Everything posted by mappelsauce

svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
Thanks for everything.
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
That is great. I assume the Windows transfer file, copies of our two My Documents folders, and recent backup files stored on an external hard drive (not currently connected) are likely contaminated too and should be discarded. Is this correct?
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
After I reinstalled Windows, the service pack update kept failing.
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs

Results of screen317's Security Check version 0.99.54
Windows 7 x64 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Google Chrome 22.0.1229.95
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs

# AdwCleaner v2.006 - Logfile created 11/03/2012 at 18:43:43
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Jill Appel - APPELS-PC
# Boot Mode : Normal
# Running from : C:\Users\Jill Appel\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Mike Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Jill Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2300 octets] - [03/11/2012 16:49:46]
AdwCleaner[S1].txt - [1801 octets] - [03/11/2012 18:43:43]

########## EOF - C:\AdwCleaner[S1].txt - [1861 octets] ##########
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs

# AdwCleaner v2.006 - Logfile created 11/03/2012 at 16:49:46
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Jill Appel - APPELS-PC
# Boot Mode : Normal
# Running from : C:\Users\Jill Appel\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Found : HKU\S-1-5-21-138348372-2221529854-3621718402-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKU\S-1-5-21-138348372-2221529854-3621718402-1003\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Found : HKU\S-1-5-21-138348372-2221529854-3621718402-1003\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Mike Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Jill Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2179 octets] - [03/11/2012 16:49:46]

########## EOF - C:\AdwCleaner[R1].txt - [2239 octets] ##########
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
Doing AdwCleaner now, here is the MBAM report.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.03.08

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Jill Appel :: APPELS-PC [administrator]

11/3/2012 1:37:16 PM
mbam-log-2012-11-03 (13-37-16).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 496919
Time elapsed: 1 hour(s), 7 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\TDSSKiller_Quarantine\03.11.2012_09.44.45\mbr0000\tdlfs0000\tsk0002.dta (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\03.11.2012_10.26.11\tdlfs0000\tsk0002.dta (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.

(end)
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
Here you go.

