DeeMee Posted July 11, 2012 ID:569133 Share Posted July 11, 2012 Windows 7 Pro SP1 64-bit OEM CopyRam: 2.00 GB32 bitRan Malwarebytes. Scan included. Deleted all PUPs ListedRan Avast after running Malwarebytes. Had many locked files mostly from Flash. However no alerts regarding viruses or PUPs.Deleted PC OPTIMIZER with Revo Installer restarted system. PC Optimizer has not reloaded with one start. All toolbars that were listed in Revo Installer are now gone.Both Java and Flash were current before the hack. They are set to automatically download and install. Except you can't set Java to automatically install. At least I haven't found a way to do so.Windows updates is current with all security updates. It is set to automatically download and install.Attempted to change homepage many times. Winpatrol caught the change but it repeatedly continued to change the homepage. Attempted to add toolbars. One was a recipe tool bar. I don't remember the name of the other toolbar.At this time none of the previous negative occurrences are present.Ran Superantispyware and it found Trojan-Agent/Gen-Patchload. However machine is operating fine. http://www.ehow.com/how_5076859_remove-win-trojangen.htmlI removed it via Super.Have not turned off system restore yet.Ok what is important is to try to figure out how this stuff got on my mother's machine.We are running the following programs live:Avast Free (Updated to latest version today)WinPatrolComodo Free FirewallWe also run the following on demand programs:Superantispyware--although it loads as if it is liveMalwarebytesSpybotSywareblasterI usually run the on demand programs once or every other week.The issue is making sure --as much as we can, I know that there is not a guarantee--that the software is off of the system and figure out whether there are any vulnerabilities that would allow it to reinfect.There are six accounts on this computer. One admin account. One is used for a guest account--renamed--and the rest are limited user accounts or rather standard user accounts. I have now required everyone that uses this computer to have a password.How did it get past Avast? Not only that even when it was absolutely clear that, at least, I had PUPs on my machine it did not awknowledge them.============================================MALWAREBYTES SCAN:Malwarebytes Anti-Malware 1.61.0.1400www.malwarebytes.orgDatabase version: v2012.07.10.11Windows 7 Service Pack 1 x86 NTFSInternet Explorer 9.0.8112.16421Pauline B Wilis :: PBW [administrator]7/10/2012 1:47:19 PMmbam-log-2012-07-10 (15-02-57).txtScan type: Full scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 421054Time elapsed: 1 hour(s), 6 minute(s), 3 second(s)Memory Processes Detected: 2C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14SrchMn.exe (PUP.MyWebSearch) -> 5508 -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14brmon.exe (PUP.MyWebSearch) -> 5920 -> No action taken.Memory Modules Detected: 3C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14brstub.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14hkstub.dll (PUP.MyWebSearch) -> No action taken.Registry Keys Detected: 79HKLM\SYSTEM\CurrentControlSet\Services\TotalRecipeSearch_14Service (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{a0154e07-2b48-475c-a82a-80efd84ea33e} (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TotalRecipeSearch_14bar Uninstall (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{ab56dfde-0c14-45b3-9df6-7b0eba617870} (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) -> No action taken.HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{8a7d2060-824d-4b17-b00a-759b1b5f30d9} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{df22384f-cf68-4d19-969f-10423715528b} (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) -> No action taken.HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{8c4b563e-52a1-4a10-b700-f8bf1cd7b726} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.MultipleButton.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.MultipleButton (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{9e5c950c-93f2-46b4-a47e-8450fff4d841} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{398035f8-0621-4534-aef6-b5592a68f6d8} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{9A74121D-E910-4C66-8CBC-2A342BD03EB5} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{b5ede79d-b004-47dd-93f9-152b0d145914} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{bcf02409-9333-44e7-96e8-01890ea9d58e} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{4FFED4E7-CF5A-467C-965C-0E425314E0CF} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{d0dabaca-3c45-4ee9-b0da-533cad1985b0} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.DynamicBarButton.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.DynamicBarButton (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{e1f82c34-7195-49a8-9c9b-47c064c22132} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{b7b60f9d-f1e4-4694-9a40-1538ea07a795} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{C76ED8C1-24E5-43A8-807F-448264610140} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.FeedManager.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.FeedManager (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{b38fbaed-ded1-4ba6-ba2e-f2515fd49442} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{ffed91ad-6369-48f5-b351-2a42d09cb27c} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{6A6B3763-2264-4710-B165-26DB0B35920C} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.HTMLPanel.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.HTMLPanel (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B38FBAED-DED1-4BA6-BA2E-F2515FD49442} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{A4503EC3-1111-4B62-8F46-0D88508F8A7B} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.HTMLMenu.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.HTMLMenu (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A4503EC3-1111-4B62-8F46-0D88508F8A7B} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{895f3dbd-2484-4a14-a0ea-c3252ebb0ff7} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{529b4045-715c-46e7-bc81-81e3aaec9060} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{23A73CDC-711C-4D7E-AECC-D9AECFA152AA} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{96b8a0ef-0d9d-4a92-b548-376db4bbb58b} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{ee201ae6-533c-4947-97ea-12627d4854a0} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{4A80A60D-BDEF-4D70-BCCC-D0DAD25FF951} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.XMLSessionPlugin.