Posts posted by mappelsauce
-
-
That is great. I assume the Windows transfer file, copies of our two My Documents folders, and recent backup files stored on an external hard drive (not currently connected) are likely contaminated too and should be discarded. Is this correct?
-
After I reinstalled Windows, the Service Pack update kept failing.
-
Results of screen317's Security Check version 0.99.54
Windows 7 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Google Chrome 22.0.1229.95
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````
-
# AdwCleaner v2.006 - Logfile created 11/03/2012 at 18:43:43
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Jill Appel - APPELS-PC
# Boot Mode : Normal
# Running from : C:\Users\Jill Appel\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
-\\ Google Chrome v [unable to get version]
File : C:\Users\Mike Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
File : C:\Users\Jill Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [2300 octets] - [03/11/2012 16:49:46]
AdwCleaner[S1].txt - [1801 octets] - [03/11/2012 18:43:43]
########## EOF - C:\AdwCleaner[S1].txt - [1861 octets] ##########
-
# AdwCleaner v2.006 - Logfile created 11/03/2012 at 16:49:46
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Jill Appel - APPELS-PC
# Boot Mode : Normal
# Running from : C:\Users\Jill Appel\Desktop\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKCU\Software\AppDataLow\Software
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Found : HKU\S-1-5-21-138348372-2221529854-3621718402-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKU\S-1-5-21-138348372-2221529854-3621718402-1003\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Found : HKU\S-1-5-21-138348372-2221529854-3621718402-1003\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[OK] Registry is clean.
-\\ Google Chrome v [unable to get version]
File : C:\Users\Mike Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
File : C:\Users\Jill Appel\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [2179 octets] - [03/11/2012 16:49:46]
########## EOF - C:\AdwCleaner[R1].txt - [2239 octets] ##########
-
Doing AdwCleaner now; here is the MBAM report.
Malwarebytes Anti-Malware 1.65.1.1000
Database version: v2012.11.03.08
Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Jill Appel :: APPELS-PC [administrator]
11/3/2012 1:37:16 PM
mbam-log-2012-11-03 (13-37-16).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 496919
Time elapsed: 1 hour(s), 7 minute(s), 56 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\TDSSKiller_Quarantine\03.11.2012_09.44.45\mbr0000\tdlfs0000\tsk0002.dta (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\03.11.2012_10.26.11\tdlfs0000\tsk0002.dta (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.
(end)
-
Here you go.
ComboFix 12-11-03.02 - Jill Appel 11/03/2012 12:31:50.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4532 [GMT -7:00]
Running from: c:\users\Jill Appel\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-03 to 2012-11-03 )))))))))))))))))))))))))))))))
.
.
2012-11-03 19:37 . 2012-11-03 19:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-03 16:49 . 2012-11-03 17:27 -------- d-----w- C:\TDSSKiller_Quarantine
2012-10-31 21:41 . 2012-10-31 21:41 -------- d-----w- c:\programdata\Malwarebytes
2012-10-31 21:41 . 2012-10-31 21:41 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-31 21:41 . 2012-09-30 02:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-30 02:01 . 2012-10-31 16:38 -------- d-----w- c:\program files (x86)\FastStone Photo Resizer
2012-10-28 21:44 . 2012-10-28 21:44 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-10-25 20:37 . 2012-10-25 20:37 -------- d-----w- c:\program files\Google
2012-10-25 20:37 . 2012-10-25 20:38 -------- d-----w- c:\program files (x86)\Google
2012-10-25 20:37 . 2012-10-25 20:37 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 20:37 . 2012-10-25 20:37 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-25 20:37 . 2012-10-25 20:37 -------- d-----w- c:\windows\system32\Macromed
2012-10-22 10:10 . 2012-10-22 10:10 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-10-22 05:11 . 2012-10-22 05:11 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-10-22 04:21 . 2012-08-21 20:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-22 04:21 . 2012-10-22 04:21 -------- dc----w- c:\windows\system32\DRVSTORE
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\program files\iPod
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\program files\iTunes
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\program files (x86)\iTunes
2012-10-22 04:21 . 2012-10-22 04:21 -------- d-----w- c:\programdata\Apple Computer
