disk 0 Online 465 GB 0 B

    Disk 1 Online 15 GB 0 B

    Partitions of Disk 0:

    ===============

    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    Partition 1 Recovery 1500 MB 1024 KB

    Partition 2 Primary 453 GB 1501 MB

    Partition 3 Primary 10 GB 455 GB

    ==================================================================================

    Disk: 0

    Partition 1

    Type : 27

    Hidden: Yes

    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

    ==================================================================================

    Disk: 0

    Partition 2

    Type : 07

    Hidden: No

    Active: No

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 1 C TI105835W0G NTFS Partition 453 GB Healthy

    ==================================================================================

    Disk: 0

    Partition 3

    Type : 17 (Suspicious Type)

    Hidden: Yes

    Active: No

    There is no volume associated with this partition.

    ==================================================================================

    Partitions of Disk 1:

    ===============

    Partition ### Type Size Offset

    ------------- ---------------- ------- -------

    Partition 1 Primary 14 GB 1140 KB

    ==================================================================================

    Disk: 1

    Partition 1

    Type : 0C

    Hidden: No

    Active: No

    Volume ### Ltr Label Fs Type Size Status Info

    ---------- --- ----------- ----- ---------- ------- --------- --------

    * Volume 3 F FAT32 Removable 14 GB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-23 20:00

    ======================= End Of Log ==========================

    Farbar Recovery Scan Tool Version: 25-07-2012 01

    Ran by SYSTEM at 2012-07-25 11:23:22

    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe

    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

    ====== End Of Search ======

  7. There was an Adobe update the night my computer got infected. I'm not convinced it was real. I've since uninstalled Java and all Adobe products.

    I don't entirely understand what you mean by "make sure system restore is running". I created a new restore point--should I now press the "System Restore" button, and reboot by going through that process?

  8. I accidentally scanned while my USB was plugged in, so I unplugged the USB and scanned again, with these results:

    RogueKiller V7.6.4 [07/17/2012] by Tigzy

    mail: tigzyRK<at>gmail<dot>com

    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7600 ) 64 bits version

    Started in : Normal mode

    User: Sarah M [Admin rights]

    Mode: Scan -- Date: 07/25/2012 10:06:24

    ¤¤¤ Bad processes: 12 ¤¤¤

    [SUSP PATH] wcgrid_dsfl_vina_6.25_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86 -> KILLED [TermProc]

    [SUSP PATH] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

    [SUSP PATH] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

    [SUSP PATH] wcgrid_sn2s_vina_6.20_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcgrid_dsfl_vina_6.25_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcgrid_sn2s_vina_6.20_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcgrid_dsfl_vina_6.25_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcg_hpf2_rosetta_6.40_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86 -> KILLED [TermProc]

    [RESIDUE] wcgrid_sn2s_vina_6.20_windows_intelx86 -- C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86 -> KILLED [TermProc]

    ¤¤¤ Registry Entries: 10 ¤¤¤

    [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Sarah M\AppData\Local\{c236b97c-3fcc-86bc-309d-418570865fa5}\n.) -> FOUND

    [HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

    [HJ] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> FOUND

    [HJ] HKCU\[...]\Advanced : Start_ShowVideos (0) -> FOUND

    [HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND

    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    [ZeroAccess][FILE] @ : c:\windows\installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\@ --> FOUND

    [ZeroAccess][FOLDER] U : c:\windows\installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U --> FOUND

    [ZeroAccess][FOLDER] L : c:\windows\installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\L --> FOUND

    [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

    [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9500420AS +++++

    --- User ---

    [MBR] 35cdcf2d6902b3140cbbf1e1c437dd83

    [BSP] ad3169145d5a5582624fdef33b7b7fca : Windows Vista MBR Code

    Partition table:

    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464726 Mo

    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954832896 | Size: 10713 Mo

    User = LL1 ... OK!

    User = LL2 ... OK!