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.XMLSessionPlugin (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{96B8A0EF-0D9D-4A92-B548-376DB4BBB58B} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{396a4e14-83e7-4941-b0d9-b598e1b97197} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{829e44ed-cb4f-4ccc-990f-428fbd0b128a} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{D70D51A6-C90C-4BF4-9C91-DC0B943754DE} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.RadioSettings.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.RadioSettings (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{a9c524bf-4044-402a-aa00-8c3b3da86125} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.ScriptButton.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.ScriptButton (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{03f3147c-cea6-4aae-b0ae-8d8abe7a8080} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{06a16622-19d9-47e8-9fec-6ca8cf275bd7} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{81C8B625-F505-4E26-84F9-207AF4240B00} (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{03F3147C-CEA6-4AAE-B0AE-8D8ABE7A8080} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{2502086b-5a46-4d05-8d5b-a1e77ab8bb32} (PUP.MyWebSearch) -> No action taken.HKCR\TypeLib\{cc748b11-e10d-4c87-9a24-93e429fdd1fd} (PUP.MyWebSearch) -> No action taken.HKCR\Interface\{2D465563-7CA8-45EC-83F2-6F5C293762F3} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.ThirdPartyInstaller.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.ThirdPartyInstaller (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2502086B-5A46-4D05-8D5B-A1E77AB8BB32} (PUP.MyWebSearch) -> No action taken.HKCR\CLSID\{f7921d9c-168a-40ee-a4a9-42dd202b0bb4} (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.UrlAlertButton.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.UrlAlertButton (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.PseudoTransparentPlugin (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.PseudoTransparentPlugin.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.Radio (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.Radio.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.SettingsPlugin (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.SettingsPlugin.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.SkinLauncher (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.SkinLauncher.1 (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.SkinLauncherSettings (PUP.MyWebSearch) -> No action taken.HKCR\TotalRecipeSearch_14.SkinLauncherSettings.1 (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\TotalRecipeSearch_14 (PUP.MyWebSearch) -> No action taken.HKLM\SOFTWARE\MozillaPlugins\@TotalRecipeSearch_14.com/Plugin (PUP.MyWebSearch) -> No action taken.Registry Values Detected: 7HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) -> Data: -> No action taken.HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{8A7D2060-824D-4B17-B00A-759B1B5F30D9} (PUP.MyWebSearch) -> Data: -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TotalRecipeSearch Search Scope Monitor (PUP.MyWebSearch) -> Data: "C:\PROGRA~1\TOTALR~2\bar\1.bin\14srchmn.exe" /m=2 /w /h -> No action taken.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TotalRecipeSearch_14 Browser Plugin Loader (PUP.MyWebSearch) -> Data: C:\PROGRA~1\TOTALR~2\bar\1.bin\14brmon.exe -> No action taken.HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{8a7d2060-824d-4b17-b00a-759b1b5f30d9} (PUP.MyWebSearch) -> Data: -> No action taken.HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a0154e07-2b48-475c-a82a-80efd84ea33e} (PUP.MyWebSearch) -> Data: -> No action taken.HKLM\SOFTWARE\Mozilla\Firefox\Extensions|14ffxtbr@TotalRecipeSearch_14.com (PUP.MyWebSearch) -> Data: C:\Program Files\TotalRecipeSearch_14\bar\1.bin -> No action taken.Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 35C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14barsvc.exe (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14brstub.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14bar.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14SrchMn.exe (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14hkstub.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14brmon.exe (PUP.MyWebSearch) -> No action taken.C:\Users\Anthony\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\00KO9XMB\TotalRecipeSearch.exe (PUP.FunWebProducts) -> No action taken.C:\Users\Anthony\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0AP6NQGR\RecipeHub.exe (PUP.FunWebProducts) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14mlbtn.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14auxstb.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14datact.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14dlghk.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14dyn.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14feedmg.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14highin.exe (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14html.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14htmlmu.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14httpct.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14idle.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14ieovr.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14impipe.exe (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14medint.exe (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14msg.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14Plugin.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14radio.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14regfft.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14reghk.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14regiet.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14script.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14skin.