2012-10-22 04:20 . 2012-10-22 04:20 -------- d-----w- c:\program files (x86)\Apple Software Update
2012-10-22 04:20 . 2012-10-22 04:20 -------- d-----w- c:\program files\Common Files\Apple
2012-10-22 04:19 . 2012-10-22 04:19 -------- d-----w- c:\program files\Bonjour
2012-10-22 04:19 . 2012-10-22 04:19 -------- d-----w- c:\program files (x86)\Bonjour
2012-10-22 04:19 . 2012-10-22 04:21 -------- d-----w- c:\program files (x86)\Common Files\Apple
2012-10-22 04:19 . 2012-10-22 04:20 -------- d-----w- c:\programdata\Apple
2012-10-22 04:16 . 2012-10-22 04:16 -------- d-----w- c:\program files (x86)\MSECache
2012-10-22 04:09 . 2012-10-22 04:09 -------- d-----w- c:\program files (x86)\Canon
2012-10-22 04:08 . 2012-10-22 04:08 -------- d-----w- c:\program files (x86)\Common Files\Canon
2012-10-22 04:03 . 2012-10-31 16:38 -------- d-----w- c:\program files (x86)\Microsoft SkyDrive
2012-10-22 04:03 . 2012-10-22 04:03 -------- d-----w- c:\programdata\Microsoft SkyDrive
2012-10-22 02:22 . 2012-10-31 17:29 -------- d-----w- c:\users\Jill Appel
2012-10-21 22:20 . 2012-10-21 22:20 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-10-21 22:14 . 2012-10-21 22:14 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services
2012-10-21 22:14 . 2012-10-23 10:04 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-10-21 22:14 . 2012-10-21 22:14 -------- d-----w- c:\windows\PCHEALTH
2012-10-21 22:14 . 2012-10-21 22:14 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-10-21 22:12 . 2012-10-21 22:12 -------- d-----w- c:\program files\Microsoft Office
2012-10-21 22:11 . 2012-10-21 22:11 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-10-21 22:10 . 2012-10-23 03:40 -------- d-----w- c:\programdata\Microsoft Help
2012-10-21 22:10 . 2012-10-21 22:10 -------- d-----r- C:\MSOCache
2012-10-21 21:49 . 2012-10-21 21:49 -------- d-----w- c:\program files\Symantec
2012-10-21 21:49 . 2012-10-21 21:49 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-10-21 21:49 . 2012-10-21 21:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-10-21 21:48 . 2012-10-22 10:47 -------- d-----w- c:\windows\system32\drivers\NISx64
2012-10-21 21:48 . 2012-10-21 21:48 -------- d-----w- c:\program files (x86)\Norton Internet Security
2012-10-21 21:47 . 2012-10-31 16:38 -------- d-----w- c:\programdata\Norton
2012-10-21 21:45 . 2012-10-22 10:45 -------- d-----w- c:\program files (x86)\NortonInstaller
2012-10-21 21:35 . 2012-10-21 21:35 -------- d-----w- c:\windows\SysWow64\Macromed
2012-10-21 21:22 . 2012-05-02 05:32 208896 ----a-w- c:\windows\system32\profsvc.dll
2012-10-21 21:05 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2012-10-21 21:05 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2012-10-21 21:00 . 2012-09-28 07:18 65309168 ----a-w- c:\windows\system32\MRT.exe
2012-10-21 20:53 . 2009-09-10 06:28 311808 ----a-w- c:\windows\system32\msv1_0.dll
2012-10-21 20:53 . 2009-09-10 05:52 257024 ----a-w- c:\windows\SysWow64\msv1_0.dll
2012-10-21 20:45 . 2009-10-10 03:17 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2012-10-21 20:42 . 2009-11-25 19:47 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
2012-10-21 20:42 . 2009-11-25 19:47 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
2012-10-21 20:42 . 2009-11-25 19:47 48960 ----a-w- c:\windows\system32\netfxperf.dll
2012-10-21 20:42 . 2009-11-25 19:47 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
2012-10-21 20:42 . 2009-11-25 19:47 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
2012-10-21 20:42 . 2009-11-25 19:47 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
2012-10-21 20:42 . 2009-11-25 19:47 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-10-21 20:42 . 2009-11-25 19:47 444752 ----a-w- c:\windows\system32\mscoree.dll
2012-10-21 20:42 . 2009-11-25 19:47 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2012-10-21 20:42 . 2009-11-25 19:47 1942856 ----a-w- c:\windows\system32\dfshim.dll
2012-10-21 20:33 . 2012-03-01 06:54 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-10-21 20:33 . 2012-03-01 06:40 80896 ----a-w- c:\windows\system32\imagehlp.dll
2012-10-21 20:33 . 2012-03-01 05:45 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-10-21 20:33 . 2012-03-01 06:35 5120 ----a-w- c:\windows\system32\wmi.dll
2012-10-21 20:33 . 2012-03-01 05:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-10-21 20:32 . 2010-03-04 04:32 243712 ----a-w- c:\windows\system32\drivers\ks.sys
2012-10-21 20:30 . 2010-08-04 07:07 552960 ----a-w- c:\windows\system32\msdri.dll
2012-10-21 20:29 . 2012-08-02 17:55 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-10-21 20:23 . 2012-10-21 20:23 -------- d-----w- c:\programdata\ATI
2012-10-21 15:45 . 2012-10-21 15:45 -------- d-----w- c:\program files (x86)\ATI Technologies
