
Need help, can't remove Rootkit.0Access from computer :(



I ran a Malwarebytes scan about a week ago and thought I had deleted it. Scanned again today and it was still there. I only really noticed it today because random music suddenly started playing on my computer, multiple times, even when I had no programs open. How can I get rid of it without having to reformat my whole system?

Here is a log:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.27.02

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

Amitabh :: AMITABH-PC [administrator]

6/28/2012 10:08:12 PM

mbam-log-2012-06-28 (22-08-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 314127

Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\Installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!)

Post back the report.

MrC


Run RogueKiller again and click Scan > when the scan completes > click the Files/Folders tab and put a check next to these and uncheck the rest:

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] n : c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\n --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U --> FOUND

[ZeroAccess][FILE] n : c:\users\amitabh\appdata\local\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\n --> FOUND

[ZeroAccess][FILE] @ : c:\users\amitabh\appdata\local\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\@ --> FOUND

Now click Delete on the right-hand side.

------------------------------------

Next........

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

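The four RogueKiller hits listed in the post above share one layout: a {GUID}-named directory under Windows\Installer or a user's AppData\Local that holds a file named n, a file named @ or a subfolder named U. As an added example (not RogueKiller's code and not from this thread), the Python below recreates that layout in a scratch directory, labelled as constructed, and reports every marker it finds; the benign {12345678-...} MSI-cache directory it also creates is an assumption used to show that a GUID-named folder by itself is not flagged.

```python
"""Detect the on-disk layout RogueKiller reported above: a {GUID}-named
directory under Windows\\Installer or a user's AppData\\Local that contains
a file named 'n', a file named '@', or a subdirectory named 'U'.

Windows\\Installer legitimately holds many {GUID} directories (the MSI
cache), so a GUID name on its own proves nothing; the marker names are
what distinguish the hits in the thread."""
import re
import tempfile
from pathlib import Path

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$",
    re.IGNORECASE,
)
MARKER_FILES = {"n", "@"}   # file names seen in the RogueKiller report
MARKER_DIRS = {"U"}         # folder name seen in the RogueKiller report


def candidate_parents(root):
    """Yield the two locations the report pointed at, relative to an
    installation root: Windows\\Installer and every user's AppData\\Local."""
    yield root / "Windows" / "Installer"
    users = root / "Users"
    if users.is_dir():
        for user in users.iterdir():
            yield user / "AppData" / "Local"


def scan(root):
    """Return sorted (kind, guid_dir, marker) tuples, one per marker found.
    guid_dir is the {GUID} directory's path relative to root, POSIX-style,
    so results compare equal regardless of the host OS."""
    findings = []
    for parent in candidate_parents(root):
        if not parent.is_dir():
            continue
        for entry in parent.iterdir():
            if not (entry.is_dir() and GUID_RE.match(entry.name)):
                continue
            rel = entry.relative_to(root).as_posix()
            for child in entry.iterdir():
                if child.is_file() and child.name in MARKER_FILES:
                    findings.append(("FILE", rel, child.name))
                elif child.is_dir() and child.name in MARKER_DIRS:
                    findings.append(("FOLDER", rel, child.name))
    return sorted(findings)


# GUID taken from the RogueKiller lines above; the second GUID is a
# constructed placeholder standing in for a legitimate MSI-cache directory.
INFECTED_GUID = "{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}"
BENIGN_GUID = "{12345678-1234-1234-1234-123456789abc}"


def build_sample_tree(root):
    """Recreate (constructed, with empty files) the layout from the report
    plus one benign {GUID} directory that must not be flagged."""
    inst = root / "Windows" / "Installer" / INFECTED_GUID
    (inst / "U").mkdir(parents=True)
    (inst / "U" / "800000cb.@").touch()   # the file Malwarebytes quarantined
    (inst / "n").touch()
    local = root / "Users" / "amitabh" / "AppData" / "Local" / INFECTED_GUID
    local.mkdir(parents=True)
    (local / "n").touch()
    (local / "@").touch()
    benign = root / "Windows" / "Installer" / BENIGN_GUID
    benign.mkdir(parents=True)
    (benign / "setup.msi").touch()


def demo():
    """Build the sample tree in a scratch directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for kind, guid_dir, marker in demo():
        print(f"[ZeroAccess][{kind}] {marker} : {guid_dir}/{marker}")
```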

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix won't seem to install on my computer. I've disabled all malware and antivirus programs and saved it to the desktop. But when I run the installer it freezes on output C:\32788R22FWJFW

Also, after a few minutes it exits out of the installer and flashes a prompt screen saying warning; however, I don't know what it says because the prompt screen disappears after 2 seconds. What is going on?

Also I ran Malwarebytes again and the rootkit is still there... plus now an additional 4 pieces of malware are being detected, but I think it's detecting RogueKiller as malware. Please help.


Can you post the log from Malwarebytes?

-----------------------

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Make sure ComboFix is on your desktop.

Click Start --> Run, and enter this command exactly as shown: (copy and paste)

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now.

MrC


The log is still reading the same now after I rebooted; it's still showing C:\Windows\Installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

My new problem now is that I did as you stated above and ran it in safe mode. But now I get 2 errors.

First error: It tells me that McAfee is running and needs to be stopped. However, in Safe Mode McAfee is not running at all. I even ran Task Manager and killed all the services and processes related to McAfee, but it still gives me the error.

Second error: ComboFix still runs; however, when the command prompt loads it says "attempting to run Combofix", but then under that it displays the error "You do not have administrative privileges to run this, please run in admin prompt."

I also tried right clicking and running as administrator but I still received the same error.

Why can't I run ComboFix? And the malware still seems to be on my PC.


I managed to get ComboFix to run and finish successfully; however, it did not create a log file... it created a file in the C:\ directory called "combofix" which I cannot seem to open. And it created a folder called Combofix23155c.

But nowhere is there a ComboFix.txt file.

Also another folder called Qoobox was created.

---------------------------------------------

I have attached the RogueKiller file again as you specified. As you can see from the log I'm still having an infection at c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}

Every time I delete it and reboot, the rootkit just comes back... do you think it's a problem with my DNS perhaps?

RKreport13.txt


Run RogueKiller again > click Scan > when the scan completes

Click on the Files/Folders tab > put a check next to this one > uncheck the rest

Now click Delete on the right-hand column.

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\windows\installer\{40cdcb9d-7b7f-904e-16b0-6d17c386ccc6}\U --> FOUND

-----------------------------------

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    ComboFix.txt


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

-----------------------------------------------

Take a look in the Qoobox folder, there may be a copy of the log in there.

ComboFix.txt

Let me know, MrC


SystemLook 30.07.11 by jpshortstuff

Log created at 10:50 on 30/06/2012 by Amitabh

Administrator - Elevation successful

========== Filefind ==========

Searching for "ComboFix.txt"

C:\ComboFix\ComboFix.txt --a---- 555 bytes [00:44 30/06/2012] [00:44 30/06/2012] 7FAAEAA5935A8080B034A524287FED07

-= EOF =-

The log says it's in a folder called ComboFix... but there isn't a folder named that on my C drive. There is a file called combofix, but when I click on that it just opens a screen that shows all my partitions and computer drives.

Also I have been running RogueKiller and deleting that file, but every time I reboot my computer it returns.

-------------------------------------------

I opened the ComboFix.txt using the Run command; however, this is all the file says:

ComboFix 12-06-28.03 - Amitabh 06/29/2012 17:44:36.2.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2230 [GMT -7:00]

Running from: C:\Users\Amitabh\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


Here is the ComboFix log, what should I do next?

---------------------------------------------------------------

ComboFix 12-06-28.03 - Amitabh 06/30/2012 12:58:45.3.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2191 [GMT -7:00]

Running from: c:\users\Amitabh\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Amitabh\Favorites\mxfilerelatedcache.mxc2

c:\users\Shalabh\Favorites\mxfilerelatedcache.mxc2

.

c:\windows\system32\Services.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-30 )))))))))))))))))))))))))))))))

.

.

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Shalabh\AppData\Local\temp

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Mcx2\AppData\Local\temp

2012-06-30 22:29 . 2012-06-30 22:29 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2012-06-29 18:55 . 2012-06-29 18:55 -------- d-----w- C:\TDSSKiller_Quarantine

2012-06-29 18:27 . 2012-06-29 18:27 -------- d-----w- c:\users\Amitabh\AppData\Local\Activision

2012-06-26 00:35 . 2012-06-26 00:35 -------- d-----w- c:\users\Shalabh\AppData\Local\Activision

2012-06-25 00:45 . 2012-06-25 00:45 -------- d-----w- c:\users\Amitabh\AppData\Roaming\NVIDIA

2012-06-24 03:35 . 2012-06-24 20:08 -------- d-----w- C:\AdobeTemp

2012-06-23 14:29 . 2012-06-23 14:29 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-06-21 06:26 . 2012-06-21 06:26 -------- d-----w- c:\users\Shalabh\A8B9466986544126BD28D0D2412CDED6.TMP

2012-06-21 00:08 . 2012-06-28 07:37 -------- d-----w- c:\users\Shalabh\AppData\Local\ApplicationHistory

2012-06-21 00:07 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\SpellEx

2012-06-21 00:04 . 2012-06-21 00:04 -------- d-----w- c:\windows\SysWow64\URTTEMP

2012-06-20 23:38 . 2012-06-20 23:38 -------- d-----w- c:\program files\DIFX

2012-06-20 23:38 . 2009-09-03 23:30 128512 ----a-w- c:\windows\system32\drivers\tiehdusb.sys

2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\TI Education

2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\TI Shared

2012-06-19 16:16 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-19 16:16 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-19 16:16 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-19 16:16 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-19 16:15 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-19 16:15 . 2012-06-02 22:19 35864 ----a-w- c:\windows\SysWow64\wups.dll

2012-06-19 16:15 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-19 16:15 . 2012-06-02 22:19 577048 ----a-w- c:\windows\SysWow64\wuapi.dll

2012-06-19 16:15 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-19 16:15 . 2012-06-02 22:12 88576 ----a-w- c:\windows\SysWow64\wudriver.dll

2012-06-19 16:15 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-19 16:15 . 2012-06-02 22:19 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll

2012-06-19 16:15 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-19 16:15 . 2012-06-02 22:12 33792 ----a-w- c:\windows\SysWow64\wuapp.exe

2012-06-13 21:36 . 2012-06-13 21:36 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll

2012-06-13 21:36 . 2012-06-13 21:36 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll

2012-06-03 21:24 . 2012-05-09 01:35 32600 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2012-06-03 21:23 . 2010-11-27 01:02 17720 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2012-06-03 20:41 . 2012-05-24 17:48 24448 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-06-02 19:20 . 2012-06-02 19:20 -------- d-----w- c:\users\Shalabh\AppData\Roaming\IObit

2012-06-02 19:19 . 2012-06-02 19:19 -------- d-----w- c:\programdata\IObit

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-23 02:14 . 2012-04-05 00:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-23 02:14 . 2011-05-15 13:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-15 10:48 . 2012-03-15 02:05 68928 ----a-w- c:\windows\system32\OpenCL.dll

2012-05-15 10:48 . 2012-03-15 02:05 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-05-15 10:48 . 2011-11-18 20:50 1738048 ----a-w- c:\windows\system32\nvdispco64.dll

2012-05-15 10:48 . 2011-11-18 20:50 1468224 ----a-w- c:\windows\system32\nvgenco64.dll

2012-05-15 10:48 . 2011-06-12 00:54 8105280 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-05-15 10:48 . 2011-06-12 00:54 2741568 ----a-w- c:\windows\system32\nvapi64.dll

2012-05-15 10:48 . 2011-06-12 00:54 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll

2012-05-15 10:48 . 2011-06-12 00:54 18044224 ----a-w- c:\windows\system32\nvd3dumx.dll

2012-05-15 10:48 . 2011-06-12 00:54 15322432 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-05-15 09:29 . 2011-06-12 00:57 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2012-05-15 09:29 . 2011-06-12 00:57 63296 ----a-w- c:\windows\system32\nvshext.dll

2012-05-15 09:29 . 2011-06-12 00:57 118080 ----a-w- c:\windows\system32\nvmctray.dll

2012-05-15 09:29 . 2011-06-12 00:57 3149632 ----a-w- c:\windows\system32\nvsvc64.dll

2012-05-15 09:28 . 2011-06-12 00:57 6151488 ----a-w- c:\windows\system32\nvcpl.dll

2012-05-15 09:21 . 2012-05-15 09:21 423744 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-04-18 17:08 . 2012-03-15 02:05 1451840 ----a-w- c:\windows\system32\nvhdagenco6420103.dll

2012-04-04 22:56 . 2009-06-16 00:15 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BTBFirstRun"="c:\program files (x86)\Hewlett-Packard\SDP\hprun.exe" [2007-07-19 20480]

"googletalk"="c:\users\Amitabh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-09 65536]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-18 1484856]

"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]

S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-05-26 913792]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-30 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 02:14]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000Core.job

- c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000UA.job

- c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001Core.job

- c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58]

.

2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001UA.job

- c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2007-10-25 5430272]

"LXCRCATS"="c:\windows\system32\spool\DRIVERS\x64\3\LXCRtime.dll" [2006-11-21 31744]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://cm.my.yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105

LSP: c:\windows\system32\wpclsp.dll

Trusted Zone: att.com

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.1.254

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Amitabh\AppData\Roaming\Mozilla\Firefox\Profiles\up9n5bpd.default\

FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

SafeBoot-WudfPf

SafeBoot-WudfRd

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]

"ImagePath"="\??\c:\program files (x86)\HP\DVDPlay\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-06-30 15:39:45

ComboFix-quarantined-files.txt 2012-06-30 22:39

.

Pre-Run: 168,491,253,760 bytes free

Post-Run: 168,349,458,432 bytes free

.

- - End Of File - - 675738E9DAA83E00203773B740229D66


Services.exe is infected; let's see if there's a good copy on your machine. Also, do you have the Vista CD?

You used SystemLook before but here's the whole thing........

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    Services.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


Yes, I have the 3 Vista recovery disks that my computer made when I bought it.

----------------------------------

SystemLook 30.07.11 by jpshortstuff

Log created at 18:47 on 30/06/2012 by Amitabh

Administrator - Elevation successful

========== Filefind ==========

Searching for "Services.exe"

C:\Windows\System32\services.exe --a---- 384512 bytes [17:35 30/05/2009] [07:10 11/04/2009] BC81150939BD52DBC7A08C245F1FB229

C:\Windows\SysWOW64\services.exe --a---- 279552 bytes [17:34 30/05/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_294799ef88bb616c\services.exe --a---- 389632 bytes [09:10 02/11/2006] [11:16 02/11/2006] 0A87F57DFC2C0EB9BBA8BE1C87BAFE1A

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe --a---- 384512 bytes [13:21 07/06/2008] [08:00 19/01/2008] DFAC660F0F139276CC9299812DE42719

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [17:35 30/05/2009] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe --a---- 279552 bytes [12:21 02/11/2006] [09:45 02/11/2006] 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [13:19 07/06/2008] [07:33 19/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [17:34 30/05/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B

-= EOF =-


OK, there are several good copies of services.exe on the system, we'll use ComboFix to replace the infected one:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

FCopy::

C:\Windows\SysWOW64\services.exe | C:\Windows\System32\services.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


ComboFix 12-06-28.03 - Amitabh 07/01/2012 13:11:13.4.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2575 [GMT -7:00]

Running from: c:\users\Amitabh\Desktop\ComboFix.exe

Command switches used :: c:\users\Amitabh\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\SysWOW64\services.exe --> c:\windows\System32\services.exe

.

((((((((((((((((((((((((( Files Created from 2012-06-01 to 2012-07-01 )))))))))))))))))))))))))))))))

.

.

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Shalabh\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Mcx2\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-01 21:18 . 2012-07-01 21:18 -------- d-----w- c:\users\Alpana\AppData\Local\temp

2012-06-29 18:55 . 2012-06-29 18:55 -------- d-----w- C:\TDSSKiller_Quarantine

2012-06-29 18:27 . 2012-06-29 18:27 -------- d-----w- c:\users\Amitabh\AppData\Local\Activision

2012-06-26 00:35 . 2012-06-26 00:35 -------- d-----w- c:\users\Shalabh\AppData\Local\Activision

2012-06-25 00:45 . 2012-06-25 00:45 -------- d-----w- c:\users\Amitabh\AppData\Roaming\NVIDIA

2012-06-24 03:35 . 2012-06-24 20:08 -------- d-----w- C:\AdobeTemp

2012-06-23 14:29 . 2012-06-23 14:29 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-06-21 06:26 . 2012-06-21 06:26 -------- d-----w- c:\users\Shalabh\A8B9466986544126BD28D0D2412CDED6.TMP

2012-06-21 00:08 . 2012-06-28 07:37 -------- d-----w- c:\users\Shalabh\AppData\Local\ApplicationHistory

2012-06-21 00:07 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\SpellEx

2012-06-21 00:04 . 2012-06-21 00:04 -------- d-----w- c:\windows\SysWow64\URTTEMP

2012-06-20 23:38 . 2012-06-20 23:38 -------- d-----w- c:\program files\DIFX

2012-06-20 23:38 . 2009-09-03 23:30 128512 ----a-w- c:\windows\system32\drivers\tiehdusb.sys

2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\TI Education

2012-06-20 23:37 . 2012-06-21 00:07 -------- d-----w- c:\program files (x86)\Common Files\TI Shared

2012-06-19 16:16 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-19 16:16 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-19 16:16 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-19 16:16 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-19 16:15 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-19 16:15 . 2012-06-02 22:19 35864 ----a-w- c:\windows\SysWow64\wups.dll

2012-06-19 16:15 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-19 16:15 . 2012-06-02 22:19 577048 ----a-w- c:\windows\SysWow64\wuapi.dll

2012-06-19 16:15 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-19 16:15 . 2012-06-02 22:12 88576 ----a-w- c:\windows\SysWow64\wudriver.dll

2012-06-19 16:15 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-19 16:15 . 2012-06-02 22:19 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll

2012-06-19 16:15 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-19 16:15 . 2012-06-02 22:12 33792 ----a-w- c:\windows\SysWow64\wuapp.exe

2012-06-13 21:36 . 2012-06-13 21:36 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll

2012-06-13 21:36 . 2012-06-13 21:36 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll

2012-06-03 21:24 . 2012-05-09 01:35 32600 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2012-06-03 21:23 . 2010-11-27 01:02 17720 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2012-06-03 20:41 . 2012-05-24 17:48 24448 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-06-02 19:20 . 2012-06-02 19:20 -------- d-----w- c:\users\Shalabh\AppData\Roaming\IObit

2012-06-02 19:19 . 2012-06-02 19:19 -------- d-----w- c:\programdata\IObit

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-23 02:14 . 2012-04-05 00:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-23 02:14 . 2011-05-15 13:21 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-15 10:48 . 2012-03-15 02:05 68928 ----a-w- c:\windows\system32\OpenCL.dll

2012-05-15 10:48 . 2012-03-15 02:05 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-05-15 10:48 . 2011-11-18 20:50 1738048 ----a-w- c:\windows\system32\nvdispco64.dll

2012-05-15 10:48 . 2011-11-18 20:50 1468224 ----a-w- c:\windows\system32\nvgenco64.dll

2012-05-15 10:48 . 2011-06-12 00:54 8105280 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-05-15 10:48 . 2011-06-12 00:54 2741568 ----a-w- c:\windows\system32\nvapi64.dll

2012-05-15 10:48 . 2011-06-12 00:54 2368832 ----a-w- c:\windows\SysWow64\nvapi.dll

2012-05-15 10:48 . 2011-06-12 00:54 18044224 ----a-w- c:\windows\system32\nvd3dumx.dll

2012-05-15 10:48 . 2011-06-12 00:54 15322432 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-05-15 09:29 . 2011-06-12 00:57 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2012-05-15 09:29 . 2011-06-12 00:57 63296 ----a-w- c:\windows\system32\nvshext.dll

2012-05-15 09:29 . 2011-06-12 00:57 118080 ----a-w- c:\windows\system32\nvmctray.dll

2012-05-15 09:29 . 2011-06-12 00:57 3149632 ----a-w- c:\windows\system32\nvsvc64.dll

2012-05-15 09:28 . 2011-06-12 00:57 6151488 ----a-w- c:\windows\system32\nvcpl.dll

2012-05-15 09:21 . 2012-05-15 09:21 423744 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-04-18 17:08 . 2012-03-15 02:05 1451840 ----a-w- c:\windows\system32\nvhdagenco6420103.dll

2012-04-04 22:56 . 2009-06-16 00:15 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-06-30_22.29.47 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-02-18 02:19 . 2012-07-01 16:16 29582 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1317974818-1678399554-1570300057-1001_UserData.bin

- 2008-02-18 02:19 . 2012-06-30 17:17 29582 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1317974818-1678399554-1570300057-1001_UserData.bin

- 2008-02-17 20:29 . 2012-06-30 13:16 22870 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1317974818-1678399554-1570300057-1000_UserData.bin

+ 2008-02-17 20:29 . 2012-07-01 13:26 22870 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1317974818-1678399554-1570300057-1000_UserData.bin

+ 2012-07-01 16:14 . 2012-07-01 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-06-30 17:15 . 2012-06-30 17:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-06-30 17:15 . 2012-06-30 17:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2012-07-01 16:14 . 2012-07-01 16:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2007-12-04 18:05 . 2012-07-01 16:16 104704 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2006-11-02 15:45 . 2012-07-01 16:16 206170 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin

- 2008-02-17 20:25 . 2012-06-30 17:15 475136 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2008-02-17 20:25 . 2012-07-01 19:03 475136 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2011-02-11 09:16 . 2012-06-30 14:50 526600 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-02-11 09:16 . 2012-07-01 14:47 526600 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2008-02-17 20:25 . 2012-06-30 17:15 5144576 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2008-02-17 20:25 . 2012-07-01 19:03 5144576 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2008-05-09 04:02 . 2012-07-01 00:13 2385600 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

- 2008-05-09 04:02 . 2012-06-30 07:48 2385600 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

+ 2011-04-11 06:32 . 2012-07-01 14:47 5027508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1317974818-1678399554-1570300057-1000-8192.dat

+ 2008-02-17 20:25 . 2012-07-01 19:03 16187392 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2008-02-17 20:25 . 2012-06-30 17:15 16187392 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2011-04-08 08:04 . 2012-07-01 07:22 63133672 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1317974818-1678399554-1570300057-1001-8192.dat

+ 2011-10-31 07:55 . 2012-07-01 14:47 24284919 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1317974818-1678399554-1570300057-1000-4096.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BTBFirstRun"="c:\program files (x86)\Hewlett-Packard\SDP\hprun.exe" [2007-07-19 20480]

"googletalk"="c:\users\Amitabh\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-09 65536]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-18 1484856]

"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]

S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-05-26 913792]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 02:14]

.

2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000Core.job

- c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33]

.

2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1000UA.job

- c:\users\Amitabh\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-15 20:33]

.

2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001Core.job

- c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58]

.

2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1317974818-1678399554-1570300057-1001UA.job

- c:\users\Shalabh\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-27 16:58]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Shalabh\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2007-10-25 5430272]

"LXCRCATS"="c:\windows\system32\spool\DRIVERS\x64\3\LXCRtime.dll" [2006-11-21 31744]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://cm.my.yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105

LSP: c:\windows\system32\wpclsp.dll

Trusted Zone: att.com

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.1.254

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Amitabh\AppData\Roaming\Mozilla\Firefox\Profiles\up9n5bpd.default\

FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]

"ImagePath"="\??\c:\program files (x86)\HP\DVDPlay\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-07-01 14:27:10

ComboFix-quarantined-files.txt 2012-07-01 21:27

ComboFix2.txt 2012-06-30 22:39

.

Pre-Run: 167,281,922,048 bytes free

Post-Run: 167,071,113,216 bytes free

.

- - End Of File - - F8788B3D96E30C3C9A61937CF07416E9


I've decided to reformat my hard drive; my dad bought me a Windows 7 upgrade.

I have just one more question, though, if you have the answer. Do you know if I can do a clean install (format and install) from the Windows 7 upgrade disc?

Or will I have to use the Vista recovery discs to reformat and then install Windows 7?