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14skplay.exe (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14tpinst.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14uabtn.dll (PUP.MyWebSearch) -> No action taken.C:\Program Files\TotalRecipeSearch_14\bar\1.bin\NP14Stub.dll (PUP.MyWebSearch) -> No action taken.(end)=========================SUPERAntiSpyware Scan Loghttp://www.superantispyware.comGenerated 07/10/2012 at 06:33 PMApplication Version : 5.1.1002Core Rules Database Version : 8875Trace Rules Database Version: 6687Scan type : Complete ScanTotal Scan Time : 00:36:39Operating System InformationWindows 7 Professional 32-bit, Service Pack 1 (Build 6.01.7601)UAC On - Limited UserMemory items scanned : 646Memory threats detected : 0Registry items scanned : 33674Registry threats detected : 0File items scanned : 55875File threats detected : 103Adware.Tracking CookieC:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\GWTL3M8N.txt [ Cookie:anthony@findlaw.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\MULPR138.txt [ Cookie:anthony@c.atdmt.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\RUY271Y9.txt [ Cookie:anthony@collective-media.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\17NO4O0Q.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/984328609/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\ID128LTE.txt [ Cookie:anthony@questionmarket.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\HMHHYJ3N.txt [ Cookie:anthony@tribalfusion.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\79EZTSTU.txt [ Cookie:anthony@invitemedia.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\406H5GTL.txt [ Cookie:anthony@server.iad.liveperson.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\JNYWNW25.txt [ Cookie:anthony@lfstmedia.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\L9N8EZ0V.txt [ Cookie:anthony@at.atwola.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\U15VXSEV.txt [ Cookie:anthony@yieldmanager.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\UGHN9K0F.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/968198462/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\HTEAJ14R.txt [ Cookie:anthony@www.burstnet.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\BEZ1JOVR.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/1072738770/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\SAR127IZ.txt [ Cookie:anthony@traveladvertising.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\99ZQYPJA.txt [ Cookie:anthony@mediaplex.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\JCS69BZU.txt [ Cookie:anthony@prnewswire.122.2o7.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\AGPESJS6.txt [ Cookie:anthony@doubleclick.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\TQPFXH1P.txt [ Cookie:anthony@a1.interclick.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\RKEJC5MW.txt [ Cookie:anthony@imrworldwide.com/cgi-bin ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\05V1H133.txt [ Cookie:anthony@zedo.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\TDJKZHGK.txt [ Cookie:anthony@msnbc.112.2o7.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\2XSQD3B2.txt [ Cookie:anthony@statse.webtrendslive.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\MAR7P339.txt [ Cookie:anthony@advertising.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\SOQF5G31.txt [ Cookie:anthony@apmebf.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\FE1VHDXF.txt [ Cookie:anthony@interclick.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\RJNS7NPD.txt [ Cookie:anthony@johnhancockfinancialservices.122.2o7.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\MMWB5ZJJ.txt [ Cookie:anthony@adbrite.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\NPVYX2AR.txt [ Cookie:anthony@revsci.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\P603TJXM.txt [ Cookie:anthony@intermundomedia.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\J161LUJX.txt [ Cookie:anthony@pointroll.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\8K0WS2XI.txt [ Cookie:anthony@lucidmedia.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\BEGV773H.txt [ Cookie:anthony@liveperson.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\6DD6UV7A.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/1005970738/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\UBRMLP7K.txt [ Cookie:anthony@tacoda.at.atwola.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\J8KGTHP2.txt [ Cookie:anthony@adsonar.com/adserving ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\WN5CEZ18.txt [ Cookie:anthony@serving-sys.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\DUSC9KJ5.txt [ Cookie:anthony@kanoodle.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\B8R10NCX.txt [ Cookie:anthony@liveperson.net/hc/23818417 ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\XTB417ZX.txt [ Cookie:anthony@msn.com/investments/find-symbol/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\3Y1AV3LK.txt [ Cookie:anthony@ad.yieldmanager.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\D9G58FQX.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/964167311/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\WQZG6G4N.txt [ Cookie:anthony@kontera.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\5Q39JEJG.txt [ Cookie:anthony@media2.legacy.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\9H2M525U.txt [ Cookie:anthony@legolas-media.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\0QZ2XAYV.txt [ Cookie:anthony@casalemedia.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\9G3AIIFR.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/949500792/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\WNPW97JR.txt [ Cookie:anthony@adtech.de/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\VQR8BI7D.txt [ Cookie:anthony@pro-market.net/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\OJEK4H92.txt [ Cookie:anthony@adserver.adtechus.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\YCZ6AJJ1.txt [ Cookie:anthony@burstnet.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\8O6W99BA.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/1004552843/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\JYCCAIXL.txt [ Cookie:anthony@media6degrees.