ComboFix 12-11-03.02 - Jill Appel 11/03/2012 12:31:50.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4532 [GMT -7:00]
Running from: c:\users\Jill Appel\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-03 to 2012-11-03 )))))))))))))))))))))))))))))))
.
.
2012-11-03 19:37 . 2012-11-03 19:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-03 16:49 . 2012-11-03 17:27 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-31 21:41 . 2012-10-31 21:41 -------- d-----w- c:\programdata\Malwarebytes
2012-10-31 21:41 . 2012-10-31 21:41 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-31 21:41 . 2012-09-30 02:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-30 02:01 . 2012-10-31 16:38 -------- d-----w- c:\program files (x86)\FastStone Photo Resizer
2012-10-28 21:44 . 2012-10-28 21:44 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-10-25 20:37 . 2012-10-25 20:37 -------- d-----w- c:\program files\Google
2012-10-25 20:37 . 2012-10-25 20:38 -------- d-----w- c:\program files (x86)\Google
2012-10-25 20:37 . 2012-10-25 20:37 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 20:37 . 2012-10-25 20:37 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-25 20:37 . 2012-10-25 20:37 -------- d-----w- c:\windows\system32\Macromed
2012-10-22 10:10 . 2012-10-22 10:10 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-10-22 05:11 . 2012-10-22 05:11 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-10-22 04:21 . 2012-08-21 20:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-22 04:21 . 2012-10-22 04:21 -------- dc----w- c:\windows\system32\DRVSTORE
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\program files\iPod
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\program files\iTunes
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\program files (x86)\iTunes
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\programdata\Apple Computer
2012-10-22 04:20 . 2012-10-22 04:20 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-10-22 04:20 . 2012-10-22 04:20 -------- d-----w- c:\program files\Common Files\Apple
2012-10-22 04:19 . 2012-10-22 04:19 -------- d-----w- c:\program files\Bonjour
2012-10-22 04:19 . 2012-10-22 04:19 -------- d-----w- c:\program files (x86)\Bonjour
2012-10-22 04:19 . 2012-10-22 04:21 -------- d-----w- c:\program files (x86)\Common Files\Apple
2012-10-22 04:19 . 2012-10-22 04:20 -------- d-----w- c:\programdata\Apple
2012-10-22 04:16 . 2012-10-22 04:16 -------- d-----w- c:\program files (x86)\MSECache
2012-10-22 04:09 . 2012-10-22 04:09 -------- d-----w- c:\program files (x86)\Canon
2012-10-22 04:08 . 2012-10-22 04:08 -------- d-----w- c:\program files (x86)\Common Files\Canon
2012-10-22 04:03 . 2012-10-31 16:38 -------- d-----w- c:\program files (x86)\Microsoft SkyDrive
2012-10-22 04:03 . 2012-10-22 04:03 -------- d-----w- c:\programdata\Microsoft SkyDrive
2012-10-22 02:22 . 2012-10-31 17:29 -------- d-----w- c:\users\Jill Appel
2012-10-21 22:20 . 2012-10-21 22:20 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-10-21 22:14 . 2012-10-21 22:14 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-10-21 22:14 . 2012-10-23 10:04 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-10-21 22:14 . 2012-10-21 22:14 -------- d-----w- c:\windows\PCHEALTH
2012-10-21 22:14 . 2012-10-21 22:14 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-10-21 22:12 . 2012-10-21 22:12 -------- d-----w- c:\program files\Microsoft Office
2012-10-21 22:11 . 2012-10-21 22:11 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-10-21 22:10 . 2012-10-23 03:40 -------- d-----w- c:\programdata\Microsoft Help
2012-10-21 22:10 . 2012-10-21 22:10 -------- d-----r- C:\MSOCache
2012-10-21 21:49 . 2012-10-21 21:49 -------- d-----w- c:\program files\Symantec
2012-10-21 21:49 . 2012-10-21 21:49 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-10-21 21:49 . 2012-10-21 21:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-10-21 21:48 . 2012-10-22 10:47 -------- d-----w- c:\windows\system32\drivers\NISx64
2012-10-21 21:48 . 2012-10-21 21:48 -------- d-----w- c:\program files (x86)\Norton Internet Security
2012-10-21 21:47 . 2012-10-31 16:38 -------- d-----w- c:\programdata\Norton
2012-10-21 21:45 . 2012-10-22 10:45 -------- d-----w- c:\program files (x86)\NortonInstaller
2012-10-21 21:35 . 2012-10-21 21:35 -------- d-----w- c:\windows\SysWow64\Macromed
2012-10-21 21:22 . 2012-05-02 05:32 208896 ----a-w- c:\windows\system32\profsvc.dll
2012-10-21 21:05 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2012-10-21 21:05 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2012-10-21 21:00 . 2012-09-28 07:18 65309168 ----a-w- c:\windows\system32\MRT.exe
2012-10-21 20:53 . 2009-09-10 06:28 311808 ----a-w- c:\windows\system32\msv1_0.dll
2012-10-21 20:53 . 2009-09-10 05:52 257024 ----a-w- c:\windows\SysWow64\msv1_0.dll
2012-10-21 20:45 . 2009-10-10 03:17 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2012-10-21 20:42 . 2009-11-25 19:47 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
2012-10-21 20:42 . 2009-11-25 19:47 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
2012-10-21 20:42 . 2009-11-25 19:47 48960 ----a-w- c:\windows\system32\netfxperf.dll
2012-10-21 20:42 . 2009-11-25 19:47 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
2012-10-21 20:42 . 2009-11-25 19:47 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
2012-10-21 20:42 . 2009-11-25 19:47 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
2012-10-21 20:42 . 2009-11-25 19:47 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-10-21 20:42 . 2009-11-25 19:47 444752 ----a-w- c:\windows\system32\mscoree.dll
2012-10-21 20:42 . 2009-11-25 19:47 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2012-10-21 20:42 . 2009-11-25 19:47 1942856 ----a-w- c:\windows\system32\dfshim.dll
2012-10-21 20:33 . 2012-03-01 06:54 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-10-21 20:33 . 2012-03-01 06:40 80896 ----a-w- c:\windows\system32\imagehlp.dll
2012-10-21 20:33 . 2012-03-01 05:45 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-10-21 20:33 . 2012-03-01 06:35 5120 ----a-w- c:\windows\system32\wmi.dll
2012-10-21 20:33 . 2012-03-01 05:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-10-21 20:32 . 2010-03-04 04:32 243712 ----a-w- c:\windows\system32\drivers\ks.sys
2012-10-21 20:30 . 2010-08-04 07:07 552960 ----a-w- c:\windows\system32\msdri.dll