    Finished : << RKreport[2].txt >>

    RKreport[1].txt ; RKreport[2].txt

  9. Symptoms started 7/23 around 9:50 pm:

    - Chrome didn't want to go to normal websites (like Facebook) because it didn't trust the certificate

    - Redirects from links coming from Google searches (though not Bing)

    - Random pop-ups

    - Microsoft Security Essentials collapsed

    Following this are the logs from my first run of MBAM, what's generally come up in subsequent runs of MBAM, and DDS.txt. I'm attaching attach.txt.

    I've seen the disclaimer about the backdoor virus, and that you can't guarantee my computer will be 100% safe ever again. I think I want to get it reasonably clean as fast as possible (it's the only way I can access internet from home right now), and I'll look at reformatting when I'm less stressed.

    Thank you!

    MBAM take 1:

    Malwarebytes Anti-Malware 1.62.0.1300

    www.malwarebytes.org

    Database version: v2012.07.24.01

    Windows 7 x64 NTFS

    Internet Explorer 8.0.7600.16385

    Sarah M :: JOLLYGREENGIANT [administrator]

    7/23/2012 9:41:53 PM

    mbam-log-2012-07-23 (21-41-53).txt

    Scan type: Quick scan

    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

    Scan options disabled: P2P

    Objects scanned: 198851

    Time elapsed: 5 minute(s), 33 second(s)

    Memory Processes Detected: 0

    (No malicious items detected)

    Memory Modules Detected: 0

    (No malicious items detected)

    Registry Keys Detected: 0

    (No malicious items detected)

    Registry Values Detected: 0

    (No malicious items detected)

    Registry Data Items Detected: 0

    (No malicious items detected)

    Folders Detected: 0

    (No malicious items detected)

    Files Detected: 3

    C:\Users\Sarah M\AppData\Local\Temp\154335_10.49.26.TC00327000A.temp\Setup\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Quarantined and deleted successfully.

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\n (Rootkit.0Access) -> Quarantined and deleted successfully.

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

    (end)

    MBAM take 2:

    Malwarebytes Anti-Malware 1.62.0.1300

    www.malwarebytes.org

    Database version: v2012.07.24.01

    Windows 7 x64 NTFS

    Internet Explorer 8.0.7600.16385

    Sarah M :: JOLLYGREENGIANT [administrator]

    7/23/2012 9:53:52 PM

    mbam-log-2012-07-23 (21-53-52).txt

    Scan type: Full scan (C:\|D:\|)

    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

    Scan options disabled: P2P

    Objects scanned: 681543

    Time elapsed: 1 hour(s), 44 minute(s),

    Memory Processes Detected: 0

    (No malicious items detected)

    Memory Modules Detected: 0

    (No malicious items detected)

    Registry Keys Detected: 0

    (No malicious items detected)

    Registry Values Detected: 0

    (No malicious items detected)

    Registry Data Items Detected: 0

    (No malicious items detected)

    Folders Detected: 0

    (No malicious items detected)

    Files Detected: 1

    C:\Windows\Installer\{c236b97c-3fcc-86bc-309d-418570865fa5}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

    (end)

    DDS.txt:

    .

    DDS (Ver_2011-08-26.01) - NTFSAMD64

    Internet Explorer: 8.0.7600.16385

    Run by Sarah M at 9:29:42 on 2012-07-25

    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3891.2102 [GMT -4:00]

    .

    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

    .

    ============== Running Processes ===============

    .

    C:\windows\system32\wininit.exe

    C:\windows\system32\lsm.exe

    C:\windows\system32\svchost.exe -k DcomLaunch

    C:\windows\system32\svchost.exe -k RPCSS

    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

    C:\windows\system32\svchost.exe -k netsvcs

    C:\windows\system32\svchost.exe -k LocalService

    C:\windows\system32\svchost.exe -k NetworkService

    C:\windows\system32\WLANExt.exe

    C:\windows\system32\conhost.exe

    C:\windows\System32\spoolsv.exe

    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\windows\System32\svchost.exe -k LocalServiceNoNetwork

