supernaut

January 12, 2013

Thank you so much! I really appreciate it gringo. Thanks for putting up with what must have been some of the dumbest questions you've read. Means the world! I guess you can lock this up now, or delete the thread - however it works.

Cheers,

Brian

January 12, 2013

Hello again. Thanks for all of your help. I must admit that I am still a bit stupid with regard to the program I purchased. Specifically, there is a MBAM icon in my bottom right tray. Double-clicking either the tray icon or the desktop shortcut will launch MBAM Pro. Again, anytime I run MBAM Pro I am greeted with a dialogue box, " Do you want to allow the following program to make changes to this computer? It's as if I'm installing it for the first time every time I open the program. This does not happen with other programs that I have.

The 'real time' aspect confuses me ... how can MBAM Pro assess anything in Real Time if the application is not running??? The only program that runs continuously is mbamgui.exe You noted that it should start automatically and there is nothing I need to do - but the only time MBAM PRO runs is when I click on it (that said - there is a logfile for everyday so far). Before buying the Pro version, MBAM would often display moving small dialogue box - the small box would translate horizontally from right to left - it would show up on the terminal right side of the screen, move left, and then stop. A typical message would be something like "... threats blocked" or "...bad website, etc" - I've not seen any of these dialogue boxes since buying the Pro, which is a good and bad.

I'll stop here as my PC is running fine now. If you can help clarify my MBAM Pro issues I would be very grateful.

Thank you soooo much G!

cheers,

Brian

January 11, 2013

Hello again,

sorry for my late reply. I was very sick yesterday and could not attend to anything. Ok, I think we are almost finished. I have deleted the applications that were not deleted by OTCleanit

From what I can ascertain, there are no problems with my PC. The servads pop-ups have completely stopped. I haven't had any messages as to "Low Memory" - sometimes my PC would indicate that memory is very low and that I should take action. But when I opened up task manager, I couldn't find anything taking up a lot of memory.

There was one file that puzzled me ... explorer.exe (Windows Explorer) ... under processes, said file would often approach or exceed 100,000 K - this was the largest thing that I could find. Now, after your generous help, this file currently shows a memory of ~ 25,000 K .... does this sound about right to you? Would you like me to copy the contents under Processes and paste them?

with MBAM you will always get that so it runs with admin privileges - always allow it for MBAM

My last important question: Must I have MBAM Pro running all the time? I am a bit confused how the real time aspect works. Currently, when I open Task Manager and select processes, I notice that there are 81 total processes and the physical memory is 26% - is that too high? One process is mbam.exe *32 and has a memory of 98,928 K; the only other Malwarebytes Anti-Malware process is mbamgui.exe *32 and has a memory of just 3,148 K (I'm not quite sure what mbamgui.exe is)

Do I simply run mbam.exe on a desired schedule to check for malware OR must this application be running at all times?

I have d/l MSE for my AV program; and, already purchased MBAM Pro a couple days ago. Many thanks for further reading and general advice. If you can please help address the questions raised in this post I would be ever so grateful. I already made a donation. But you have been very helpful, and as such I will donate some more! I can't thank you enough.

Looking forward to your reply (hopefully last one! I hate bothering you with question).

Thanks in advance,

Brian

January 10, 2013

:The programs you can keep:
Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.
Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls
CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner
Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

Hi again. I successfully followed your instructions. However, OTCleanIt did not remove all of the malware tools. OTCleanIt did delete itself after running the program. However the following 3 programs are still on my computer:

SecurityCheck

ADWCleaner

HiJackThis

What should I do? Can I simply delete them? Important Question: I purchased MBAM Pro, which includes the real-time protection...But I cannot ascertain if it is actually working in real time. Any time I click on the shortcut I am immediately greeted with a dialogue box, " Do you want to allow the following program to make changes to this computer?"

What am I doing wrong? Thanks in advance!!!

hopelessly confused,

Brian

January 9, 2013

Greetings
I just purchased MBAM Pro the other day. How do I make Windows recognize that I do have an AV program - MBAM is an Antispyware program it is made to work WITH an antivirus program but not as a substitute - I will help you get a good antivirus program on here when we finish the cleanup
These logs are looking very good, we are almost done!!! Just one more scan to go.

Thanks again! I must admit that I feel rather stupid, as I thought MBAM Pro was an anti-virus tool. However, I am happy to read that you can set me up with an Anti-Virus Program when this is done.

I followed all of your instructions. ESET found 8 threats. I hope this isn't a significant setback. Nonetheless, the "list of threats found" is shown below.

