Trojan Agent in svchost.exe


Hello,

Malwarebytes says that I have 2 Trojan.Agents:

1 in memory process svchost.exe and

1 in file svchost.exe

My computer usually fails to successfully run Windows unless I request to start in safe mode. Sometimes it will start Windows successfully in normal mode. Thanks for any advice you can give me.

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 1/18/2010 1:55:48 PM

System Uptime: 12/8/2012 5:47:06 PM (0 hours ago)

.

Motherboard: PEGATRON CORPORATION | | Narra6

Processor: AMD Athlon II X2 240 Processor | CPU 1 | 2812/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 456 GiB total, 394.384 GiB free.

D: is FIXED (NTFS) - 10 GiB total, 1.463 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

Description: Photosmart D110 series

Device ID: ROOT\IMAGE\0000

Manufacturer: HP

Name: Photosmart D110 series

PNP Device ID: ROOT\IMAGE\0000

Service: StillCam

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: avast! Network Shield Support

Device ID: ROOT\LEGACY_ASWTDI\0000

Manufacturer:

Name: avast! Network Shield Support

PNP Device ID: ROOT\LEGACY_ASWTDI\0000

Service: aswTdi

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Photosmart D110 series

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP

Name: Photosmart D110 series

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: Security Processor Loader Driver

Device ID: ROOT\LEGACY_SPLDR\0000

Manufacturer:

Name: Security Processor Loader Driver

PNP Device ID: ROOT\LEGACY_SPLDR\0000

Service: spldr

.

==== System Restore Points ===================

.

RP335: 12/7/2012 10:25:53 PM - Windows Update

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.4)

Adobe Shockwave Player 11.5

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft Print Creations

ArcSoft Print Creations - Album Page

ArcSoft Print Creations - Funhouse

ArcSoft Print Creations - Greeting Card

ArcSoft Print Creations - Photo Book

ArcSoft Print Creations - Photo Calendar

ArcSoft Print Creations - Scrapbook

ArcSoft Print Creations - Slimline Card

ARO 2012

Ask Toolbar

avast! Free Antivirus

BlackBerry Device Software Updater

Bonjour

CCScore

Compatibility Pack for the 2007 Office system

CyberLink DVD Suite Deluxe

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Diner Dash - Flo Through Time

DirectX for Managed Code Update (Summer 2004)

DivX Setup

DVDFab 8.2.1.8 (09/11/2012) Qt

ESSBrwr

ESSCDBK

ESScore

ESSgui

ESSini

ESSPCD

ESSPDock

ESSTOOLS

essvatgt

EZ Fonts

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

Hardware Diagnostic Tools

HP Advisor

HP Customer Experience Enhancements

HP Games

HP Odometer

HP Photosmart D110 All-In-One Driver 14.0 Rel. 7

HP Remote Solution

HP Setup

HP Support Information

HP Update

iCloud

iPod for Windows 2005-10-12

iTunes

Java Auto Updater

Java 6 Update 31

Jojo's Fashion Show World Tour

Junk Mail filter update

Kodak EasyShare software

LabelPrint

LightScribe System Software

LSI PCI-SV92EX Soft Modem

Malwarebytes Anti-Malware version 1.65.1.1000

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 1.1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Live Search Toolbar

Microsoft Office 2000 Disc 2

Microsoft Office 2000 Professional

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Student 2010

Microsoft Office Home and Student 60 day trial

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

MobileMe Control Panel

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

netbrdg

Network64

NVIDIA Drivers

OfotoXMI

PASW Statistics 18

PictureMover

PlayReady PC Runtime amd64

Power Tab Editor 1.7

Power2Go

PowerDirector

PS_AIO_07_D110_SW_Min

QuickTime

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealPlayer

Realtek High Definition Audio Driver

RealUpgrade 1.1

Recovery Manager

Scan

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553260) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589322) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2553488) 32-Bit Edition

SFR

Shared C Run-time for x64

SHASTA

skin0001

SKINXSDK

staticcr

Support.com Toolbar Updater

TEFView 2.71

TempoPerfect Metronome Software

Toolbox

TuneUp Companion 2.2.7

Universal Document Converter (Demo)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553272) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition

Update Installer for WildTangent Games App

VC80CRTRedist - 8.0.50727.6195

VPRINTOL

WildTangent Games App

WildTangent Games App (HP Games)

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WIRELESS

Wondershare PDF Converter (Build 2.6.0)

Yahoo! BrowserPlus 2.9.8

Yahoo! Messenger

Yahoo! Software Update

Yahoo! Toolbar

Zuma's Revenge

.

==== Event Viewer Messages From Past Week ========

.

12/8/2012 5:49:38 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

12/8/2012 5:47:55 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

12/8/2012 5:47:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

12/8/2012 5:47:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

12/8/2012 5:47:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

12/8/2012 5:47:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

12/8/2012 5:47:36 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache spldr Wanarpv6

12/8/2012 5:43:06 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800035c563a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120812-28095-01.

12/8/2012 5:40:57 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.