    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE

    C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE

    C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe

    C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE

    C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

    c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

    C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe

    C:\Program Files (x86)\PC Tools Security\pctsSvc.exe

    C:\windows\system32\taskhost.exe

    C:\windows\system32\Dwm.exe

    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

    C:\windows\system32\svchost.exe -k imgsvc

    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

    C:\windows\Explorer.EXE

    C:\Program Files\TOSHIBA\TECO\TecoService.exe

    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

    C:\windows\system32\SearchIndexer.exe

    C:\Program Files\Intel\WiFi\bin\EvtEng.exe

    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

    C:\Program Files (x86)\PC Tools Security\pctsGui.exe

    C:\windows\system32\wbem\wmiprvse.exe

    C:\windows\system32\wbem\unsecapp.exe

    C:\Windows\System32\igfxtray.exe

    C:\Windows\System32\hkcmd.exe

    C:\Windows\System32\igfxpers.exe

    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Windows\System32\ThpSrv.exe

    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

    C:\Program Files\TOSHIBA\TECO\Teco.exe

    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

    C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

    C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

    C:\Program Files\Microsoft Security Client\msseces.exe

    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files (x86)\BOINC\boincmgr.exe

    C:\Users\Sarah M\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe

    C:\Windows\System32\spool\drivers\x64\3\E_IATIGBA.EXE

    C:\Users\Sarah M\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler64.exe

    C:\windows\system32\wbem\unsecapp.exe

    C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

    C:\Program Files (x86)\Corel\Dad7\QUICK.EXE

    C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe

    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe

    C:\Program Files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE

    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin

    C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

    C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe

    C:\Program Files (x86)\BOINC\boinctray.exe

    C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

    C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe

    C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE

    C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe

    C:\Program Files (x86)\real\realplayer\Update\realsched.exe

    C:\Program Files (x86)\iTunes\iTunesHelper.exe

    C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe

    C:\windows\system32\igfxext.exe

    C:\windows\system32\igfxsrvc.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\windows\splwow64.exe

    C:\Program Files (x86)\BOINC\boinc.exe

    C:\windows\system32\conhost.exe

    C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

    C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

    C:\windows\system32\sppsvc.exe

    C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

    C:\Program Files\Windows Media Player\wmpnetwk.exe

    C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

    C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_intelx86

    C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86

    C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_6.40_windows_intelx86

    C:\windows\system32\conhost.exe

    C:\windows\system32\conhost.exe

    C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_6.20_windows_intelx86

    C:\windows\system32\conhost.exe

    C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_prod_x86.exe.6.25

    C:\windows\system32\conhost.exe

    C:\windows\system32\conhost.exe

    C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_sn2s_vina_prod_x86.exe.6.20

    C:\windows\system32\conhost.exe

    C:\windows\system32\taskhost.exe

    C:\windows\system32\DllHost.exe

    C:\windows\system32\DllHost.exe

    C:\windows\SysWOW64\cmd.exe

    C:\windows\system32\conhost.exe

    C:\windows\SysWOW64\cscript.exe

    C:\windows\system32\wbem\wmiprvse.exe

    .

    ============== Pseudo HJT Report ===============

    .

    uStart Page = about:blank

    uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA

    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

    mStart Page = about:blank

    uInternet Settings,ProxyOverride = *.local

    uURLSearchHooks: H - No File

    BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll

    BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

    BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

    uRun: [Google Update] "C:\Users\Sarah M\AppData\Local\Google\Update\GoogleUpdate.exe" /c

    uRun: [boincmgr] "C:\Program Files (x86)\BOINC\boincmgr.exe" /a /s

    uRun: [EPSON WorkForce 630 Series] C:\windows\system32\spool\DRIVERS\x64\3\E_IATIGBA.EXE /FU "C:\windows\TEMP\E_S8A84.tmp" /EF "HKCU"

    mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

    mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

    mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

    mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

    mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

    mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

    mRun: [QuickFinder Scheduler] c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE

    mRun: [boinctray] "C:\Program Files (x86)\BOINC\boinctray.exe"

    mRun: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

    mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"

    mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"

    mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon

    mRun: [iJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE

    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

    mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot

    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

    mRun: [iSTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI

    StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CORELD~1.LNK - C:\Program Files (x86)\Corel\Dad7\QUICK.EXE

    StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DING!.lnk - C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe

    StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

    StartupFolder: C:\Users\SARAHM~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PERFEC~1.LNK - C:\Program Files (x86)\Corel\Shared\PFit7\PFPPOP70.EXE

    mPolicies-explorer: NoActiveDesktop = 1 (0x1)

    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000

    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll

    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL

    LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll

    LSP: mswsock.dll

    TCP: Interfaces\{16D759EC-67E8-405D-B433-3A3862029BF5} : DhcpNameServer = 194.90.1.5 212.143.212.143

    TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887} : DhcpNameServer = 130.132.1.9 130.132.1.10 130.132.1.11

    TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\2535D696C656D2031323 : DhcpNameServer = 192.168.2.1

    TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\37369656E647563686 : DhcpNameServer = 192.168.4.1

    TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\9516C6567457563747 : DhcpNameServer = 205.171.3.65 205.171.2.65

    TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\9716C6560277962756C6563737 : DhcpNameServer = 130.132.1.9 130.132.1.10 130.132.1.11

    TCP: Interfaces\{C2C22A28-2F18-469B-95DA-F88D79E9F887}\D41676964637F6E684F6D656 : DhcpNameServer = 192.168.1.1

    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

    BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

    BHO-X64: Winamp Toolbar Loader - No File

    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File

    BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll

    BHO-X64: Canon Easy-WebPrint EX BHO - No File

    BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

    BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

    BHO-X64: SkypeIEPluginBHO - No File

    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

    BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

    BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

    TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll

    TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll

    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

    EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File

    mRun-x64: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

    mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

    mRun-x64: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

    mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

    mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

    mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

    mRun-x64: [QuickFinder Scheduler] c:\program files (x86)\Corel\Shared\QFinder7\QFSCHED.EXE

    mRun-x64: [boinctray] "C:\Program Files (x86)\BOINC\boinctray.exe"

    mRun-x64: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

    mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

    mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"

    mRun-x64: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"

    mRun-x64: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon

    mRun-x64: [iJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE

    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

    mRun-x64: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot

    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

    mRun-x64: [iSTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI

    .

    ================= FIREFOX ===================

    .

    FF - ProfilePath - C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\

    FF - prefs.js: browser.startup.homepage - hxxp://www.spacesynth.net/forum/

    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

    FF - prefs.js: network.proxy.http - 189.71.26.9

    FF - prefs.js: network.proxy.http_port - 80

    FF - prefs.js: network.proxy.type - 0

    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll

    FF - component: C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

    FF - component: C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

    FF - component: C:\Users\Sarah M\AppData\Roaming\Mozilla\Firefox\Profiles\qpf73dfj.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll

    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

    FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll

    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.13\npGoogleOneClick8.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll

    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll

    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll

    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll

    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

    FF - plugin: C:\Program Files (x86)\Opera\program\plugins\nppl3260.dll

    FF - plugin: C:\Program Files (x86)\Opera\program\plugins\nprjplug.dll

    FF - plugin: C:\Program Files (x86)\Opera\program\plugins\nprpjplug.dll

    FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll

    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll

    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

    FF - plugin: C:\Users\Sarah M\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll

    FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll

    .

    ---- FIREFOX POLICIES ----

    FF - user.js: network.protocol-handler.warn-external.dnupdate - false

    ============= SERVICES / DRIVERS ===============

    .

    R0 Lbd;Lbd;C:\windows\system32\DRIVERS\Lbd.sys --> C:\windows\system32\DRIVERS\Lbd.sys [?]

    R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\system32\DRIVERS\MpFilter.sys --> C:\windows\system32\DRIVERS\MpFilter.sys [?]

    R0 PCTCore;PCTools KDS;C:\windows\system32\drivers\PCTCore64.sys --> C:\windows\system32\drivers\PCTCore64.sys [?]