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\3A095GCF.txt [ Cookie:anthony@findlaw.com/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\BTXYE1BT.txt [ Cookie:anthony@www.googleadservices.com/pagead/conversion/1034892697/ ]C:\USERS\ANTHONY\AppData\Roaming\Microsoft\Windows\Cookies\Low\6LRJCWB6.txt [ Cookie:anthony@homestore.122.2o7.net/ ]C:\USERS\ANTHONY\Cookies\GWTL3M8N.txt [ Cookie:anthony@findlaw.com/ ]C:\USERS\PAULINE\AppData\Roaming\Microsoft\Windows\Cookies\U327BSIX.txt [ Cookie:pauline@atdmt.com/ ]C:\USERS\PAULINE\Cookies\U327BSIX.txt [ Cookie:pauline@atdmt.com/ ]C:\USERS\PAULINE B WILIS\AppData\Roaming\Microsoft\Windows\Cookies\Low\J3EOTIWE.txt [ Cookie:pauline b wilis@revsci.net/ ]C:\USERS\YALE\AppData\Roaming\Microsoft\Windows\Cookies\Low\0FU76QH6.txt [ Cookie:yale@c.atdmt.com/ ]C:\USERS\YALE\AppData\Roaming\Microsoft\Windows\Cookies\Low\28EKWHBY.txt [ Cookie:yale@atdmt.com/ ]C:\USERS\YALE\AppData\Roaming\Microsoft\Windows\Cookies\Low\FS9EI7R8.txt [ Cookie:yale@revsci.net/ ]msnbcmedia.msn.com [ C:\USERS\ANTHONY\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\L6SD9N2R ]core.saymedia.com [ C:\USERS\U\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HUYSDYBP ]s0.2mdn.net [ C:\USERS\U\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HUYSDYBP ]art.aim4media.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]cdn.complexmedianetwork.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]cdn.tremormedia.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]core.insightexpressai.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]core.saymedia.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]crackle.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]ia.media-imdb.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]media.heavy.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]objects.tremormedia.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]secure-uk.imrworldwide.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]secure-us.imrworldwide.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]static.discoverymedia.com [ C:\USERS\YALE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\ZB3J723U ]PUP.MyWebSearchC:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B3LILXHH\dcs[1].gif [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UQSTS0VO\mws-oasis-compressed[1].js [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J6JHSBSD\GGmain[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V6482029\unified[1].css [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V6482029\afs[3].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6L4IFNG2\dcs[1].gif [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C0AMBGZT\afs[4].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K1YLOLAT\GGmain[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B3LILXHH\GGmain[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C0AMBGZT\GGmain[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J6JHSBSD\afs[3].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V6482029\ads[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K1YLOLAT\GGmain[2].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\68266ZIL\ntpagetag[1].gif [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V6482029\ads[2].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3FX0UVB0\GGmain[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V6482029\GGmain[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O9PD0NUX\ntpagetag[2].gif [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O9PD0NUX\GGmain[2].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\68266ZIL\ping[11].gif [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EQAF43RD\ntpagetag[1].gif [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3FX0UVB0\ping[7].gif [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6L4IFNG2\GGmain[1].htm [ cache:mywebsearch.com ]C:\USERS\ANTHONY\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HOTJP1QL\GGmain[2].htm [ cache:mywebsearch.com ]Trojan.Agent/Gen-PatchloadC:\WINDOWS\INSTALLER\{90850409-6000-11D3-8CFE-0150048383C9}\MISC.EXE Link to post Share on other sites More sharing options...
Staff screen317 Posted July 11, 2012 Staff ID:569148 Share Posted July 11, 2012 Hi and welcome to Malwarebytes. Please update MBAM, run a Quick Scan, and post its log. Next, download DDS by sUBs and save it to your Desktop. Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply. Link to post Share on other sites More sharing options...
DeeMee Posted July 11, 2012 Author ID:569192 Share Posted July 11, 2012 As requested Malwarebytes:Malwarebytes Anti-Malware 1.61.0.1400www.malwarebytes.orgDatabase version: v2012.07.10.14Windows 7 Service Pack 1 x86 NTFSInternet Explorer 9.0.8112.16421Pauline B Wilis :: PBW [administrator]7/10/2012 8:44:31 PMmbam-log-2012-07-10 (20-44-31).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 296355Time elapsed: 4 minute(s), 18 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)===========================================DDS.DDS (Ver_2011-08-26.01) - NTFSx86Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.0Run by Pauline B Wilis at 21:14:23 on 2012-07-10Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1789.1010 [GMT -5:00].AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Program Files\COMODO\COMODO Internet Security\cmdagent.exeC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\atiesrxx.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Program Files\AVAST Software\Avast\AvastSvc.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\SUPERAntiSpyware\SASCORE.EXEC:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exeC:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exeC:\Program Files\PDF Complete\pdfsvc.exeC:\Program Files\Common Files\Protexis\License Service\PsiService_2.exeC:\Program Files\Spybot - Search & Destroy\SDWinSec.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\WUDFHost.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exeC:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exeC:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exeC:\Windows\System32\svchost.exe -k secsvcsC:\Windows\system32\atieclxx.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\system32\taskhost.exeC:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exeC:\Program Files\AVAST Software\Avast\AvastUI.exeC:\Program Files\COMODO\COMODO Internet Security\cfp.exeC:\Program Files\Microsoft IntelliType Pro\itype.exeC:\Program Files\BillP Studios\WinPatrol\WinPatrol.