2012-10-21 15:45 . 2012-10-25 20:49 -------- d-sh--w- c:\windows\Installer
2012-10-21 15:45 . 2012-10-21 15:46 -------- d-----w- c:\program files\ATI Technologies
2012-10-21 15:45 . 2012-10-21 15:45 -------- d-----w- c:\program files\ATI
2012-10-21 15:10 . 2010-08-26 04:39 109056 ----a-w- c:\windows\SysWow64\t2embed.dll
2012-10-21 15:09 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
2012-10-21 15:08 . 2011-02-19 06:36 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-10-21 15:07 . 2012-04-28 03:50 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-10-21 15:07 . 2010-10-12 05:05 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
2012-10-21 15:07 . 2010-10-12 05:00 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2012-10-21 15:07 . 2010-10-12 04:25 516096 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
2012-10-21 15:07 . 2011-12-28 03:59 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2012-10-21 15:07 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-10-21 15:07 . 2012-08-11 00:53 714752 ----a-w- c:\windows\system32\kerberos.dll
2012-10-21 15:07 . 2012-08-10 23:54 541184 ----a-w- c:\windows\SysWow64\kerberos.dll
2012-10-21 15:07 . 2010-08-31 04:32 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
2012-10-21 15:07 . 2010-08-31 04:32 954288 ----a-w- c:\windows\SysWow64\mfc40u.dll
2012-10-21 15:07 . 2009-08-29 07:50 46592 ----a-w- c:\windows\system32\msasn1.dll
2012-10-21 15:07 . 2009-08-29 06:57 34816 ----a-w- c:\windows\SysWow64\msasn1.dll
2012-10-21 15:05 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2012-10-21 15:00 . 2012-10-17 09:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{50E72EB9-27A7-4662-A045-C45457455A0A}\mpengine.dll
2012-10-21 15:00 . 2012-05-31 19:25 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-10-21 15:00 . 2010-08-27 06:14 236032 ----a-w- c:\windows\system32\srvsvc.dll
2012-10-21 15:00 . 2010-08-27 05:46 9728 ----a-w- c:\windows\SysWow64\sscore.dll
2012-10-21 15:00 . 2012-06-02 05:25 1462784 ----a-w- c:\windows\system32\crypt32.dll
2012-10-21 15:00 . 2012-06-02 05:25 182272 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-21 15:00 . 2012-06-02 05:25 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-21 15:00 . 2012-06-02 04:45 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-10-21 15:00 . 2012-06-02 04:45 1157632 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-10-21 15:00 . 2012-06-02 04:45 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-10-21 15:00 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll
2012-10-21 15:00 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-10-21 14:58 . 2012-10-21 14:58 -------- d-----w- c:\windows\SysWow64\Wat
2012-10-21 14:58 . 2012-10-21 14:58 -------- d-----w- c:\windows\system32\Wat
2012-10-21 04:15 . 2012-10-21 03:52 -------- d-----w- c:\windows\Panther
2012-10-21 04:14 . 2012-10-21 04:14 -------- d-----w- C:\Boot
2012-10-21 03:56 . 2012-02-15 06:27 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-10-21 03:56 . 2010-01-09 07:19 139264 ----a-w- c:\windows\system32\cabview.dll
2012-10-21 03:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\SysWow64\cabview.dll
2012-10-21 03:34 . 2012-10-21 03:34 0 ----a-w- c:\windows\ativpsrm.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-21 15:44 . 2009-05-05 19:30 16440 ----a-w- c:\windows\system32\drivers\AtiPcie.sys
2012-08-21 20:01 . 2012-08-21 20:01 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 20:01 . 2012-08-21 20:01 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-18 11:19 . 2012-10-21 20:30 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-26 98304]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-21 1255736]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309000.009\SYMDS64.SYS [2011-07-26 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309000.009\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20121005.002\BHDrvx64.sys [2012-10-05 1385632]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309000.009\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20121102.001\IDSvia64.sys [2012-10-19 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309000.009\Ironx64.SYS [2012-04-18 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309000.009\SYMNETS.SYS [2012-04-18 405624]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe [2012-06-16 138272]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-10-22 138912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 04356378
*NewlyCreated* - 08827532
*NewlyCreated* - 77690075
*Deregistered* - 04356378
*Deregistered* - 08827532
*Deregistered* - 77690075
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-25 20:37]
.