    R0 pctDS;PC Tools Data Store;C:\windows\system32\drivers\pctDS64.sys --> C:\windows\system32\drivers\pctDS64.sys [?]

    R0 pctEFA;PC Tools Extended File Attributes;C:\windows\system32\drivers\pctEFA64.sys --> C:\windows\system32\drivers\pctEFA64.sys [?]

    R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]

    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]

    R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]

    R1 PCTSD;PC Tools Spyware Doctor Driver;C:\windows\system32\Drivers\PCTSD64.sys --> C:\windows\system32\Drivers\PCTSD64.sys [?]

    R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

    R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2011-12-26 166400]

    R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2011-12-26 128512]

    R2 FreeAgentGoNext Service;Seagate Service;C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-9-25 189736]

    R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2012-7-24 402336]

    R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2012-7-24 1117624]

    R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]

    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]

    R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-5-15 2320920]

    R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]

    R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]

    R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]

    R3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]

    R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETw5s64.sys --> C:\windows\system32\DRIVERS\NETw5s64.sys [?]

    R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]

    R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

    R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-5-15 54136]

    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

    R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]

    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]

    R3 wdkmd;Intel WiDi KMD;C:\windows\system32\DRIVERS\WDKMD.sys --> C:\windows\system32\DRIVERS\WDKMD.sys [?]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-29 135664]

    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" --> C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [?]

    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]

    S3 acpials;ALS Sensor Filter;C:\windows\system32\DRIVERS\acpials.sys --> C:\windows\system32\DRIVERS\acpials.sys [?]

    S3 BrlAPI;BrlAPI;C:\cygwin\bin\cygrunsrv.exe --> C:\cygwin\bin\cygrunsrv.exe [?]

    S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]

    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]

    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-29 135664]

    S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-9-22 17152]

    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-12 113120]

    S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-1-19 315664]

    S3 NisDrv;Microsoft Network Inspection System;C:\windows\system32\DRIVERS\NisDrvWFP.sys --> C:\windows\system32\DRIVERS\NisDrvWFP.sys [?]

    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]

    S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-7-10 47128]

    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-7-10 369688]

    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

    .

    =============== File Associations ===============

    .

    JSEFile=C:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    VBEFile=C:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    VBSFile=C:\windows\SysWow64\rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    .

    =============== Created Last 30 ================

    .

    2012-07-25 03:54:42 453896 ----a-w- C:\windows\System32\drivers\pctDS64.sys

    2012-07-25 03:54:42 1096688 ----a-w- C:\windows\System32\drivers\pctEFA64.sys

    2012-07-25 03:54:41 339608 ----a-w- C:\windows\System32\drivers\pctgntdi64.sys

    2012-07-25 03:54:41 145432 ----a-w- C:\windows\System32\drivers\pctwfpfilter64.sys

    2012-07-25 03:54:34 367912 ----a-w- C:\windows\System32\drivers\PCTCore64.sys

    2012-07-25 03:54:32 230952 ----a-w- C:\windows\System32\drivers\PCTSD64.sys

    2012-07-25 03:54:32 14776 ----a-w- C:\windows\System32\drivers\pctBTFix64.sys

    2012-07-25 03:54:30 92896 ----a-w- C:\windows\System32\drivers\pctplsg64.sys

    2012-07-25 03:54:21 -------- d-----w- C:\ProgramData\PC Tools

    2012-07-25 03:54:21 -------- d-----w- C:\Program Files (x86)\PC Tools Security

    2012-07-25 03:54:21 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools

    2012-07-25 02:57:23 -------- d-----w- C:\Users\Sarah M\AppData\Roaming\GetRightToGo

    2012-07-25 00:36:18 -------- d-----w- C:\TDSSKiller_Quarantine

    2012-07-23 01:11:37 -------- d-----w- C:\Users\Sarah M\AppData\Local\{AD799693-F8E3-413A-903D-EC1B5DB5D9A0}