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXEC:\Program Files\Microsoft IntelliType Pro\dpupdchk.exeC:\Windows\notepad.exeC:\Windows\system32\ctfmon.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\conhost.exeC:\Windows\system32\wbem\wmiprvse.exe.============== Pseudo HJT Report ===============.BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dllBHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dllBHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dllTB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dlluRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exeuRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /backgroundmRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -smRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exemRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /noguimRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -hmRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressbootmRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cabDPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cabTCP: DhcpNameServer = 192.168.1.254TCP: Interfaces\{28467CAE-4A23-46EF-BFC4-BCC519B7368E} : DhcpNameServer = 192.168.1.254AppInit_DLLs: c:\windows\system32\guard32.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLLHosts: 127.0.0.1 www.spywareinfo.com.================= FIREFOX ===================.FF - ProfilePath - c:\users\pauline b wilis\appdata\roaming\mozilla\firefox\profiles\5gtdlurx.default\FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dllFF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dllFF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dllFF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dllFF - plugin: c:\windows\system32\npdeployJava1.dllFF - plugin: c:\windows\system32\npmproxy.dll.============= SERVICES / DRIVERS ===============.R0 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys [2012-2-6 64128]R0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys [2012-2-6 32384]R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-3-5 721000]R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-3-5 353688]R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 491816]R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-6-30 39640]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-1-28 172032]R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-3-5 21256]R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-3-5 57656]R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-7-10 44808]R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2010-2-11 103936]R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2010-8-20 92216]R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2012-2-6 1128952]R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-16 13880]R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-3-6 1153368]R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-1-28 5295616]R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-1-28 150016]R3 AVerAVF2;AVerAVF2;c:\windows\system32\drivers\AVerAVF2.sys [2010-11-11 1133952]R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2012-2-6 325672]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-5 136176]S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250056]S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-5 136176]S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-6 1343400].=============== Created Last 30 ================.2012-07-10 15:28:38 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{72ee03b7-061e-4c8d-8390-013a86d35bc5}\mpengine.dll2012-06-29 13:34:55 -------- d-----w- c:\programdata\PC Optimizer Pro2012-06-29 13:24:07 -------- d-----w- c:\program files\TotalRecipeSearch_142012-06-29 13:03:40 -------- d-----w- c:\program files\RecipeHub_2jEI2012-06-21 19:59:53 2422272 ----a-w- c:\windows\system32\wucltux.dll2012-06-21 19:59:46 88576 ----a-w- c:\windows\system32\wudriver.dll2012-06-21 19:59:41 33792 ----a-w- c:\windows\system32\wuapp.exe2012-06-21 19:59:41 171904 ----a-w- c:\windows\system32\wuwebv.dll2012-06-13 02:12:42 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys2012-06-13 02:12:28 58880 ----a-w- c:\windows\system32\rdpwsx.dll2012-06-13 02:12:28 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll2012-06-13 02:12:27 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe2012-06-13 02:12:26 2343936 ----a-w- c:\windows\system32\win32k.sys2012-06-13 02:12:24 2342400 ----a-w- c:\windows\system32\msi.dll2012-06-13 02:12:23 164352 ----a-w- c:\windows\system32\profsvc.dll2012-06-13 02:12:17 1158656 ----a-w- c:\windows\system32\crypt32.dll2012-06-13 02:12:16 140288 ----a-w- c:\windows\system32\cryptsvc.dll2012-06-13 02:12:16 103936 ----a-w- c:\windows\system32\cryptnet.dll.==================== Find3M ====================.2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys2012-07-03 16:21:53 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys2012-07-03 16:21:53 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr2012-06-23 00:46:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2012-06-23 00:46:37 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe2012-06-20 20:07:06 772592 ----a-w- c:\windows\system32\npdeployJava1.dll2012-06-20 20:07:06 687600 ----a-w- c:\windows\system32\deployJava1.dll2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb.============= FINISH: 21:15:11.79 =============== Link to post Share on other sites More sharing options...
DeeMee Posted July 11, 2012 Author ID:569193 Share Posted July 11, 2012 Had to turn off Avast in order for DDS to run. Link to post Share on other sites More sharing options...
Staff screen317 Posted July 11, 2012 Staff ID:569311 Share Posted July 11, 2012 Hi,Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
DeeMee Posted July 11, 2012 Author ID:569328 Share Posted July 11, 2012 I will not be able to respond until tomorrow. I don't live with my mother. I will be over there tomorrow and will spend as much time as necessary to complete the process. Link to post Share on other sites More sharing options...
Staff screen317 Posted July 11, 2012 Staff ID:569368 Share Posted July 11, 2012 Great, thank you for the update. Link to post Share on other sites More sharing options...