ESET SCAN

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\Backup\DSLUpdate\hstart.exe.bak a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\Backup\DSLUpdate\hstart.exe.bk1 a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\hstart.exe a variant of Win32/HiddenStart.A application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application

C:\Users\The One\Downloads\7zip_installer_d162802.exe a variant of Win32/InstallIQ application

C:\Users\The One\Downloads\YouTubeDownloaderSetup35.exe probably a variant of Win32/Toolbar.Widgi application

-------

Ok G, what next? As always, I am indebted to you.

Cheers,

Brian

January 9, 2013

Gringo,

One last note ... I was speaking earlier about whether my MBAM Pro is actively functioning. I have 2 important PC messages. One refers to the fact that Windows defender is not on, which is something I can easily change. The other issue in the action center states, "Find an antivirus program online (Important)" I just purchased MBAM Pro the other day. How do I make Windows recognize that I do have an AV program. According to Windows, my pc attempted to find an AV program, yet stated that there are no AV programs on my computer. Is MBAM Pro not considered an AV program? I was under the impression that it was . . . if not, can you recommend a complimentary program for MBAM Pro? I'm very confused. I am extremely grateful for your input and advice!

best,

brian

January 9, 2013

G, my PC wanted to reboot to install Windows updates . . . I walked out of my room, and when I came back, Windows was starting up. There was dialogue stating that Windows was "configurating," which happened very quickly. I haven't noticed anything bad. So far, no popups or redirects!

For what it's worth, I ran a quick scan with MBAM Pro after the computer restarted itself. It might be useless, but one never knows

Most recent MBAM Pro Quick Scan log

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.09.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

The One :: THEONE-PC [administrator]

Protection: Enabled

1/9/2013 4:29:00 AM

mbam-log-2013-01-09 (04-29-00).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 210361

Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

January 9, 2013

Oh, and so far, the PC is behaving properly. No popups or redirects whatsoever (I hope I don't jinx myself). Again, I am concerned about a rootkit infection/problem. Do you think I have a rootkit problem?

thanks again!

January 9, 2013

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

Bing Rewards Client Installer
DefaultTab
Java™ 6 Update 27 (64-bit)
Java™ 6 Update 37
[*]

Hi again. I can't tell you how much I appreciate everything. Of the programs listed above, only the Java programs were present. I did not see "Default Tab" or "Bing Rewards Client Installer. As you noted, some of the programs may not appear. I hope this is the case.

Below are the logs from my MBAM Pro (I did a full system scan instead of a Quick scan. Sorry about that. Please let me know if a Quick Scan somehow has more of a benefit, and I will run it. The 2nd log is that from HiJackThis.

Please review at your leisure.

Last, at the risk of sounding completely stupid...how do I know if MBAM Pro is currently running and protecting - I assume it is, as I performed a scan. Basically, please help make sure I have correctly restored Windows Defender/MBAM Pro; and anything else.

Thank you soooo much!!!!

MBAM Pro Full System Scan Log

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.09.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

The One :: THEONE-PC [administrator]

Protection: Enabled

1/9/2013 3:29:26 AM

mbam-log-2013-01-09 (03-29-26).txt

Scan type: Full scan (C:\|)

Scan options disabled: P2P

Objects scanned: 319930

Time elapsed: 27 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

HiJack This Log

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 3:58:43 AM, on 1/9/2013

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16457)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

C:\Users\The One\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

O4 - HKLM\..\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - Startup: Dropbox.lnk = The One\AppData\Roaming\Dropbox\bin\Dropbox.exe

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab

O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package 2) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab

O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\AESTSr64.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)

O23 - Service: Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service (AMPPALR3) - Intel Corporation - C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe

O23 - Service: Bluetooth Device Monitor - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe

O23 - Service: Bluetooth Media Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe

O23 - Service: Bluetooth OBEX Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe

O23 - Service: Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service (BTHSSecurityMgr) - Intel® Corporation - C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)

O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)

O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)

O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe

O23 - Service: Intel® Turbo Boost Technology Monitor 2.0 (TurboBoost) - Intel® Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)

O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 12475 bytes

Thank you G!!!!!!!!!!!

Best,

Brian

January 9, 2013

G, sorry about that. I didn't intend on wasting your time. So far, I haven't had any problems. My PC runs smoothly with the exception of pop-ups or redirects. But I haven't been surfing the web for fear of another virus. But I did visit reputable sites . . . I also signed into Chrome. the PC appears a bit faster... and no pop-ups/redirects. Things are good thus far. I think things are better after running the script/combofix ... but how can I be sure? What am I looking for in terms of script help?