2012-10-21 20:29 . 2012-08-02 17:55 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-10-21 20:23 . 2012-10-21 20:23 -------- d-----w- c:\programdata\ATI
2012-10-21 15:45 . 2012-10-21 15:45 -------- d-----w- c:\program files (x86)\ATI Technologies
2012-10-21 15:45 . 2012-10-25 20:49 -------- d-sh--w- c:\windows\Installer
2012-10-21 15:45 . 2012-10-21 15:46 -------- d-----w- c:\program files\ATI Technologies
2012-10-21 15:45 . 2012-10-21 15:45 -------- d-----w- c:\program files\ATI
2012-10-21 15:10 . 2010-08-26 04:39 109056 ----a-w- c:\windows\SysWow64\t2embed.dll
2012-10-21 15:09 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
2012-10-21 15:08 . 2011-02-19 06:36 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-10-21 15:07 . 2012-04-28 03:50 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-10-21 15:07 . 2010-10-12 05:05 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
2012-10-21 15:07 . 2010-10-12 05:00 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2012-10-21 15:07 . 2010-10-12 04:25 516096 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
2012-10-21 15:07 . 2011-12-28 03:59 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2012-10-21 15:07 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-10-21 15:07 . 2012-08-11 00:53 714752 ----a-w- c:\windows\system32\kerberos.dll
2012-10-21 15:07 . 2012-08-10 23:54 541184 ----a-w- c:\windows\SysWow64\kerberos.dll
2012-10-21 15:07 . 2010-08-31 04:32 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
2012-10-21 15:07 . 2010-08-31 04:32 954288 ----a-w- c:\windows\SysWow64\mfc40u.dll
2012-10-21 15:07 . 2009-08-29 07:50 46592 ----a-w- c:\windows\system32\msasn1.dll
2012-10-21 15:07 . 2009-08-29 06:57 34816 ----a-w- c:\windows\SysWow64\msasn1.dll
2012-10-21 15:05 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2012-10-21 15:00 . 2012-10-17 09:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{50E72EB9-27A7-4662-A045-C45457455A0A}\mpengine.dll
2012-10-21 15:00 . 2012-05-31 19:25 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-10-21 15:00 . 2010-08-27 06:14 236032 ----a-w- c:\windows\system32\srvsvc.dll
2012-10-21 15:00 . 2010-08-27 05:46 9728 ----a-w- c:\windows\SysWow64\sscore.dll
2012-10-21 15:00 . 2012-06-02 05:25 1462784 ----a-w- c:\windows\system32\crypt32.dll
2012-10-21 15:00 . 2012-06-02 05:25 182272 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-21 15:00 . 2012-06-02 05:25 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-21 15:00 . 2012-06-02 04:45 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-10-21 15:00 . 2012-06-02 04:45 1157632 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-10-21 15:00 . 2012-06-02 04:45 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-10-21 15:00 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll
2012-10-21 15:00 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-10-21 14:58 . 2012-10-21 14:58 -------- d-----w- c:\windows\SysWow64\Wat
2012-10-21 14:58 . 2012-10-21 14:58 -------- d-----w- c:\windows\system32\Wat
2012-10-21 04:15 . 2012-10-21 03:52 -------- d-----w- c:\windows\Panther
2012-10-21 04:14 . 2012-10-21 04:14 -------- d-----w- C:\Boot
2012-10-21 03:56 . 2012-02-15 06:27 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-10-21 03:56 . 2010-01-09 07:19 139264 ----a-w- c:\windows\system32\cabview.dll
2012-10-21 03:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\SysWow64\cabview.dll
2012-10-21 03:34 . 2012-10-21 03:34 0 ----a-w- c:\windows\ativpsrm.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-21 15:44 . 2009-05-05 19:30 16440 ----a-w- c:\windows\system32\drivers\AtiPcie.sys
2012-08-21 20:01 . 2012-08-21 20:01 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 20:01 . 2012-08-21 20:01 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-18 11:19 . 2012-10-21 20:30 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-26 98304]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-21 1255736]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309000.009\SYMDS64.SYS [2011-07-26 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309000.009\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20121005.002\BHDrvx64.sys [2012-10-05 1385632]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309000.009\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20121102.001\IDSvia64.sys [2012-10-19 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309000.009\Ironx64.SYS [2012-04-18 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS [2012-04-18 405624]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [2012-06-16 138272]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-10-22 138912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 04356378
*NewlyCreated* - 08827532
*NewlyCreated* - 77690075
*Deregistered* - 04356378
*Deregistered* - 08827532
*Deregistered* - 77690075
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-25 20:37]
.
2012-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-25 20:37]
.
2012-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-25 20:37]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-30892894.sys
SafeBoot-77690075.sys
ShellIconOverlayIdentifiers-{F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
ShellIconOverlayIdentifiers-{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
ShellIconOverlayIdentifiers-{BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
 7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
 64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
 69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
 76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
 b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
 2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:3e,17,81,9e,d5,b0,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-03 12:38:56
ComboFix-quarantined-files.txt 2012-11-03 19:38
ComboFix2.txt 2012-11-03 01:37
ComboFix3.txt 2012-11-02 03:02
.
Pre-Run: 84,894,474,240 bytes free
Post-Run: 84,624,404,480 bytes free
.
- - End Of File - - AB5D8DDE63729C68E5393AC4ED028FA0
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
OK, I reran it a second time and it did not detect anything malicious and did not appear to generate any new logs.
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
Right at the end I got a Norton warning. The disable of my Norton IS must have timed out. I am going to re-disable it and run it again, but here are the first set of logs anyway in case it was successful.