DeeMee Posted July 12, 2012 Author ID:569890 Share Posted July 12, 2012 Thanks for your patience. Here are both logs. I will be here until late today.ComboFix 12-07-12.02 - Pauline B Wilis 07/12/2012 13:54:12.1.2 - x86Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1789.592 [GMT -5:00]Running from: c:\users\\Desktop\ComboFix.exeAV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}* Created a new restore point..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..C:\install.exec:\program files\TotalRecipeSearch_14c:\program files\TotalRecipeSearch_14\bar\1.bin\14sknlcr.dllc:\program files\TotalRecipeSearch_14\bar\1.bin\CHROME.MANIFESTc:\program files\TotalRecipeSearch_14\bar\1.bin\chrome\14ffxtbr.jarc:\program files\TotalRecipeSearch_14\bar\1.bin\INSTALL.RDFc:\program files\TotalRecipeSearch_14\bar\1.bin\installKeys.jsc:\program files\TotalRecipeSearch_14\bar\1.bin\LOGO.BMPc:\program files\TotalRecipeSearch_14\bar\1.bin\T8RES.DLLc:\program files\TotalRecipeSearch_14\bar\gen1\COMMON.T8Sc:\program files\TotalRecipeSearch_14\bar\IE9Mesg\COMMON.T8Sc:\program files\TotalRecipeSearch_14\bar\Message\COMMON.T8Sc:\program files\TotalRecipeSearch_14\bar\Settings\s_pid.datc:\users\U\g2mdlhlpx.exe..((((((((((((((((((((((((( Files Created from 2012-06-12 to 2012-07-12 )))))))))))))))))))))))))))))))..2012-07-12 19:00 . 2012-07-12 19:00 -------- d-----w- c:\users\Pauline B Wilis\AppData\Local\temp2012-07-12 19:00 . 2012-07-12 19:00 -------- d-----w- c:\users\Yale\AppData\Local\temp2012-07-12 17:39 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66226615-017D-48E0-BB64-CF816DBACB4D}\mpengine.dll2012-07-11 02:25 . 2012-07-11 02:25 -------- d-----w- c:\users\Pauline B Wilis\AppData\Local\Macromedia2012-07-10 17:58 . 2012-07-10 17:58 -------- d-----w- c:\users\U\AppData\Local\Citrix2012-07-10 17:54 . 2012-07-10 17:54 -------- d-----w- c:\users\U\AppData\Local\Macromedia2012-06-29 13:34 . 2012-07-10 21:54 -------- d-----w- c:\programdata\PC Optimizer Pro2012-06-29 13:03 . 2012-06-29 13:03 -------- d-----w- c:\program files\RecipeHub_2jEI2012-06-21 19:59 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe2012-06-21 19:59 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll2012-06-21 19:59 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll2012-06-21 19:59 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll2012-06-21 19:59 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll2012-06-21 19:59 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll2012-06-21 19:59 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll2012-06-21 19:59 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll2012-06-21 19:59 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe2012-06-20 20:07 . 2012-06-20 20:07 -------- d-----w- c:\program files\Java2012-06-13 02:12 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys2012-06-13 02:12 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll2012-06-13 02:12 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll2012-06-13 02:12 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe2012-06-13 02:12 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys2012-06-13 02:12 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll2012-06-13 02:12 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll2012-06-13 02:12 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll2012-06-13 02:12 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll2012-06-13 02:12 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2012-07-12 18:46 . 2012-03-29 19:24 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe2012-07-12 18:46 . 2012-03-07 02:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2012-07-03 16:21 . 2012-03-06 00:58 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys2012-07-03 16:21 . 2012-03-08 21:05 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys2012-07-03 16:21 . 2012-03-06 00:58 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys2012-07-03 16:21 . 2012-03-06 00:58 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys2012-07-03 16:21 . 2012-03-06 00:58 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys2012-07-03 16:21 . 2012-03-06 00:58 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys2012-07-03 16:21 . 2012-03-06 00:58 41224 ----a-w- c:\windows\avastSS.scr2012-07-03 16:21 . 2012-03-06 00:58 227648 ----a-w- c:\windows\system32\aswBoot.exe2012-06-20 20:07 . 2012-03-08 22:39 772592 ----a-w- c:\windows\system32\npdeployJava1.dll2012-06-20 20:07 . 2012-03-06 15:27 687600 ----a-w- c:\windows\system32\deployJava1.dll2012-03-20 19:22 . 2012-03-06 02:03 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]@="{472083B0-C522-11CF-8763-00608CC02F24}"[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-20 3905408]"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2012-03-26 306688].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-22 8120864]"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2011-05-06 658424]"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-04-15 374368]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296].c:\users\U\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-4-19 1199104].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024].[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=c:\windows\System32\guard32.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"aux"=wdmaud.drv.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]@="".R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]S0 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys [x]S0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys [x]S1 aswSnx;aswSnx; [x]S1 aswSP;aswSP; [x]S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]S2 aswFsBlk;aswFsBlk; [x]S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [x]S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [x]S2 regi;regi;c:\windows\system32\drivers\regi.sys [x]S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]S3 AVerAVF2;AVerAVF2;c:\windows\system32\DRIVERS\AVerAVF2.sys [x]..Contents of the 'Scheduled Tasks' folder.2012-07-12 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 18:46].2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-06 00:58].2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-06 00:58]..------- Supplementary Scan -------.TCP: DhcpNameServer = 192.168.1.254FF - ProfilePath - c:\users\Pauline B Wilis\AppData\Roaming\Mozilla\Firefox\Profiles\5gtdlurx.default\.