I must say that I really appreciate your helpful and courteous advice.

Combofix log below

ComboFix 13-01-08.01 - The One 01/09/2013 2:18.2.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8099.6326 [GMT -5:00]

Running from: c:\users\The One\Desktop\ComboFix.exe

Command switches used :: c:\users\The One\Desktop\CFScript.txt.txt

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2012-12-09 to 2013-01-09 )))))))))))))))))))))))))))))))

.

2013-01-09 07:21 . 2013-01-09 07:21 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-29 03:31 . 2012-12-29 03:31 -------- d-----w- c:\users\The One\AppData\Local\Programs

2012-12-27 11:19 . 2012-12-27 11:23 -------- d-----w- c:\users\The One\AppData\Roaming\Systweak

2012-12-27 11:19 . 2012-12-10 17:01 19896 ----a-w- c:\windows\system32\roboot64.exe

2012-12-27 09:53 . 2013-01-08 21:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-12-27 09:53 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-25 18:41 . 2012-12-25 18:41 -------- d-----w- c:\users\The One\AppData\Roaming\Malwarebytes

2012-12-25 18:41 . 2012-12-25 18:41 -------- d-----w- c:\programdata\Malwarebytes

2012-12-25 17:12 . 2012-12-26 04:50 -------- d-----w- c:\users\The One\AppData\Roaming\Anvisoft

2012-12-25 17:12 . 2012-12-25 17:12 -------- d-----w- c:\programdata\Anvisoft

2012-12-25 17:12 . 2012-12-26 04:50 -------- d-----w- c:\program files (x86)\Anvisoft

2012-12-21 08:00 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 08:00 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 08:00 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-12 05:01 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-12 05:01 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-12-12 05:01 . 2012-10-04 17:45 215040 ----a-w- c:\windows\system32\winsrv.dll

2012-12-12 05:01 . 2012-10-04 17:41 424960 ----a-w- c:\windows\system32\KernelBase.dll

2012-12-12 05:01 . 2012-10-04 17:41 1161216 ----a-w- c:\windows\system32\kernel32.dll

2012-12-12 05:01 . 2012-10-04 16:47 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll

2012-12-12 05:01 . 2012-10-04 15:21 338432 ----a-w- c:\windows\system32\conhost.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-12 08:02 . 2012-01-20 14:22 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-12-12 01:08 . 2012-04-15 13:06 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-12 01:08 . 2012-01-16 00:46 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-01 20:35 . 2012-11-25 20:29 253256 ----a-w- c:\windows\system32\drivers\PCTSD64.sys

2012-10-18 03:37 . 2012-10-18 03:37 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll

2012-10-18 03:37 . 2012-10-18 03:37 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2012-10-18 03:37 . 2012-10-18 03:37 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll

2012-10-18 03:37 . 2012-10-18 03:37 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2012-10-16 08:38 . 2012-11-27 20:03 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-27 20:03 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-27 20:03 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\The One\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\The One\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\The One\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]

"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2012-02-01 968048]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2011-08-12 520330]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

c:\users\The One\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\The One\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-12-28 28539392]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer4"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2011-05-19 995392]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2011-08-08 299008]

R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2011-05-19 1335360]

R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-03-24 34200]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-07-28 340240]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-10-30 250984]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-03 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]

S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-08-08 1166848]

S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-05-19 921664]

S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-11-29 16120]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-06 2655768]

S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2011-08-08 299008]

S3 btmaudio;Intel Bluetooth Audio Service;c:\windows\system32\drivers\btmaud.sys [2011-05-19 51712]

S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-05-19 53248]

S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-07-19 282624]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2011-06-16 176000]

S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-07-19 59904]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]

S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-03-24 25496]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-10-26 406632]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-09 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 01:08]

.

2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05 02:54]

.

2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05 02:54]

.

2013-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2744314548-308834006-1895804017-1000Core.job

- c:\users\The One\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:14]

.

2013-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2744314548-308834006-1895804017-1000UA.job

- c:\users\The One\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:14]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\The One\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\The One\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\The One\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\The One\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-20 168216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-20 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-20 416024]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-25 525312]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-04-12 609144]

"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]

"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-07-28 1935120]

"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2011-05-19 10365952]

"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2012-02-01 2195824]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.gmail.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uSearchAssistant = hxxp://www.google.com

TCP: DhcpNameServer = 192.168.1.1

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-09 02:22:58

ComboFix-quarantined-files.txt 2013-01-09 07:22

ComboFix2.txt 2013-01-09 05:25

.