2012-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-25 20:37]
.
2012-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-25 20:37]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-30892894.sys
SafeBoot-77690075.sys
ShellIconOverlayIdentifiers-{F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
ShellIconOverlayIdentifiers-{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
ShellIconOverlayIdentifiers-{BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:3e,17,81,9e,d5,b0,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-03 12:38:56
ComboFix-quarantined-files.txt 2012-11-03 19:38
ComboFix2.txt 2012-11-03 01:37
ComboFix3.txt 2012-11-02 03:02
.
Pre-Run: 84,894,474,240 bytes free
Post-Run: 84,624,404,480 bytes free
.
- - End Of File - - AB5D8DDE63729C68E5393AC4ED028FA0
-
OK, I reran it a second time and it did not detect anything malicious and did not appear to generate any new logs.
-
Right at the end I got a Norton warning. The disabling of my Norton IS must have timed out. I am going to re-disable it and run it again, but here is the first set of logs anyway in case it was successful.
TDSSKiller.2.8.15.0_03.11.2012_09.41.50_log.txt
-
Here is the first step, still working on the next.
ListParts by Farbar Version: 30-10-2012
Ran by Jill Appel (administrator) on 03-11-2012 at 09:37:32
Windows 7 (X64)
Running From: C:\Users\Jill Appel\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 30%
Total physical RAM: 5887.11 MB
Available physical RAM: 4066.95 MB
Total Pagefile: 11772.37 MB
Available Pagefile: 9842.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:232.88 GB) (Free:78.69 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Backup Drive) (Fixed) (Total:298.09 GB) (Free:77.1 GB) NTFS
3 Drive e: (New Volume) (Fixed) (Total:931.51 GB) (Free:209.47 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 8 MB
Disk 1 Online 298 GB 0 B
Disk 2 Online 931 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 232 GB 31 KB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 232 GB Healthy System (partition with boot components)
======================================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB
======================================================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Backup Driv NTFS Partition 298 GB Healthy
======================================================================================================
Partitions of Disk 2:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 1024 KB
======================================================================================================
Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E New Volume NTFS Partition 931 GB Healthy
======================================================================================================
==========================================================
TDL4: custom:26000022
****** End Of Log ******
-
Report below.
RogueKiller V8.2.2 [11/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Jill Appel [Admin rights]
Mode : Scan -- Date : 11/03/2012 08:22:21
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 8 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD2500KS-00MJB0 ATA Device +++++
--- User ---
[MBR] e03033be7262a85c0995db46000c40de
[BSP] 3cde355c19231ec0ce123e48a15ac90a : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] daabf44f9e5c593f462a9e9f69e7c07a
[BSP] 3cde355c19231ec0ce123e48a15ac90a : Windows 7 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
+++++ PhysicalDrive1: WDC WD3200AAKS-00B3A0 ATA Device +++++
--- User ---
[MBR] 59003f5262d1acbda3b8193be15030f3
[BSP] 0e3be7ad91b65ffdc9a4ae56c1811206 : Standard MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305245 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive2: WDC WD10EARS-00Y5B1 ATA Device +++++
--- User ---
[MBR] b15c5c5114b7b13005eaa9cd7f1fcf7e
[BSP] 6e6e81725fea04fbed8fbe0a7b129bcd : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_11032012_02d0822.txt >>
-
After repeated bluescreens I recently rebuilt my computer. Even after the rebuild I was having trouble. I used Malwarebytes and it says I have two trojans that it can't fix. I ran the attached DDS and attached logs. At this point I wouldn't care if I had to rebuild the machine again, but since it still came back I figure it wouldn't help.
svchost.exe trojan, can't get it removed
in Resolved Malware Removal Logs
Thanks for everything.