- - - - ORPHANS REMOVED - - - -.AddRemove-{B1A4A13D-4665-4ED3-9DFE-F845725FBBD8} - c:\program files\InstallShield Installation Information\{B1A4A13D-4665-4ED3-9DFE-F845725FBBD8}\setup.exe...[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService".--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'winlogon.exe'(660)c:\windows\system32\guard32.dll.- - - - - - - > 'lsass.exe'(592)c:\windows\system32\guard32.dll.Completion time: 2012-07-12 14:02:36ComboFix-quarantined-files.txt 2012-07-12 19:02.Pre-Run: 122,907,811,840 bytes freePost-Run: 122,831,486,976 bytes free.- - End Of File - - 56053D5243A7DAC4018EF51E700D1D3D=====================================.DDS (Ver_2011-08-26.01) - NTFSx86Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.0Run by at 14:08:47 on 2012-07-12.============== Running Processes ===============..============== Pseudo HJT Report ===============.BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dllBHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dllBHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dllTB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dlluRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exeuRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /backgroundmRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -smRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exemRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /noguimRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -hmRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressbootmRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cabDPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cabTCP: DhcpNameServer = 192.168.1.254TCP: Interfaces\{28467CAE-4A23-46EF-BFC4-BCC519B7368E} : DhcpNameServer = 192.168.1.254AppInit_DLLs: c:\windows\system32\guard32.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL.================= FIREFOX ===================.FF - ProfilePath - c:\users\pauline b wilis\appdata\roaming\mozilla\firefox\profiles\5gtdlurx.default\.============= SERVICES / DRIVERS ===============..=============== Created Last 30 ================.2012-07-12 19:02:43 -------- d-sh--w- C:\$RECYCLE.BIN2012-07-12 19:02:40 -------- d-----w- c:\users\pauline b wilis\appdata\local\temp2012-07-12 18:52:36 98816 ----a-w- c:\windows\sed.exe2012-07-12 18:52:36 518144 ----a-w- c:\windows\SWREG.exe2012-07-12 18:52:36 256000 ----a-w- c:\windows\PEV.exe2012-07-12 18:52:36 208896 ----a-w- c:\windows\MBR.exe2012-07-12 17:39:17 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{66226615-017d-48e0-bb64-cf816dbacb4d}\mpengine.dll2012-07-11 02:25:43 -------- d-----w- c:\users\pauline b wilis\appdata\local\Macromedia2012-06-29 13:34:55 -------- d-----w- c:\programdata\PC Optimizer Pro2012-06-29 13:03:40 -------- d-----w- c:\program files\RecipeHub_2jEI2012-06-21 19:59:53 2422272 ----a-w- c:\windows\system32\wucltux.dll2012-06-21 19:59:46 88576 ----a-w- c:\windows\system32\wudriver.dll2012-06-21 19:59:41 33792 ----a-w- c:\windows\system32\wuapp.exe2012-06-21 19:59:41 171904 ----a-w- c:\windows\system32\wuwebv.dll2012-06-13 02:12:42 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys2012-06-13 02:12:28 58880 ----a-w- c:\windows\system32\rdpwsx.dll2012-06-13 02:12:28 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll2012-06-13 02:12:27 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe2012-06-13 02:12:26 2343936 ----a-w- c:\windows\system32\win32k.sys2012-06-13 02:12:24 2342400 ----a-w- c:\windows\system32\msi.dll2012-06-13 02:12:23 164352 ----a-w- c:\windows\system32\profsvc.dll2012-06-13 02:12:17 1158656 ----a-w- c:\windows\system32\crypt32.dll2012-06-13 02:12:16 140288 ----a-w- c:\windows\system32\cryptsvc.dll2012-06-13 02:12:16 103936 ----a-w- c:\windows\system32\cryptnet.dll.==================== Find3M ====================.2012-07-12 18:46:30 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2012-07-12 18:46:30 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys2012-07-03 16:21:53 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys2012-07-03 16:21:53 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr2012-06-20 20:07:06 772592 ----a-w- c:\windows\system32\npdeployJava1.dll2012-06-20 20:07:06 687600 ----a-w- c:\windows\system32\deployJava1.dll2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb.============= FINISH: 14:09:37.41 =============== Link to post Share on other sites More sharing options...
DeeMee Posted July 12, 2012 Author ID:569946 Share Posted July 12, 2012 Any way to delete certain information from these scans that may be sensitive. BTW, my nephew reported to me that they got a telephone call from these same people. How creepy is that? Link to post Share on other sites More sharing options...
DeeMee Posted July 13, 2012 Author ID:570177 Share Posted July 13, 2012 BUMP Link to post Share on other sites More sharing options...
Staff screen317 Posted July 16, 2012 Staff ID:571204 Share Posted July 16, 2012 Hi,Bumping only ensures that you get put in the bottom of my reply queue of about 100. Please don't do that and you'll generally get faster responses.If you get any information about the people making phone calls, I can pass it to our team. Don't give them any of your information though!Run TFC by OldTimer to clear temporary files:Please download TFC from here and save it to your desktop.Close any open programs and Internet browsers.Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.Please be patient as clearing out temp files may take a while.Once it completes you may be prompted to restart your computer, please do so.Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.Next, please run a free online scan with the ESET Online ScannerNote: You will need to use Internet Explorer for this scan.Tick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the ActiveX control to installClick StartMake sure that the options Remove found threats and the option Scan unwanted applications is checkedClick Scan Wait for the scan to finishUse Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txtCopy and paste that log as a reply to this topicNext, download my Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.Let me know how things are running now and what issues remain.-screen317 Link to post Share on other sites More sharing options...