Pre-Run: 559,029,059,584 bytes free

Post-Run: 558,738,624,512 bytes free

.

- - End Of File - - C94A687C725629B80F14769481D550B0

Please tell me if you notice things that aren't quite right. Someone told me that this redirect crap is actually a rootkit infection. I am not familiar with rootkit nomenclature. What do you think about this?

Again, many thanks for the help, the speed of your replies, and your courteousness ... it is a pleasure chatting with you.

Cheers,

Brian

January 9, 2013

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.
:Run CFScript:

G, sorry for my lack of computer prowess, however, how do I run the noted CF Script? Do I d/l this script? If so, I don't know where to find it. I didn't find any links in your most recent post. Did I miss something?

Thanks in advance!

January 9, 2013

Ok, I have done everything as instructed. Upon installing Google Chrome, a window opened for syncing. I did not do anything for fear that syncing might be deleterious. When the Chrome browser opened, it only opened with 1 tab ... normally there would be 3. Technically, a second tab was present, however, it was a Google Chrome "Getting Started" instruction page.

Let me know if I should sync, which I am not sure exactly where to do that. I am following your instructions exactly as written. I don't make any actions before reading your instructions. So there may be some simple things to do. For example, I have not turned on MW Pro or Windows Defender, as you did not mention if it was ok to do so after running ComboFix. Should I turn MW Pro back on, and Windows Defender? Later, please advise on how to set up Windows Defender.

Ok, now what?

Many many thanks!

Brian

January 9, 2013

Hi again ... and thanks again!

I ran Combofix, and the log is below. In response to your query regarding computer health, I would say that my PC runs very well. I have no problems except for these popups; also, when I use Google Chrome, my selected homepage browser would appear, however, there would always be two extra tabs. One tab was an a fake advertisement urging me to run a free computer scan, the final tab would vary as to content. I figured out a way around it, but if I revert to original use, a total of 3 tabs appear when I click on Chrome.

I still get a lot of popups. Many come from malware bytes pages. Instead of seeing "servads" before the redirect; the URL initially contains a string of numbers, which are mostly 1's and 0's.....it then quickly redirects me to some advertisement page - usually, these adverts are for things close to where I live.

I disabled all anti-malware programs before running Combofix.exe But, I honestly don't know what superfluous AV programs I have. I didn't even know about Windows Defender - I disabled with the instructions found in the link you provided. I also disabled my recently purchased MWBytes Pro. I hope the log generated by Combofix.exe is not compromised by a program which I have no knowledge of.

Thank you soo much again!

Log from ComboFix

ComboFix 13-01-08.01 - The One 01/09/2013 0:20.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8099.6344 [GMT -5:00]

Running from: c:\users\The One\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\PCDr\6032\AddOnDownloaded\18d25bc5-acbb-424f-a6c6-d04a97765094.dll

c:\programdata\PCDr\6032\AddOnDownloaded\2d2ff7e2-f0f8-4f32-a28e-e44234dd3300.dll

c:\programdata\PCDr\6032\AddOnDownloaded\62089595-46e8-4c4f-9d7b-48be969390bb.dll

c:\programdata\PCDr\6032\AddOnDownloaded\65a823a3-a5fc-440a-b276-153555251042.dll

c:\programdata\PCDr\6032\AddOnDownloaded\918ee45c-eb0a-4e61-97ad-c1849c2623ee.dll

c:\programdata\PCDr\6032\AddOnDownloaded\b0654984-096d-4244-a127-3364577b6279.dll

c:\programdata\PCDr\6032\AddOnDownloaded\b967e9c4-897a-42c8-96d2-4ceb543f8cdb.dll

c:\programdata\PCDr\6032\AddOnDownloaded\db33b903-f6ef-4bdd-adf8-db57372a45ec.dll

c:\programdata\PCDr\6032\AddOnDownloaded\ea058b56-dc30-479c-af0f-bcf27aed08df.dll

c:\programdata\PCDr\6032\AddOnDownloaded\f4d48f15-9f33-4b3f-a84f-bc8b2800e772.dll

c:\programdata\Roaming

.

((((((((((((((((((((((((( Files Created from 2012-12-09 to 2013-01-09 )))))))))))))))))))))))))))))))

.

2013-01-09 05:23 . 2013-01-09 05:23 -------- d-----w- c:\users\Default\AppData\Local\temp