TDSSKiller.2.8.15.0_03.11.2012_09.41.50_log.txt
TDSSKiller.2.8.15.0_03.11.2012_09.44.43_log.txt
TDSSKiller.2.8.15.0_03.11.2012_09.51.48_log.txt
svchost.exe trojan, can't get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
Here is the first step, still working on the next.

ListParts by Farbar Version: 30-10-2012
Ran by Jill Appel (administrator) on 03-11-2012 at 09:37:32
Windows 7 (X64)
Running From: C:\Users\Jill Appel\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 30%
Total physical RAM: 5887.11 MB
Available physical RAM: 4066.95 MB
Total Pagefile: 11772.37 MB
Available Pagefile: 9842.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:78.69 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Backup Drive) (Fixed) (Total:298.09 GB) (Free:77.1 GB) NTFS
3 Drive e: (New Volume) (Fixed) (Total:931.51 GB) (Free:209.47 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB     8 MB
  Disk 1    Online          298 GB      0 B
  Disk 2    Online          931 GB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            232 GB    31 KB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C                NTFS   Partition    232 GB  Healthy    System (partition with boot components)

======================================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            298 GB    31 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   Backup Driv  NTFS   Partition    298 GB  Healthy

======================================================================================================

Partitions of Disk 2:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            931 GB  1024 KB

======================================================================================================

Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   New Volume   NTFS   Partition    931 GB  Healthy

======================================================================================================

==========================================================

TDL4: custom:26000022

****** End Of Log ******
svchost.exe trojan, cant get it removed
mappelsauce replied to mappelsauce's topic in Resolved Malware Removal Logs
Report below.

RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Jill Appel [Admin rights]
Mode : Scan -- Date : 11/03/2012 08:22:21

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500KS-00MJB0 ATA Device +++++
--- User ---
[MBR] e03033be7262a85c0995db46000c40de
[BSP] 3cde355c19231ec0ce123e48a15ac90a : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] daabf44f9e5c593f462a9e9f69e7c07a
[BSP] 3cde355c19231ec0ce123e48a15ac90a : Windows 7 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo

+++++ PhysicalDrive1: WDC WD3200AAKS-00B3A0 ATA Device +++++
--- User ---
[MBR] 59003f5262d1acbda3b8193be15030f3
[BSP] 0e3be7ad91b65ffdc9a4ae56c1811206 : Standard MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305245 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: WDC WD10EARS-00Y5B1 ATA Device +++++
--- User ---
[MBR] b15c5c5114b7b13005eaa9cd7f1fcf7e
[BSP] 6e6e81725fea04fbed8fbe0a7b129bcd : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11032012_02d0822.txt >>
RKreport[1]_S_11032012_02d0822.txt
-
After repeated bluescreens I recently rebuilt my computer. Even after the rebuild I was having trouble. I used Malwarebytes and it says I have two trojans that it can't fix. I ran the DDS scan and attached the logs. At this point I wouldn't care if I had to rebuild the machine again, but since it still came back I figure it wouldn't help.
attach.txt dds.txt