    2012-07-23 01:11:15 -------- d-----w- C:\Users\Sarah M\AppData\Local\{27FD6BF6-DFDF-4538-B895-67B49B3A44FB}

    2012-07-23 01:10:30 -------- d-----w- C:\Users\Sarah M\AppData\Local\{B1D34AF4-1EC8-4344-8987-6BB700B3D003}

    2012-07-23 01:10:00 -------- d-----w- C:\Users\Sarah M\AppData\Local\{A34DD1F8-FFD5-4D4F-AC8D-57EAFC9FC94A}

    2012-07-22 20:55:19 -------- d-sh--w- C:\windows\SysWow64\%APPDATA%

    2012-07-22 17:18:49 -------- d-----w- C:\Users\Sarah M\AppData\Roaming\Ad-Aware Antivirus

    2012-07-22 02:52:24 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0F930B5F-602B-40DC-B531-16393F82D83C}\mpengine.dll

    2012-07-20 00:13:18 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

    2012-07-18 20:17:17 -------- d-----w- C:\Program Files\iPod

    2012-07-18 20:17:15 -------- d-----w- C:\Program Files\iTunes

    2012-07-18 20:17:15 -------- d-----w- C:\Program Files (x86)\iTunes

    2012-07-12 13:17:26 3147264 ----a-w- C:\windows\System32\win32k.sys

    2012-07-11 03:02:07 -------- d--h--w- C:\ProgramData\CanonIJSDU

    2012-07-04 17:33:35 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B9D123A4-7336-4AE3-8072-AFBCA5F08F75}\gapaengine.dll

    2012-07-01 02:30:28 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll

    2012-07-01 02:30:28 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll

    .

    ==================== Find3M ====================

    .

    2012-07-03 17:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys

    2012-06-06 05:50:50 2003968 ----a-w- C:\windows\System32\msxml6.dll

    2012-06-06 05:50:50 1880064 ----a-w- C:\windows\System32\msxml3.dll

    2012-06-06 05:09:46 1389568 ----a-w- C:\windows\SysWow64\msxml6.dll

    2012-06-06 05:09:46 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll

    2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll

    2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll

    2012-06-02 19:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll

    2012-06-02 19:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe

    2012-06-02 05:38:26 95088 ----a-w- C:\windows\System32\drivers\ksecdd.sys

    2012-06-02 05:38:24 152432 ----a-w- C:\windows\System32\drivers\ksecpkg.sys

    2012-06-02 05:37:45 459216 ----a-w- C:\windows\System32\drivers\cng.sys

    2012-06-02 05:27:02 340992 ----a-w- C:\windows\System32\schannel.dll

    2012-06-02 05:27:00 307200 ----a-w- C:\windows\System32\ncrypt.dll

    2012-06-02 04:48:39 22016 ----a-w- C:\windows\SysWow64\secur32.dll

    2012-06-02 04:48:35 225280 ----a-w- C:\windows\SysWow64\schannel.dll

    2012-06-02 04:47:31 219136 ----a-w- C:\windows\SysWow64\ncrypt.dll

    2012-06-02 04:42:51 96768 ----a-w- C:\windows\SysWow64\sspicli.dll

    2012-05-15 03:56:59 1197568 ----a-w- C:\windows\System32\wininet.dll

    2012-05-15 03:08:48 981504 ----a-w- C:\windows\SysWow64\wininet.dll

    2012-05-06 01:20:16 8744608 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe

    2012-05-04 10:52:22 5505392 ----a-w- C:\windows\System32\ntoskrnl.exe

    2012-05-04 10:08:16 3958128 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe

    2012-05-04 10:08:15 3902320 ----a-w- C:\windows\SysWow64\ntoskrnl.exe

    2012-05-02 05:32:43 208896 ----a-w- C:\windows\System32\profsvc.dll

    2012-04-28 03:50:40 204800 ----a-w- C:\windows\System32\drivers\rdpwd.sys

    .

    ============= FINISH: 9:31:41.75 ===============

    Attach.txt