DeeMee Posted July 17, 2012 Author ID:571655 Share Posted July 17, 2012 Yeah maybe bumping does that but you should have contacted me via PM regarding this. I PMed you and didn't get a response. I told you that my mother lived quite a distance away. If you have more clients than you can handle, then let's get someone that can handle your overload. I will not be going over my mother's house until Wednesday at the earliest. Therefore, we will be moving towards two weeks into cleaning a system that may have only taken a week. Sure we are happy and thankful that you guys are there for us but you could have told me the deal instead of me waiting and spending the night over my mother's house for two days hoping for a response from you for the next step. Since, you haven't followed my requests, I will need to have someone that may. If that means that I may not be able to use the forum then so be it.All you had to do was to tell me you had a backlog. That's it. I was more than considerate explaining the total situation to you. My mother uses this computer for work. She has a right to be frustrated if I do not have a clue as to the time it will take for resolution because the person who is supposed to be helping me can't even send me a PM or post it on the site. BTW, my internet is down. I'm using a hotspot to send this. Therefore, my access will be spotty at best this week. Link to post Share on other sites More sharing options...
Staff screen317 Posted July 18, 2012 Staff ID:572225 Share Posted July 18, 2012 I did miss your PM-- sorry. Unfortunately I do not work 24/7 and may not be able to accommodate your schedule..Do see my instructions above. We are almost done. Link to post Share on other sites More sharing options...
DeeMee Posted July 19, 2012 Author ID:572770 Share Posted July 19, 2012 Thanks. I will be over my mother's house until tomorrow 7:00 CST. Here is the information that you requested:Ran TFC. I was unable to find the file for ESET. It was not at the file path that was displayed by your directions and others directions on the web. I ran it twice, search for it via Windows search and there is not such a file. In addition I thought that possibly it was hidden. No luck. Would I have to turn off both my firewall and Avast in order to receive such a file? In any case, it completed and was clean.Here is a copy of security check:Results of screen317's Security Check version 0.99.43Windows 7 Service Pack 1 x86 (UAC is enabled)Internet Explorer 9``````````````Antivirus/Firewall Check:``````````````Windows Firewall Disabled!avast! AntivirusAntivirus up to date! (On Access scanning disabled!)`````````Anti-malware/Other Utilities Check:`````````WinPatrolMVPS Hosts FileSpywareBlaster 4.6Spybot - Search & DestroySUPERAntiSpywareMalwarebytes Anti-Malware version 1.62.0.1300CCleanerJava™ 7 Update 5Adobe Flash Player 11.3.300.265Mozilla Firefox 11.0 Firefox out of Date!Google Chrome 20.0.1132.47Google Chrome 20.0.1132.57````````Process Check: objlist.exe by Laurent````````WinPatrol winpatrol.exeSpybot Teatimer.exe is disabled!Comodo Firewall cmdagent.exeComodo Firewall cfp.exeAVAST Software Avast AvastSvc.exeAVAST Software Avast AvastUI.exeBillP Studios WinPatrol WinPatrol.exe`````````````````System Health check`````````````````Total Fragmentation on Drive C: 3%````````````````````End of Log``````````````````````That's interesting. I did not install MVPS Host fileThanks.PIC OF ESEST SCAN.rtf Link to post Share on other sites More sharing options...
Staff screen317 Posted July 19, 2012 Staff ID:573106 Share Posted July 19, 2012 Hi,Thanks. They updated the scanner so I need to update my instructions.Run TFC by OldTimer to clear temporary files:Please download TFC from here and save it to your desktop.Close any open programs and Internet browsers.Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.Please be patient as clearing out temp files may take a while.Once it completes you may be prompted to restart your computer, please do so.Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstallThis uninstalls all of ComboFix's components.Delete SecurityCheck.Reboot.In Firefox, click Help --> About. Update it and ensure that you're using the latest version (14).Reboot and let me know what issues remain. Link to post Share on other sites More sharing options...
DeeMee Posted July 19, 2012 Author ID:573171 Share Posted July 19, 2012 Hi,TFC run, completed & system restarted.Combofix uninstalledSecurity Check deleted and system rebooted.Firefox upgraded-although I already had it set to automatically upgrade, it had not upgraded since 11.X. That's a little strange...I think.System runs fine with no apparant issues. Link to post Share on other sites More sharing options...
Staff screen317 Posted July 19, 2012 Staff ID:573220 Share Posted July 19, 2012 Glad to hear things are better!Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:Green to go Yellow for caution Red to stop WOT has an addon available for both Firefox and IE.5) Be sure to update your Antivirus and Antispyware programs often!Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?Safe surfing,-screen317 Link to post Share on other sites More sharing options...
DeeMee Posted July 19, 2012 Author ID:573318 Share Posted July 19, 2012 Thanks a lot Chris. I appreciate all your help and others who donate their time here.Best of luck with school. Link to post Share on other sites More sharing options...
Staff screen317 Posted July 20, 2012 Staff ID:573677 Share Posted July 20, 2012 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts