
Please help me clean up my desktop



I found out about a week ago that someone from Poland logged into my Yahoo mail account and sent spam messages to all of my online contacts. I have been working through this forum to help clean up my laptop, which is my main computer. I had my son scan his computer's full disk drive to see what viruses his had, since I occasionally use his computer. He wrote on a piece of paper that the scan found pup.bundleoffers.IIQ and pup.bundleIstaller.BT viruses. I don't know what software he used, and he is gone for a week, so I cannot ask him to post the log.

I just ran a full disk scan with Malwarebytes and it didn't find any current viruses. The log for it is below:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.05.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Wanda :: DELL-DESKTOP [administrator]

7/5/2012 9:18:23 AM

mbam-log-2012-07-05 (09-18-23).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 632954

Time elapsed: 1 hour(s), 54 minute(s), 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

However, I know from trying to clean up all the viruses on my laptop that a clean Malwarebytes report doesn't always mean that there is no rootkit or other deeper virus. I would like this forum's help to also verify there are no viruses on my son's desktop.

Below is his DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Wanda at 15:05:40 on 2012-07-05

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4050 [GMT -5:00]

.

AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: ZoneAlarm Extreme Security Anti-Spyware *Enabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}

FW: ZoneAlarm Extreme Security Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Secunia\PSI\sua.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\taskhost.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Windows\System32\GfxUI.exe

C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe

C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\PROGRA~2\CHECKP~1\ZONEAL~1\MAILFR~1\mantispm.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9

uDefault_Search_URL = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://verizon.yahoo.com

uWindow Title = Windows Internet Explorer provided by Yahoo!

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: Verizon Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll

TB: {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot

mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"

mRun: [WinPatrol [FREE Edition]] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot

mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MI3DFC~1\OFFICE11\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

Trusted Zone: metlife.com\mybenefits

Trusted Zone: microsoft.com\www.update

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll

DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://ra.fanniemae.com/InternalSite/WhlCompMgr.cab

DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} - hxxp://clients.futuremark.com/calico/systeminfodeploy/FMSI_v420.cab

DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - hxxp://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://rsvpn.raytheon.com/dana-cached/sc/JuniperSetupClient.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{9624504E-F0FC-447F-B3B9-E23AF0FF6045} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

BHO-X64: 0x1 - No File

BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO-X64: HP Print Enhancer - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO-X64: McAfee Phishing Filter - No File

BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

BHO-X64: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll

BHO-X64: ZoneAlarm Security Engine Registrar - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

BHO-X64: HP Smart BHO Class - No File

TB-X64: Verizon Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll

TB-X64: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll

TB-X64: {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - No File

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot

mRun-x64: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"

mRun-x64: [WinPatrol [FREE Edition]] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe -expressboot

mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup

mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start

IE-X64: {2670000A-7350-4f3c-8081-5663EE0C6C49}

IE-X64: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}

IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2012-07-03 21:07:41 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAC5B21C-37A0-437F-B6E2-D061FE789F26}\mpengine.dll

2012-07-02 19:37:59 -------- d-----w- C:\Users\Wanda\AppData\Local\Sony

2012-07-02 19:30:26 -------- d-----w- C:\Users\Wanda\AppData\Roaming\Roxio Log Files

2012-07-02 17:21:56 -------- d-----w- C:\Users\Wanda\AppData\Roaming\PDAppFlex

2012-07-01 13:05:45 33856 ---ha-w- C:\Windows\System32\hamachi.sys

2012-07-01 13:05:32 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi

2012-06-26 13:32:17 -------- d-----w- C:\Program Files (x86)\Microsoft XNA

2012-06-25 21:17:28 -------- d-----w- C:\Windows\SysWow64\directx

2012-06-25 16:46:08 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-25 16:45:43 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-25 16:45:19 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-25 16:45:19 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-22 20:18:24 955800 ----a-w- C:\Windows\System32\npDeployJava1.dll

2012-06-18 21:29:09 -------- d-----w- C:\Program Files (x86)\The Game Creators

2012-06-14 18:00:22 -------- d-----r- C:\Program Files (x86)\Skype

2012-06-14 01:37:48 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-06-14 01:37:48 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-06-14 01:37:48 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-06-14 01:36:52 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-06-14 01:36:26 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-06-14 01:36:25 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-06-14 01:36:25 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-06-14 01:35:56 3146752 ----a-w- C:\Windows\System32\win32k.sys

2012-06-14 01:35:29 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-06-14 01:35:01 3216384 ----a-w- C:\Windows\System32\msi.dll

2012-06-14 01:35:01 2342400 ----a-w- C:\Windows\SysWow64\msi.dll

2012-06-14 01:34:39 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-06-14 01:34:39 1462272 ----a-w- C:\Windows\System32\crypt32.dll

2012-06-14 01:34:39 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-06-14 01:34:39 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-06-14 01:34:38 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-06-14 01:34:38 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2012-06-12 17:13:43 -------- d-----w- C:\Program Files (x86)\Movie Maker 2.6

2012-06-12 15:48:26 -------- d-----w- C:\ProgramData\Verizon

2012-06-12 15:38:25 -------- d-----w- C:\Program Files (x86)\Verizon

2012-06-11 16:03:42 -------- d-----w- C:\Program Files (x86)\Port Forwarding Wizard

2012-06-11 15:06:34 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe

2012-06-11 14:59:40 -------- d-----w- C:\Program Files (x86)\NCH Software

2012-06-11 14:45:19 -------- d-----w- C:\Program Files (x86)\Adobe Download Assistant

2012-06-09 21:56:44 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll

.

==================== Find3M ====================

.

2012-07-02 00:42:17 70344 ------w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-02 00:42:17 426184 ------w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-05-28 16:33:25 98304 ------w- C:\Windows\SysWow64\CmdLineExt.dll

2012-05-18 03:07:39 772552 ------w- C:\Windows\SysWow64\npDeployJava1.dll

2012-05-18 03:07:39 687560 ------w- C:\Windows\SysWow64\deployJava1.dll

2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll

2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-05-05 20:11:11 8769696 ------w- C:\Windows\SysWow64\FlashPlayerInstaller.exe

2012-05-04 23:32:56 839056 ----a-w- C:\Windows\System32\deployJava1.dll

.

============= FINISH: 15:11:42.80 ===============

Here is the attach log:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 2/24/2011 5:00:40 PM

System Uptime: 7/5/2012 3:00:15 PM (0 hours ago)

.

Motherboard: Dell Inc. | | 0C2KJT

Processor: Intel® Core i3 CPU 550 @ 3.20GHz | CPU 1 | 1184/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 918 GiB total, 802.78 GiB free.

D: is CDROM ()

E: is Removable

F: is Removable

G: is Removable

H: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

Description: Photosmart Premium C309g-m

Device ID: ROOT\IMAGE\0000

Manufacturer: HP

Name: Photosmart Premium C309g-m

PNP Device ID: ROOT\IMAGE\0000

Service: StillCam

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Photosmart Premium C309g-m

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP

Name: Photosmart Premium C309g-m

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Download Assistant

Adobe Flash Player 11 ActiveX

Adobe Help Manager

Adobe Reader X (10.1.3)

AnswerWorks 5.0 English Runtime

Belkin F6D4050 Enhanced Wireless USB Adapter

BufferChm

C309g-m

Compatibility Pack for the 2007 Office system

Consumer In-Home Service Agreement

CRT-71

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Dell DataSafe Online

Dell DataSafe Local Backup

Dell DataSafe Local Backup - Support Software

Dell Stage

Destinations

DeviceDiscovery

DiskCheckup v3.0.1006

eReg

Evernote v. 4.5.4

GPBaseService2

HP Update

HPDiagnosticAlert

HPPhotoGadget

hpPrintProjects

HPProductAssistant

hpWLPGInstaller

HyperCam 2

IBM Installation Manager

InstallIQ Updater

Intel® Graphics Media Accelerator Driver

Internet Explorer

Java Auto Updater

Java 6 Update 33

Java 7 Update 5

Junk Mail filter update

LogMeIn Hamachi

MailStore Home 4.2.0.5431

Malwarebytes Anti-Malware version 1.61.0.1400

MarketResearch

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Access 2010

Microsoft Application Error Reporting

Microsoft ASP.NET MVC 2

Microsoft Forefront UAG endpoint components v4.0.0

Microsoft Home Publishing 2000

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access 2010

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Click-to-Run 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office File Validation Add-In

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Standard Edition 2003

Microsoft Office Starter 2010 - English

Microsoft Office Word MUI (English) 2010

Microsoft SQL Server 2008 Browser

Microsoft SQL Server 2008 R2 Management Objects

Microsoft SQL Server Database Publishing Wizard 1.4

Microsoft SQL Server System CLR Types

Microsoft XNA Framework Redistributable 4.0

microsoft.vs6

Microsoft_VC80_CRT_x86

Microsoft_VC90_CRT_x86

MSVCRT

MSVCRT Redists

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP3 Parser (KB973685)

msxml4sys32

Multimedia Card Reader

Norton Security Scan

Picasa 3

Portal

PS_AIO_06_C309g-m_SW_Min

RCT3 Soaked

Realtek High Definition Audio Driver

Redist

RollerCoaster Tycoon 3

RummyRoyal.com

Scan

Secunia PSI (2.0.0.3001)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Skype™ 5.10

SmartWebPrinting

SolutionCenter

SpywareBlaster 4.4

sqaote32

Status

Steam

SugarSync Manager

Terraria

Toolbox

TrayApp

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

VC 9.0 Runtime

Ventrilo Client

Verizon Media Manager

Verizon Yahoo! Applications

VideoPad Video Editor

VLC media player 2.0.1

WavePad Sound Editor

WeatherBug

WebReg

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Movie Maker 2.6

Windows SDK IntellisenseNFX

WinRAR 4.11 (32-bit)

ZoneAlarm Antivirus

ZoneAlarm DataLock

ZoneAlarm Extreme Security

ZoneAlarm Firewall

ZoneAlarm Security

.

==== Event Viewer Messages From Past Week ========

.

7/5/2012 3:11:53 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

7/5/2012 3:04:19 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

7/4/2012 1:00:23 PM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.

7/4/2012 1:00:21 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Application Virtualization Client service to connect.

7/4/2012 1:00:21 PM, Error: Service Control Manager [7000] - The Application Virtualization Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

7/3/2012 4:02:54 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.129.902.0).

7/3/2012 3:52:42 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

7/3/2012 3:52:02 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: D@01010004

7/2/2012 6:57:27 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.5. The computer with the IP address 192.168.1.8 did not allow the name to be claimed by this computer.

7/2/2012 1:41:06 PM, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

7/1/2012 8:06:19 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LogMeIn Hamachi Tunneling Engine service to connect.

7/1/2012 8:06:19 AM, Error: Service Control Manager [7000] - The LogMeIn Hamachi Tunneling Engine service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

7/1/2012 8:05:46 AM, Error: Service Control Manager [7030] - The LogMeIn Hamachi Tunneling Engine service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

7/1/2012 8:02:25 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IBM Rational ClearQuest Mail Service service to connect.

7/1/2012 8:02:25 AM, Error: Service Control Manager [7000] - The IBM Rational ClearQuest Mail Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

7/1/2012 7:38:17 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server (SQLEXPRESS) service to connect.

7/1/2012 7:38:17 PM, Error: Service Control Manager [7000] - The SQL Server (SQLEXPRESS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

6/30/2012 3:37:08 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer TOSHIBALAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{9624504E-F0FC-447F-B3B9-E23AF0FF6045}. The master browser is stopping or an election is being forced.

6/29/2012 2:28:15 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Client Virtualization Handler service to connect.

6/29/2012 2:28:15 PM, Error: Service Control Manager [7000] - The Client Virtualization Handler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

.

==== End Of File ===========================

My son has been complaining the computer has been slower than normal the past few weeks but I don't have any details.

Thank you for your time in helping me,

Wanda


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 (if using this link, right-click and select Save As).

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


The link above is for a different computer than the one I posted logs for in this thread. We have two computers. The first forum posting was for my laptop that I primarily use. The second posting is for my son's computer that I use occasionally. I still need help in cleaning up this desktop since I don't want to run tools without direction from knowledgeable people in this forum.


Yes, this is a post for the second computer, my son's, and not the one you already helped me clean up.

I ran the ComboFix scan on this computer this morning. It ran much faster than my first laptop scan. Below is the log from the scan:

ComboFix 12-07-07.04 - Zachary 07/07/2012 10:46:35.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.3957 [GMT -5:00]

Running from: c:\users\Zachary\Desktop\ComboFix.exe

FW: ZoneAlarm Extreme Security Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: ZoneAlarm Extreme Security Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Wanda\Documents\~WRL2629.tmp

c:\users\Zachary\AppData\Local\Temp\IswTmp\WH\0

.

.

((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))

.

.

2012-07-07 15:58 . 2012-07-07 15:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-02 19:37 . 2012-07-02 19:37 -------- d-----w- c:\users\Wanda\AppData\Roaming\Sony

2012-07-02 19:37 . 2012-07-02 19:37 -------- d-----w- c:\users\Wanda\AppData\Local\Sony

2012-07-02 19:30 . 2012-07-02 19:30 -------- d-----w- c:\users\Wanda\AppData\Roaming\Roxio Log Files

2012-07-02 17:21 . 2012-07-02 17:21 -------- d-----w- c:\users\Wanda\AppData\Roaming\PDAppFlex

2012-07-01 13:05 . 2009-03-18 22:35 33856 ---ha-w- c:\windows\system32\hamachi.sys

2012-07-01 13:05 . 2012-07-01 13:05 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi

2012-06-28 20:25 . 2012-06-28 20:25 -------- d-----w- c:\users\Zachary\AppData\Roaming\Malwarebytes

2012-06-26 13:32 . 2012-06-26 13:32 -------- d-----w- c:\program files (x86)\Microsoft XNA

2012-06-25 16:46 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-25 16:46 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-25 16:46 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-25 16:46 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-25 16:45 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-25 16:45 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-25 16:45 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-25 16:45 . 2012-06-02 20:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-25 16:45 . 2012-06-02 20:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-22 20:18 . 2012-05-04 23:33 955800 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-06-19 15:05 . 2012-06-26 23:52 -------- d-----w- c:\users\Zachary\AppData\Local\Eclipse

2012-06-19 15:04 . 2012-06-22 20:31 -------- d-----w- c:\users\Zachary\workspace

2012-06-18 21:38 . 2012-06-18 21:38 -------- d-----w- c:\users\Zachary\AppData\Roaming\CodeBlocks

2012-06-18 21:29 . 2012-06-19 00:54 -------- d-----w- c:\program files (x86)\The Game Creators

2012-06-14 18:00 . 2012-07-07 15:31 -------- d-----w- c:\users\Zachary\AppData\Roaming\Skype

2012-06-14 18:00 . 2012-07-07 15:30 -------- d-----r- c:\program files (x86)\Skype

2012-06-14 18:00 . 2012-06-14 18:00 -------- d-----w- c:\program files (x86)\Common Files\Skype

2012-06-14 01:37 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-14 01:37 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-14 01:37 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-14 01:36 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll

2012-06-14 01:36 . 2012-05-04 11:06 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-06-14 01:36 . 2012-05-04 10:03 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-06-14 01:36 . 2012-05-04 10:03 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-06-14 01:35 . 2012-05-15 01:32 3146752 ----a-w- c:\windows\system32\win32k.sys

2012-06-14 01:35 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-14 01:35 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll

2012-06-14 01:35 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll

2012-06-14 01:34 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-14 01:34 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-14 01:34 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll

2012-06-14 01:34 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll

2012-06-14 01:34 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll

2012-06-14 01:34 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll

2012-06-12 17:28 . 2012-06-22 15:52 -------- d-----w- c:\users\Zachary\AppData\Local\WMTools Downloaded Files

2012-06-12 17:13 . 2012-06-12 17:13 -------- d-----w- c:\program files (x86)\Movie Maker 2.6

2012-06-12 15:48 . 2012-06-12 15:48 -------- d-----w- c:\users\Zachary\AppData\Roaming\Verizon

2012-06-12 15:48 . 2012-06-12 15:48 -------- d-----w- c:\programdata\Verizon

2012-06-12 15:38 . 2012-06-12 15:38 -------- d-----w- c:\program files (x86)\Verizon

2012-06-11 20:27 . 2012-06-11 20:48 -------- d-----w- c:\users\Zachary\AppData\Local\Roblox

2012-06-11 16:20 . 2012-06-11 16:20 -------- d-----w- c:\users\Zachary\AppData\Local\APN

2012-06-11 16:03 . 2012-07-02 19:30 -------- d-----w- c:\program files (x86)\Port Forwarding Wizard

2012-06-11 15:06 . 2012-06-11 15:06 -------- d-----w- c:\programdata\regid.1986-12.com.adobe

2012-06-11 15:02 . 2012-06-18 15:04 -------- d-----w- c:\programdata\NCH Software

2012-06-11 14:59 . 2012-06-19 00:56 -------- d-----w- c:\program files (x86)\NCH Software

2012-06-11 14:59 . 2012-06-18 15:04 -------- d-----w- c:\users\Zachary\AppData\Roaming\NCH Software

2012-06-11 14:46 . 2012-06-11 14:55 -------- d-----w- c:\users\Zachary\Adobe Premiere Pro CS6

2012-06-11 14:45 . 2012-06-11 14:45 -------- d-----w- c:\users\Zachary\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-06-11 14:45 . 2012-06-11 14:45 -------- d-----w- c:\program files (x86)\Adobe Download Assistant

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-02 19:11 . 2011-06-03 22:19 540896 ----a-w- c:\programdata\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll

2012-07-02 00:42 . 2012-03-28 12:40 426184 ------w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-07-02 00:42 . 2011-06-07 16:40 70344 ------w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-10 12:58 . 2011-02-25 16:34 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll

2012-06-10 12:58 . 2011-02-25 15:30 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll

2012-06-09 21:56 . 2012-06-09 21:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll

2012-05-31 17:25 . 2011-09-22 17:57 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-05-31 04:04 . 2012-07-06 19:25 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{53AB1619-7578-47E4-8F8E-985F66686DF8}\mpengine.dll

2012-05-28 16:33 . 2012-05-28 16:33 98304 ------w- c:\windows\SysWow64\CmdLineExt.dll

2012-05-18 03:07 . 2012-05-18 03:09 772552 ------w- c:\windows\SysWow64\npDeployJava1.dll

2012-05-18 03:07 . 2011-02-22 17:40 687560 ------w- c:\windows\SysWow64\deployJava1.dll

2012-05-05 20:11 . 2012-04-14 11:11 8769696 ------w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2012-05-04 23:32 . 2011-02-22 17:40 839056 ----a-w- c:\windows\system32\deployJava1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-05-27 1242448]

"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 44544]

"Verizon Media Manager"="c:\program files (x86)\Verizon\Verizon Media Manager\Release\Verizon Media Manager.exe" [2012-05-09 1523712]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-03 17417392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2011-02-13 325000]

"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2011-10-26 73360]

"WinPatrol [FREE Edition]"="c:\program files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" [2011-02-13 20:20 325000]

"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-10-20 1118040]

"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2012-02-01 968048]

"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-06-27 1996200]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 0047471314372254mcinstcleanup;McAfee Application Installer Cleanup (0047471314372254);c:\windows\TEMP\004747~1.EXE [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-02 257224]

R3 cpuz135;cpuz135;c:\windows\TEMP\cpuz135\cpuz135_x64.sys [x]

R3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\DOWNLO~1\DMService.exe [2011-11-28 487312]

R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2011-10-19 45448]

R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]

R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [x]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 17976]

R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-01-10 993848]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-25 1255736]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]

S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-10-14 11864]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-11-01 140672]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]

S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-06-27 2369960]

S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-10-19 33672]

S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-10-19 827520]

S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]

S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-01-10 399416]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]

S2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [2010-11-25 150928]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 271872]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-10-16 321064]

S3 netr28ux;Belkin USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2009-08-06 987648]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 00:42]

.

2012-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1003Core.job

- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 00:06]

.

2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1003UA.job

- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 00:06]

.

2012-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1004Core.job

- c:\users\Zachary\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 23:21]

.

2012-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1145637048-450267307-2219416244-1004UA.job

- c:\users\Zachary\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-24 23:21]

.

2012-03-07 c:\windows\Tasks\Norton Security Scan for Ben.job

- c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-14 03:43]

.

2012-07-02 c:\windows\Tasks\Norton Security Scan for Wanda.job

- c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-14 03:43]

.

2012-07-02 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]

.

2012-07-07 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 07:16]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]

@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"

[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]

2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]

@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"

[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]

2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]

@="{A759AFF6-5851-457D-A540-F4ECED148351}"

[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]

2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]

@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"

[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]

2012-06-12 00:15 463992 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" [2011-02-13 325000]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]

"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2012-02-01 2195824]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.bakugan.com/home.html

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 192.168.1.1

DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} - hxxp://clients.futuremark.com/calico/systeminfodeploy/FMSI_v420.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-AdobeBridge - (no file)

Toolbar-Locked - (no file)

WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - (no file)

HKLM-Run-ISW - (no file)

AddRemove-{90140000-0015-0409-0000-0000000FF1CE}_Office14.AccessR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-001F-0409-0000-0000000FF1CE}_Office14.AccessR_{17E7B9AB-2DD2-457D-8D8E-CD14ACA973FE} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-001F-0409-0000-0000000FF1CE}_Office14.AccessR_{99ACCA38-6DD3-48A8-96AE-A283C9759279} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-001F-040C-0000-0000000FF1CE}_Office14.AccessR_{15058154-469F-4794-ACD5-94F8420F9B80} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-001F-040C-0000-0000000FF1CE}_Office14.AccessR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.AccessR_{995A7832-B512-46D5-87C9-2D71FB541435} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.AccessR_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-002A-0409-1000-0000000FF1CE}_Office14.AccessR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-002C-0409-0000-0000000FF1CE}_Office14.AccessR_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-006E-0409-0000-0000000FF1CE}_Office14.AccessR_{4560037C-E356-444A-A015-D21F487D809E} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-006E-0409-0000-0000000FF1CE}_Office14.AccessR_{73E67A3A-8D61-44EF-90C2-1697C3DBE668} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-0115-0409-0000-0000000FF1CE}_Office14.AccessR_{4560037C-E356-444A-A015-D21F487D809E} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-0116-0409-1000-0000000FF1CE}_Office14.AccessR_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

AddRemove-{90140000-0117-0409-0000-0000000FF1CE}_Office14.AccessR_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF} - c:\program files (x86)\Common Files\Microsoft Shared\OFFICE14\Oarpmany.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

.

**************************************************************************

.

Completion time: 2012-07-07 11:14:38 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-07 16:14

.

Pre-Run: 861,820,968,960 bytes free

Post-Run: 862,948,364,288 bytes free

.

- - End Of File - - C1DA00B5EAC5775589239CF55BC01764

After the scan I let my son play on the computer a bit. He said it was about the same with his Java based games occasionally lagging a bit. I don't know if this is due to malware or not.

Thank you for your help again,

Wanda and son Zachary


I'm not seeing anything bad in that scan.

Uninstall ComboFix and run an online scan.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Next:

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Make sure that the option "Remove found threats" is Unchecked

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


Ok, the Eset Online Scan is not running correctly like on the other machine. My son did the first scan under his ID and then I did it again under my ID but we both were not able to get a full scan log to write. Once the scan downloaded the virus file updates and started, I even turned off our wireless internet access and then all firewalls and antivirus programs to make sure none of them were stopping the writing of the log.

It looked like the initial part of the log was written. Here it is below:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

We also saved the reported found items displayed at the end of the scan:

C:\Users\Ben\Desktop\Training\Oracle PeopleSoft\speedupmypc.exe Win32/SpeedUpMyPC application

C:\Users\Big Disk Backup\Laptop SyncBack\Wanda\Local Settings\Apps\2.0\712G7RZB.1KW\VGQKYAMZ.VQJ\inst..tion_d0587fc617210d12_0000.0001_fd40a442e685358f\installiqexe.exe probably a variant of Win32/InstallIQ application

I am sure that I followed your directions and did it the same as the laptop scan. Any ideas on why a full log is not writing?

Wanda


It might be an issue with Eset.

We can try another scanner.

Download Dr.Web CureIt to the desktop:

  • Double-click the drweb-cureit icon to start the program.
  • Press Start.
  • Allow the program to run the initial express scan.
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop-up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  • Once the scan is complete, the results will be displayed.
  • On the menu bar, click File and choose Report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web CureIt.
  • Please post the Dr.Web.txt report in your next reply.

Reboot the computer in Normal Mode.

Post the Cure-it report


Sorry for the delay. I ran the Dr.Web CureIt express scan under my son's account and it didn't find anything that needed to be cured. There was no scan report in the Menu bar's File report list. I did find the detailed scan log in a DoctorWeb folder under my son's C:/Users account. It is too large to paste into one post since it lists every file checked. Below are the summary results at the end:

-----------------------------------------------------------------------------

Scan statistics

-----------------------------------------------------------------------------

Scanned: 26049

Infected: 0

Modifications: 0

Suspicious: 0

Adware: 0

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 0

Deleted: 0

Renamed: 0

Moved: 0

Ignored: 0

Scan speed: 1287 Kb/s

Scan time: 0:19:22

-----------------------------------------------------------------------------

=============================================================================

Total session statistics

=============================================================================

Scanned: 26050

Infected: 0

Modifications: 0

Suspicious: 0

Adware: 0

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 0

Deleted: 0

Renamed: 0

Moved: 0

Ignored: 0

Scan speed: 1294 Kb/s

Scan time: 0:19:22

=============================================================================

Thank you for your time.

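The Dr.Web CureIt summary posted above is the kind of log a helper ends up reading by hand in many threads. The following is an added example, not code from the thread or from Dr.Web: a small Python triage helper that parses the "Scan statistics" and "Total session statistics" blocks into dictionaries and reports whether any detection counter (Infected, Suspicious, Adware, Riskware and so on) is non-zero. The sample log embedded in the script is constructed from the counts posted above, trimmed to a few lines in the second section; the block layout (a title line framed by `---`/`===` delimiter lines, then `Key: value` lines) is assumed from that post.

```python
"""Parse the summary section of a Dr.Web CureIt scan log and flag findings.

Added example (not part of the forum thread): a triage helper for the
"Scan statistics" / "Total session statistics" blocks that Dr.Web CureIt
writes at the end of its log. The sample log below is constructed from the
counts posted in the thread; the section layout is assumed to be a title
line framed by delimiter lines, followed by "Key: value" lines.
"""
import re

# Constructed sample: the summary posted in the thread, second block trimmed.
SAMPLE_LOG = """\
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 26049
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 1287 Kb/s
Scan time: 0:19:22
-----------------------------------------------------------------------------
=============================================================================
Total session statistics
=============================================================================
Scanned: 26050
Infected: 0
Adware: 0
Scan speed: 1294 Kb/s
Scan time: 0:19:22
=============================================================================
"""

# Counters that mean the scanner actually matched something on disk or in memory.
DETECTION_KEYS = ("Infected", "Modifications", "Suspicious", "Adware",
                  "Dialers", "Jokes", "Riskware", "Hacktools")

_DELIM = re.compile(r"^[-=]{5,}$")
# Key is letters/spaces up to the first colon; value is the rest (may itself
# contain colons, e.g. "Scan time: 0:19:22").
_KV = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$")


def parse_drweb_summary(text):
    """Return {section_title: {key: value}} for each statistics block.

    Purely numeric values become int; others (speed, time) stay strings.
    """
    sections = {}
    current = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if _DELIM.match(line):
            continue
        # A section title is a non "key: value" line framed by delimiter lines.
        prev_is_delim = i > 0 and bool(_DELIM.match(lines[i - 1]))
        next_is_delim = i + 1 < len(lines) and bool(_DELIM.match(lines[i + 1]))
        if prev_is_delim and next_is_delim and ":" not in line:
            current = line.strip()
            sections[current] = {}
            continue
        m = _KV.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            sections[current][key] = int(value) if value.isdigit() else value
    return sections


def detections(stats):
    """Return only the non-zero detection counters from one section's dict."""
    return {k: v for k, v in stats.items()
            if k in DETECTION_KEYS and isinstance(v, int) and v > 0}


def is_clean(text):
    """True when no section of the log reports any detection at all."""
    return all(not detections(s) for s in parse_drweb_summary(text).values())


if __name__ == "__main__":
    for title, stats in parse_drweb_summary(SAMPLE_LOG).items():
        print(f"{title}: scanned={stats.get('Scanned')} findings={detections(stats)}")
    print("clean" if is_clean(SAMPLE_LOG) else "NEEDS REVIEW")
```

Run it against the full log saved by CureIt (the file is large because it lists every scanned path, but the summary blocks are at the end, so reading the whole file and passing it in is fine). Note that `Cured`, `Deleted` and similar counters are deliberately not treated as detections: they describe actions taken, and a zero there with a non-zero `Infected` is exactly the case a helper wants flagged.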

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

