Posts posted by April_Singer
-
Hi Jeff. All done - just uninstalled ComboFix and I'll change my passwords. Thanks for all of the great tips. We run a firewall and anti-virus here on our network. I think what happened was that I installed a new version of Adobe FrameMaker and then I was trying to track down updated versions of some third-party plug-ins that I rely on and in the process, I downloaded something I didn't intend to. I wasn't paying attention because I was trying to do several things at once and when my anti-virus app asked if I wanted to run the installer I affirmed it without really looking at what it was alerting me to. It was right after that when claro-search showed up in my browser, so I'm pretty sure that is what happened. I know better and this is the first time I've gotten "bit" like that. I'm usually extremely careful. Lesson learned though. What a pain! But it was great comfort to have someone who understands this stuff working with me. Thanks again for your guidance and attentiveness. Hopefully all is good now. Take care, and Happy Thanksgiving to you. April
-
OK...that took a long time - two hours. It scanned my internal drive (C:) as well as an external drive, which is good. No infected files, no threats. So it sounds like I'm in the clear, yes?

-
Here is the latest Malwarebytes log (still working through the remaining steps):
Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.19.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
asinger :: APRIL-WIN7 [administrator]
Protection: Enabled
11/19/2012 11:28:53 AM
mbam-log-2012-11-19 (11-28-53).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253408
Time elapsed: 2 minute(s), 5 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Whew! What a relief! When I launch IE now, I'm no longer being redirected to claro-search so it looks like that took care of it. I normally use Chrome but I had uninstalled it, so I will install it again now. I was not aware of any other effects of this malware, only that it hijacked my browser. If there is anything in particular I should check, please advise. Following are the contents of the AdwCleaner log. Can you tell what it was that I downloaded that introduced this to my system? Thanks so much Jeff!
--------------------------------------------------------------------------------------------------------------------------------
# AdwCleaner v2.008 - Logfile created 11/19/2012 at 10:25:29
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : asinger - APRIL-WIN7
# Boot Mode : Normal
# Running from : C:\Users\asinger\Desktop\adwcleaner.exe
# Option [Delete]
***** [services] *****
Stopped & Deleted : Browser Manager
***** [Files / Folders] *****
Deleted on reboot : C:\ProgramData\Browser Manager
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\asinger\AppData\Roaming\Babylon
Folder Deleted : C:\Users\asinger\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Manager
***** [Registry] *****
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\progra~3\browse~1\23796~1.11\{16cdf~1\browsemngr.dll
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.claro-search.com/?affID=116695&tt=4612_8&babsrc=HP_ss&mntrId=3a7bf0df000000000000180373e7248d --> hxxp://www.google.com
Deleted : [HKCU\Software\Microsoft\Internet Explorer\Main - bProtector Start Page]
*************************
AdwCleaner[R1].txt - [2160 octets] - [19/11/2012 09:34:45]
AdwCleaner[R2].txt - [2220 octets] - [19/11/2012 09:37:59]
AdwCleaner[s1].txt - [2207 octets] - [19/11/2012 10:25:29]
########## EOF - C:\AdwCleaner[s1].txt - [2267 octets] ##########
-
Contents of the ComboFix log:
----------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 12-11-16.02 - asinger 11/19/2012 9:42.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8149.4488 [GMT -7:00]
Running from: c:\users\asinger\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\asinger\AppData\Local\assembly\tmp
c:\users\fworstell\AppData\Local\assembly\tmp
c:\users\jwainwright\AppData\Local\assembly\tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-10-19 to 2012-11-19 )))))))))))))))))))))))))))))))
.
.
2012-11-19 16:47 . 2012-11-19 16:47 -------- d-----w- c:\users\jwainwright\AppData\Local\temp
2012-11-19 16:31 . 2012-11-19 16:37 -------- d-----w- c:\program files (x86)\Google
2012-11-16 00:23 . 2012-11-16 00:23 -------- d-----w- c:\programdata\AMD
2012-11-16 00:23 . 2012-11-16 00:23 -------- d-----w- c:\program files (x86)\AMD AVT
2012-11-16 00:23 . 2012-11-16 00:23 -------- d-----w- c:\program files (x86)\AMD APP
2012-11-16 00:23 . 2012-11-16 00:23 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-11-16 00:23 . 2012-11-16 00:23 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-11-16 00:21 . 2012-11-16 00:23 -------- d-----w- c:\program files\ATI Technologies
2012-11-16 00:21 . 2012-11-16 00:21 -------- d-----w- c:\program files\ATI
2012-11-16 00:20 . 2012-11-16 00:20 -------- d-----w- C:\AMD
2012-11-15 22:53 . 2012-11-15 22:53 -------- d-----w- c:\users\jwainwright\AppData\Local\CrashDumps
2012-11-15 20:32 . 2012-11-15 20:32 -------- d-----w- c:\users\jwainwright\AppData\Roaming\Realtime Soft
2012-11-15 20:00 . 2012-08-31 18:19 1659760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-11-15 20:00 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-11-15 20:00 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-11-15 20:00 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2012-11-15 20:00 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2012-11-15 19:59 . 2012-10-18 18:25 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-15 19:57 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-11-15 19:57 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-11-15 19:57 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-15 19:57 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-11-15 19:57 . 2012-08-30 18:03 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-11-15 19:57 . 2012-08-30 17:12 3968880 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-11-15 19:57 . 2012-08-30 17:12 3914096 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-11-15 19:55 . 2012-08-20 18:48 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2012-11-15 19:54 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll
2012-11-15 19:54 . 2012-10-03 17:44 18944 ----a-w- c:\windows\system32\netevent.dll
2012-11-15 19:54 . 2012-10-03 17:44 216576 ----a-w- c:\windows\system32\ncsi.dll
2012-11-15 19:54 . 2012-10-03 16:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll
2012-11-15 19:54 . 2012-10-03 16:42 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
2012-11-15 19:54 . 2012-10-03 16:07 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-11-15 19:54 . 2012-01-13 07:12 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll
2012-11-15 19:54 . 2012-10-03 17:56 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-11-15 19:54 . 2012-10-03 17:44 303104 ----a-w- c:\windows\system32\nlasvc.dll
2012-11-15 19:54 . 2012-10-03 17:44 246272 ----a-w- c:\windows\system32\netcorehc.dll
2012-11-15 19:54 . 2012-10-03 17:42 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-11-15 19:54 . 2012-10-03 16:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
2012-11-15 19:50 . 2012-09-14 19:19 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-15 19:50 . 2012-09-14 18:28 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-15 19:49 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-15 19:49 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-15 19:49 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-15 19:49 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-15 19:49 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-15 19:49 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-15 19:49 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-15 19:49 . 2012-08-11 00:56 715776 ----a-w- c:\windows\system32\kerberos.dll
2012-11-15 19:49 . 2012-08-10 23:56 542208 ----a-w- c:\windows\SysWow64\kerberos.dll
2012-11-15 19:49 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-11-15 19:49 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll
2012-11-15 19:47 . 2012-06-02 05:41 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-11-15 19:47 . 2012-06-02 05:41 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-11-15 19:47 . 2012-06-02 05:41 1464320 ----a-w- c:\windows\system32\crypt32.dll
2012-11-15 19:47 . 2012-06-02 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-11-15 19:47 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-11-15 19:47 . 2012-06-02 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-11-14 17:45 . 2012-11-14 17:45 -------- d-----w- c:\users\asinger\AppData\Roaming\Realtime Soft
2012-11-14 17:42 . 2012-11-14 17:42 -------- d-----w- c:\windows\SysWow64\searchplugins
2012-11-14 17:42 . 2012-11-14 17:42 -------- d-----w- c:\windows\SysWow64\Extensions
2012-11-14 17:42 . 2012-11-14 17:42 -------- d-----w- c:\programdata\Browser Manager
2012-11-14 17:42 . 2012-11-14 17:42 -------- d-----w- c:\users\asinger\AppData\Roaming\Babylon
2012-11-14 17:42 . 2012-11-14 17:42 -------- d-----w- c:\programdata\Babylon
2012-11-14 17:09 . 2012-11-18 00:11 -------- d-----w- c:\users\asinger\AppData\Roaming\Skype
2012-11-14 17:09 . 2012-11-14 17:09 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-11-14 17:09 . 2012-11-14 17:09 -------- d-----r- c:\program files (x86)\Skype
2012-11-14 17:09 . 2012-11-14 17:09 -------- d-----w- c:\programdata\Skype
2012-11-14 15:31 . 2012-09-25 06:16 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-13 23:56 . 2012-11-13 23:56 -------- d-----w- c:\program files\Symantec
2012-11-13 23:56 . 2012-11-13 23:56 156008 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-11-13 23:56 . 2012-11-13 23:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-11-13 23:56 . 2012-11-13 23:56 -------- d-----w- c:\program files (x86)\Symantec AntiVirus
2012-11-13 23:44 . 2012-11-13 23:44 -------- d-----w- c:\users\jwainwright\AppData\Roaming\Apple Computer
2012-11-13 23:44 . 2012-11-13 23:47 -------- d-----w- c:\users\jwainwright\AppData\Local\Adobe
2012-11-13 22:56 . 2012-11-13 22:56 -------- d-----w- c:\users\asinger\AppData\Roaming\Malwarebytes
2012-11-13 22:56 . 2012-11-13 22:56 -------- d-----w- c:\programdata\Malwarebytes
2012-11-13 22:56 . 2012-11-16 14:35 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-13 22:56 . 2012-09-30 02:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-13 22:54 . 2012-11-16 00:19 -------- d-----w- C:\Temp
2012-11-13 22:49 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C0A7F1C-9CE9-4388-96A6-522912C5D675}\mpengine.dll
2012-11-12 19:35 . 2012-11-14 21:53 -------- d-----w- C:\Workspace
2012-11-12 17:14 . 2012-11-12 17:17 -------- d-----w- c:\users\asinger\AppData\Local\Microsoft Games
2012-11-12 16:47 . 2012-11-12 16:47 -------- d-----w- c:\users\asinger\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
2012-11-12 14:37 . 2012-11-12 14:37 -------- d-----w- c:\users\asinger\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-11-12 14:35 . 2012-11-12 14:35 -------- d-----w- c:\program files (x86)\Adobe Download Assistant
2012-11-09 16:55 . 2012-11-09 16:55 -------- d-----w- c:\users\asinger\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 04:04 . 2012-03-29 17:05 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-10-03 13:33 . 2012-07-11 15:08 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-03 13:33 . 2012-03-27 00:20 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-09-28 22:37 . 2012-09-28 22:37 221696 ----a-w- c:\windows\system32\clinfo.exe
2012-09-28 22:36 . 2012-09-28 22:36 75776 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-09-28 22:36 . 2012-09-28 22:36 65536 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-09-28 22:36 . 2012-09-28 22:36 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-09-28 22:36 . 2012-09-28 22:36 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-09-28 22:36 . 2012-09-28 22:36 32635904 ----a-w- c:\windows\system32\amdocl64.dll
2012-09-28 22:32 . 2012-09-28 22:32 27341824 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-09-28 22:28 . 2012-09-28 22:28 54784 ----a-w- c:\windows\system32\OpenCL.dll
2012-09-28 22:28 . 2012-09-28 22:28 50176 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-09-28 02:23 . 2012-03-27 01:41 5557928 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-09-28 02:21 . 2012-09-28 02:21 10697216 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-09-28 02:05 . 2012-09-28 02:05 70144 ----a-w- c:\windows\system32\coinst_9.002.dll
2012-09-28 02:03 . 2012-09-28 02:03 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2012-09-28 02:02 . 2012-09-28 02:02 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-09-28 02:02 . 2012-09-28 02:02 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-09-28 02:02 . 2012-09-28 02:02 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-09-28 02:02 . 2012-09-28 02:02 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-09-28 02:02 . 2012-09-28 02:02 16082432 ----a-w- c:\windows\system32\aticaldd64.dll
2012-09-28 01:59 . 2012-09-28 01:59 23825920 ----a-w- c:\windows\system32\atio6axx.dll
2012-09-28 01:57 . 2012-09-28 01:57 13703168 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-09-28 01:43 . 2012-03-27 01:41 935424 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-09-28 01:41 . 2012-03-27 01:41 1120768 ----a-w- c:\windows\system32\aticfx64.dll
2012-09-28 01:41 . 2012-09-28 01:41 19624960 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-09-28 01:39 . 2012-09-28 01:39 6536192 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-09-28 01:39 . 2012-09-28 01:39 442368 ----a-w- c:\windows\system32\atidemgy.dll
2012-09-28 01:39 . 2012-09-28 01:39 538112 ----a-w- c:\windows\system32\atieclxx.exe
2012-09-28 01:38 . 2012-09-28 01:38 239616 ----a-w- c:\windows\system32\atiesrxx.exe
2012-09-28 01:36 . 2012-09-28 01:36 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-09-28 01:36 . 2012-09-28 01:36 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-09-28 01:36 . 2012-09-28 01:36 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-09-28 01:36 . 2012-09-28 01:36 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-09-28 01:31 . 2012-03-27 01:41 3127296 ----a-w- c:\windows\system32\atiumd6a.dll
2012-09-28 01:25 . 2012-03-27 01:41 6704640 ----a-w- c:\windows\system32\atiumd64.dll
2012-09-28 01:22 . 2012-03-27 01:41 7167488 ----a-w- c:\windows\system32\atidxx64.dll
2012-09-28 01:22 . 2012-03-27 01:41 2691584 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-09-28 01:13 . 2012-03-27 01:41 595456 ----a-w- c:\windows\system32\atiadlxx.dll
2012-09-28 01:13 . 2012-09-28 01:13 405504 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-09-28 01:13 . 2012-09-28 01:13 17920 ----a-w- c:\windows\system32\atig6pxx.dll
2012-09-28 01:13 . 2012-09-28 01:13 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-09-28 01:13 . 2012-09-28 01:13 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-09-28 01:13 . 2012-09-28 01:13 41984 ----a-w- c:\windows\system32\atig6txx.dll
2012-09-28 01:13 . 2012-09-28 01:13 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-09-28 01:12 . 2012-09-28 01:12 56320 ----a-w- c:\windows\system32\atimpc64.dll
2012-09-28 01:12 . 2012-09-28 01:12 56320 ----a-w- c:\windows\system32\amdpcom64.dll
2012-09-28 01:12 . 2012-09-28 01:12 460288 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-09-28 01:12 . 2012-09-28 01:12 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-09-28 01:12 . 2012-09-28 01:12 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-09-28 01:11 . 2012-03-27 01:41 129536 ----a-w- c:\windows\system32\atiuxp64.dll
2012-09-28 01:11 . 2012-09-28 01:11 109568 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-09-28 01:11 . 2012-03-27 01:41 103424 ----a-w- c:\windows\system32\atiu9p64.dll
2012-09-28 01:10 . 2012-03-27 01:41 82944 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-09-28 01:09 . 2012-09-28 01:09 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-09-24 03:43 . 2012-09-24 03:43 55432 ----a-w- c:\windows\system32\AdobePDF.dll
2012-09-24 03:43 . 2012-09-24 03:43 26768 ----a-w- c:\windows\system32\AdobePDFUI.dll
2012-08-22 18:12 . 2012-10-02 21:03 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 18:12 . 2012-10-02 21:02 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 18:12 . 2012-10-02 21:02 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 21:01 . 2012-10-02 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-11-09 17877168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-08-09 112408]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-18 336384]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-17 50472]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2012-09-24 3477640]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"vptray"="c:\progra~2\SYMANT~1\VPTray.exe" [2006-12-14 134808]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snagit 10.lnk - c:\program files (x86)\TechSmith\Snagit 10\Snagit32.exe [2010-4-13 7046984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll c:\progra~3\browse~1\23796~1.11\{16cdf~1\browsemngr.dll
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-29 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-09-28 239616]
S2 Browser Manager;Browser Manager;c:\programdata\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe [2012-10-11 2312216]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-06-29 171688]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-08-09 2656536]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2011-07-01 1600000]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-10-18 138912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3444609460-1490733976-1733244792-1000Core.job
- c:\users\fworstell\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-29 20:27]
.
2012-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3444609460-1490733976-1733244792-1000UA.job
- c:\users\fworstell\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-29 20:27]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2011-05-27 22:46 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2011-05-27 22:46 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl64.exe" [2010-10-04 2907240]
"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2011-05-27 257392]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.claro-search.com/?affID=116695&tt=4612_8&babsrc=HP_ss&mntrId=3a7bf0df000000000000180373e7248d
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.210.11.44 10.210.11.41
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Symantec AntiVirus\DefWatch.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\Symantec AntiVirus\Rtvscan.exe
c:\program files (x86)\Symantec AntiVirus\VPTray.exe
c:\program files (x86)\TechSmith\Snagit 10\TSCHelp.exe
c:\program files (x86)\TechSmith\Snagit 10\SnagPriv.exe
c:\program files (x86)\TechSmith\Snagit 10\snagiteditor.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-11-19 09:53:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-19 16:53
.
Pre-Run: 413,010,370,560 bytes free
Post-Run: 413,193,805,824 bytes free
.
- - End Of File - - 2A0CDB0B5A47C094092841DE4253AB7D
-
AdwCleaner log contents:
# AdwCleaner v2.008 - Logfile created 11/19/2012 at 09:37:59
# Updated 17/11/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : asinger - APRIL-WIN7
# Boot Mode : Normal
# Running from : C:\Users\asinger\Downloads\adwcleaner.exe
# Option [search]
***** [services] *****
Found : Browser Manager
***** [Files / Folders] *****
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\Browser Manager
Folder Found : C:\Users\asinger\AppData\Roaming\Babylon
Folder Found : C:\Users\asinger\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Manager
***** [Registry] *****
Data Found : HKLM\..\Windows [AppInit_DLLs] = c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\DataMngr_Toolbar
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.claro-search.com/?affID=116695&tt=4612_8&babsrc=HP_ss&mntrId=3a7bf0df000000000000180373e7248d
[HKCU\Software\Microsoft\Internet Explorer\Main - bProtector Start Page] = hxxp://www.claro-search.com/?affID=116695&tt=4612_8&babsrc=HP_ss&mntrId=3a7bf0df000000000000180373e7248d
*************************
AdwCleaner[R1].txt - [2160 octets] - [19/11/2012 09:34:45]
AdwCleaner[R2].txt - [2091 octets] - [19/11/2012 09:37:59]
########## EOF - C:\AdwCleaner[R2].txt - [2151 octets] ##########
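Added example, not part of the thread and not AdwCleaner's own code: a small Python triage helper for the `[search]` report shape posted above. AdwCleaner lists findings in the order it scans (services, folders, registry, browsers), which is not the order to remove them in; the AppInit_DLLs value is the loader that gets the Browser Manager DLL mapped into every process that loads user32.dll, so it and the service come before the start-page symptom. The sample log lines are copied from the report above; the priority tiers and the `why` strings are this example's own, and the script only reads text, it changes nothing on the machine.

```python
"""Triage helper for an AdwCleaner [search] report (added example, not code
from the thread or from AdwCleaner). It ranks each finding by how it persists,
so the loader that re-creates the rest is handled before the visible symptom."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlparse

# Constructed sample: lines copied from the AdwCleaner report posted above.
SAMPLE_LOG = r"""***** [services] *****
Found : Browser Manager
***** [Files / Folders] *****
Folder Found : C:\ProgramData\Browser Manager
Folder Found : C:\Users\asinger\AppData\Roaming\Babylon
***** [Registry] *****
Data Found : HKLM\..\Windows [AppInit_DLLs] = c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph
Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]
***** [internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.claro-search.com/?affID=116695&tt=4612_8&babsrc=HP_ss&mntrId=3a7bf0df000000000000180373e7248d
"""

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
FOUND_RE = re.compile(r"^(?:(\w+) )?Found : (.+)$")      # "Key Found : ..." or bare "Found : ..."
SETTING_RE = re.compile(r"^\[(.+?) - (.+?)\] = (.+)$")   # "[HKCU\... - Start Page] = url"


@dataclass
class Finding:
    section: str
    kind: str       # Service, Folder, Key, Value, Data, Setting
    detail: str
    priority: int   # 0 = handle first
    why: str


def classify(section: str, kind: str, detail: str) -> tuple:
    """Priority tiers are this example's own heuristic, not AdwCleaner's."""
    d = detail.lower()
    if "[appinit_dlls]" in d:
        # The listed DLL is mapped into every process that loads user32.dll, so it
        # can re-create the service, keys and start page after a partial clean-up.
        return 0, "AppInit_DLLs loader: handle first, or the rest comes back"
    if section == "services":
        return 1, "service: restarts the hijacker at boot, independent of any browser"
    if "\\extensions" in d:
        return 2, "browser extension registration: re-applies the hijack inside the browser"
    if kind == "Setting":
        return 3, "browser setting: the symptom; resetting it alone does not help"
    return 4, "residue: leftover keys and folders, safe to remove after the above"


def parse_findings(text: str) -> list:
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = FOUND_RE.match(line)
        if m:
            kind = m.group(1) or ("Service" if section == "services" else "Item")
            detail = m.group(2)
        else:
            m = SETTING_RE.match(line)
            if not m:
                continue            # banners, "# ..." headers, browser version lines
            kind, detail = "Setting", f"{m.group(2)} = {m.group(3)}"
        prio, why = classify(section, kind, detail)
        findings.append(Finding(section, kind, detail, prio, why))
    return findings


def triage(text: str) -> list:
    """Findings in clean-up order (stable sort keeps log order within a tier)."""
    return sorted(parse_findings(text), key=lambda f: f.priority)


def hijacked_start_pages(findings: list) -> list:
    """(setting name, host, query parameters) for each browser setting that is a URL.
    affID / mntrId identify the affiliate build that was installed."""
    pages = []
    for f in findings:
        if f.kind != "Setting" or " = " not in f.detail:
            continue
        name, value = f.detail.split(" = ", 1)
        u = urlparse(value)           # the defanged hxxp:// scheme parses as-is
        if not u.netloc:
            continue
        pages.append((name, u.netloc, dict(parse_qsl(u.query))))
    return pages


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.priority}] {f.kind:8} {f.detail}\n    {f.why}")
    for name, host, params in hijacked_start_pages(parse_findings(SAMPLE_LOG)):
        print(f"{name}: {host} affID={params.get('affID')} mntrId={params.get('mntrId')}")
```

Running it on the sample puts the `[AppInit_DLLs]` entry first, the `Browser Manager` service second, the two browser extension registrations next, and the claro-search start page after them. The AppInit_DLLs value uses 8.3 short names (`c:\progra~3\browse~1\...`); the DDS log later in this thread shows the same directory under its long name, `C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-...}\`, which is how you match the loader DLL to the running `browsemngr.exe`.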
-
Jeff - Following is the content of the aswMBR.txt file produced by the above steps:
------------------------------------------------------------------------------------------------------------
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-19 07:50:39
-----------------------------
07:50:39.362 OS Version: Windows x64 6.1.7601 Service Pack 1
07:50:39.362 Number of processors: 4 586 0x2A07
07:50:39.362 ComputerName: APRIL-WIN7 UserName: asinger
07:50:40.797 Initialize success
07:57:49.559 The log file has been saved successfully to "C:\Users\asinger\Desktop\aswMBR.txt"
07:59:29.691 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:59:29.691 Disk 0 Vendor: Hitachi_ JF3O Size: 476940MB BusType: 8
07:59:29.707 Disk 0 MBR read successfully
07:59:29.707 Disk 0 MBR scan
07:59:29.707 Disk 0 Windows VISTA default MBR code
07:59:29.707 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
07:59:29.723 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 13468 MB offset 81920
07:59:29.723 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463428 MB offset 27664384
07:59:29.754 Disk 0 scanning C:\Windows\system32\drivers
07:59:37.663 Service scanning
07:59:52.296 Modules scanning
07:59:52.296 Disk 0 trace - called modules:
07:59:52.343 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
07:59:52.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009306060]
07:59:52.343 3 CLASSPNP.SYS[fffff88001bc543f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80075a3050]
07:59:52.358 Scan finished successfully
08:00:10.860 Disk 0 MBR has been saved successfully to "C:\Users\asinger\Desktop\MBR.dat"
08:00:10.860 The log file has been saved successfully to "C:\Users\asinger\Desktop\aswMBR.txt"
08:01:49.861 Disk 0 MBR has been saved successfully to "C:\Users\asinger\Desktop\MBR.dat"
08:01:49.861 The log file has been saved successfully to "C:\Users\asinger\Desktop\aswMBR.txt"
-
Jeff - I'm back in the office and will act on your reply asap today. Will report back. Thank you for your assistance. April
-
After downloading a couple of FrameMaker plug-ins and some desktop icons, I noticed that my browser had been hijacked by claro-search. Didn't realize it was malware at first. Disabled the search in Chrome (my usual browser), then uninstalled it from the Programs Control Panel in Windows 7. No extensions were found in Chrome. Still had the problem.
Downloaded the free version of Malwarebytes and ran both a Quick Scan and a Full Scan. Neither detected any problems/files. Perhaps because I had uninstalled claro, though obviously it still resides at some level.
Uninstalled Chrome, tried IE. Same problem with IE (of course, this I know now).
Ran dds.com as instructed. Have pasted the contents of dds.txt below and attached attach.txt.
This is my computer at work. I can check the forum for responses from home later if I don't get a response before I leave, but I won't be able to do anything on the work computer until I resume work Monday morning. I will watch for responses in case someone does pick this up before I leave work for the day. I am in the GMT -7 timezone (presently 11:36 a.m. as I post this).
Thank you for any help that is offered.
------------------------------------------------------------------------------------------------------------------------------------------
DDS (Ver_2012-11-07.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.9.2
Run by asinger at 11:13:07 on 2012-11-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8149.5297 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe
C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe
C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe
C:\Program Files (x86)\TechSmith\Snagit 10\TSCHelp.exe
C:\Program Files (x86)\TechSmith\Snagit 10\SnagPriv.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\TechSmith\Snagit 10\snagiteditor.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.claro-search.com/?affID=116695&tt=4612_8&babsrc=HP_ss&mntrId=3a7bf0df000000000000180373e7248d
mWinlogon: Userinit = userinit.exe
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: WinZip Courier BHO: {A8FB70FA-0FDF-4601-9DC4-BFA1B357204F} - C:\Program Files (x86)\WinZip Courier\wzwmcie.dll
BHO: Adobe Acrobat Create PDF Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Adobe Acrobat Create PDF from Selection: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [iMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAGIT~1.LNK - C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: DisableCAD = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 10.210.11.44 10.210.11.41
TCP: Interfaces\{B4064349-3C78-4D77-9BC7-05794C2D7B92} : DHCPNameServer = 10.210.11.44 10.210.11.41
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Authentication Packages = msv1_0 wvauth
x64-BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
x64-Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
x64-Run: [DBRMTray] C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-RunOnce: [DBRMTray] C:\Dell\DBRM\Reminder\TrayApp.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: spba - C:\Program Files\Common Files\SPBA\homefus2.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-3-26 55856]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-9-27 239616]
R2 Browser Manager;Browser Manager;C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.exe [2012-11-14 2312216]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-3-26 13336]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2012-3-26 171688]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-23 212944]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-13 399432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-13 676936]
R2 Symantec AntiVirus;Symantec AntiVirus;C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe [2006-12-13 1962136]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-3-26 2656536]
R2 Wave Authentication Manager Service;Wave Authentication Manager Service;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2011-7-1 1600000]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-11-13 138912]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-13 25928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-11-9 160944]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-15 19456]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-15 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-11-15 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-3-29 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
ShellExec: FrameMaker11.exe: Edit="C:\Program Files (x86)\Adobe\AdobeFrameMaker11\FrameMaker.exe" -ie "%1"
.
=============== Created Last 30 ================
.
2012-11-16 00:23:54 -------- d-----w- C:\ProgramData\AMD
2012-11-16 00:23:53 -------- d-----w- C:\Program Files (x86)\AMD AVT
2012-11-16 00:23:50 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-11-16 00:23:47 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2012-11-16 00:23:47 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2012-11-16 00:21:08 -------- d-----w- C:\Program Files\ATI Technologies
2012-11-16 00:21:06 -------- d-----w- C:\Program Files\ATI
2012-11-16 00:20:23 -------- d-----w- C:\AMD
2012-11-15 20:00:28 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-11-15 20:00:05 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-11-15 20:00:05 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-11-15 20:00:05 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-11-15 20:00:05 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-11-15 19:59:43 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-15 19:57:37 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-11-15 19:57:37 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-11-15 19:57:37 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-11-15 19:57:37 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-15 19:57:15 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-11-15 19:57:14 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-11-15 19:57:14 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-11-15 19:55:33 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-15 19:54:37 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-11-15 19:54:37 52224 ----a-w- C:\Windows\SysWow64\nlaapi.dll
2012-11-15 19:54:37 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-11-15 19:54:37 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-11-15 19:54:37 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-11-15 19:54:37 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-11-15 19:54:37 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-11-15 19:54:36 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-11-15 19:54:36 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-11-15 19:54:36 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-11-15 19:54:36 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-11-15 19:54:36 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-11-15 19:50:55 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-15 19:50:55 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-15 19:49:23 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2012-11-15 19:49:23 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2012-11-15 19:49:23 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2012-11-15 19:49:23 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2012-11-15 19:49:22 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2012-11-15 19:49:22 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2012-11-15 19:49:22 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2012-11-15 19:49:17 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-11-15 19:49:17 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-11-15 19:49:10 95744 ----a-w- C:\Windows\System32\synceng.dll
2012-11-15 19:49:10 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-11-15 19:47:48 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-11-15 19:47:48 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2012-11-15 19:47:48 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-11-15 19:47:48 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-11-15 19:47:48 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-11-15 19:47:48 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-11-14 17:45:17 -------- d-----w- C:\Users\asinger\AppData\Roaming\Realtime Soft
2012-11-14 17:42:39 -------- d-----w- C:\Windows\SysWow64\searchplugins
2012-11-14 17:42:39 -------- d-----w- C:\Windows\SysWow64\Extensions
2012-11-14 17:42:38 -------- d-----w- C:\ProgramData\Browser Manager
2012-11-14 17:42:07 -------- d-----w- C:\Users\asinger\AppData\Roaming\Babylon
2012-11-14 17:42:07 -------- d-----w- C:\ProgramData\Babylon
2012-11-14 17:09:45 -------- d-----r- C:\Program Files (x86)\Skype
2012-11-14 15:31:43 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-13 23:56:56 156008 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-11-13 23:56:56 -------- d-----w- C:\Program Files\Symantec
2012-11-13 23:56:51 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-11-13 23:56:49 -------- d-----w- C:\Program Files (x86)\Symantec AntiVirus
2012-11-13 22:56:58 -------- d-----w- C:\Users\asinger\AppData\Roaming\Malwarebytes
2012-11-13 22:56:50 -------- d-----w- C:\ProgramData\Malwarebytes
2012-11-13 22:56:49 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-11-13 22:56:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-13 22:54:24 -------- d-----w- C:\Temp
2012-11-13 22:49:49 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2C0A7F1C-9CE9-4388-96A6-522912C5D675}\mpengine.dll
2012-11-12 19:35:06 -------- d-----w- C:\Workspace
2012-11-12 17:14:45 -------- d-----w- C:\Users\asinger\AppData\Local\Microsoft Games
2012-11-12 16:47:00 -------- d-----w- C:\Users\asinger\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
2012-11-12 14:37:59 -------- d-----w- C:\Users\asinger\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-11-12 14:35:06 -------- d-----w- C:\Program Files (x86)\Adobe Download Assistant
2012-11-09 16:55:15 -------- d-----w- C:\Users\asinger\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-10-19 19:40:52 -------- d-----w- C:\Users\asinger\AppData\Roaming\NetLibCache
2012-10-19 18:57:42 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2012-10-19 18:55:53 -------- d-----w- C:\Program Files\Saxonica
2012-10-19 18:53:18 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
2012-10-19 18:53:18 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
2012-10-19 18:52:39 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
.
==================== Find3M ====================
.
2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-10-03 13:33:29 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-10-03 13:33:29 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-09-28 22:37:02 221696 ----a-w- C:\Windows\System32\clinfo.exe
2012-09-28 22:36:44 75776 ----a-w- C:\Windows\System32\OpenVideo64.dll
claro-search infection: Windows 7, Chrome & IE
in Resolved Malware Removal Logs
Posted
thanks