12/8/2012 5:37:35 PM, Error: Service Control Manager [7023] - The Peer Name Resolution Protocol service terminated with the following error: %%-2140993535

12/8/2012 5:37:35 PM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: %%-2140993535

12/8/2012 5:37:35 PM, Error: Microsoft-Windows-PNRPSvc [102] - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80630801.

12/8/2012 5:06:13 PM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: The service has not been started.

12/8/2012 3:13:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

12/7/2012 11:48:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

12/7/2012 11:24:18 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800032fe0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120712-27050-01.

12/7/2012 11:22:36 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

12/7/2012 11:22:36 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/7/2012 11:22:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

12/7/2012 11:12:56 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800035d363a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120712-34179-01.

12/7/2012 10:56:37 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dd, 0x0000000000000002, 0x0000000000000001, 0xfffff800032af0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120712-62494-01.

12/7/2012 10:53:24 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IPsec Policy Agent service to connect.

12/7/2012 10:53:24 PM, Error: Service Control Manager [7000] - The IPsec Policy Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/7/2012 10:50:45 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LightScribeService Direct Disc Labeling Service service to connect.

12/7/2012 10:50:12 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

12/7/2012 10:50:12 PM, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/7/2012 10:16:39 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800033020c5, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120712-36519-01.

12/6/2012 7:20:24 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.

12/5/2012 7:29:07 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

12/5/2012 7:25:14 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800032fc0c5, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120512-19203-01.

12/5/2012 7:17:10 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800032c00c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120512-22386-01.

12/5/2012 2:05:30 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

12/5/2012 12:50:05 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000326166b, 0x0000000000000000, 0x000007fffffa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120512-21512-01.

12/5/2012 11:19:13 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000002feb, 0x0000000000000002, 0x0000000000000001, 0xfffff800033110c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120512-17472-01.

12/5/2012 11:04:16 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000977e5091, 0x0000000000000002, 0x0000000000000001, 0xfffff800032b50c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120512-18189-01.

12/4/2012 9:41:26 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800032b70c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-21886-01.

12/4/2012 9:26:11 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800032fa0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-19234-01.

12/4/2012 8:58:14 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000330b0c5, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-20467-01.

12/4/2012 8:52:42 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800032b866b, 0x0000000000000000, 0x000007fffffa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-22152-01.

12/4/2012 8:27:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaSvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

12/4/2012 8:26:55 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000de, 0x0000000000000002, 0x0000000000000001, 0xfffff800026c10c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-22308-01.

12/4/2012 8:18:30 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x000000000007069b, 0x0000000000000002, 0x0000000000000001, 0xfffff800032cc0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-26083-01.

12/4/2012 7:30:44 AM, Error: Service Control Manager [7038] - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

12/4/2012 7:30:44 AM, Error: Service Control Manager [7038] - The netprofm service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

12/4/2012 7:30:44 AM, Error: Service Control Manager [7000] - The Network List Service service failed to start due to the following error: The service did not start due to a logon failure.

12/4/2012 7:30:44 AM, Error: Service Control Manager [7000] - The Diagnostic Service Host service failed to start due to the following error: The service did not start due to a logon failure.

12/4/2012 7:30:44 AM, Error: Service Control Manager [7000] - The Application Information service failed to start due to the following error: A system shutdown is in progress.

12/4/2012 7:30:38 AM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.

12/4/2012 7:25:18 AM, Error: Service Control Manager [7022] - The SSDP Discovery service hung on starting.

12/4/2012 7:25:18 AM, Error: Service Control Manager [7001] - The UPnP Device Host service depends on the SSDP Discovery service which failed to start because of the following error: After starting, the service hung in a start-pending state.

12/4/2012 7:23:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

12/4/2012 7:22:17 AM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

12/4/2012 7:18:46 AM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..

12/4/2012 6:13:43 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffffa8004124bb0, 0x0000000000000000, 0x000000007efa8000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-37487-01.

12/4/2012 6:13:24 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.

12/4/2012 6:13:24 PM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/4/2012 6:13:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

12/4/2012 6:12:50 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Presentation Foundation Font Cache 3.0.0.0 service to connect.

12/4/2012 6:12:50 PM, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/4/2012 6:06:37 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000267466b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-58281-01.

12/4/2012 6:02:52 PM, Error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

12/4/2012 6:01:56 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the mcmscsvc service.

12/4/2012 5:59:52 PM, Error: Service Control Manager [7000] - The FilmFanaticService service failed to start due to the following error: The system cannot find the file specified.

12/4/2012 5:59:22 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000070aa1, 0x0000000000000002, 0x0000000000000001, 0xfffff800032c90c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-25334-01.

12/4/2012 11:23:50 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.

12/4/2012 11:23:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}

12/4/2012 11:23:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

12/4/2012 11:07:59 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}

12/4/2012 11:07:56 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

12/4/2012 11:06:34 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6

12/4/2012 11:06:21 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000096, 0xfffff8000330016a, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120412-32136-01.

12/3/2012 8:53:12 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the COM+ Event System service to connect.

12/3/2012 8:53:12 PM, Error: Service Control Manager [7001] - The System Event Notification Service service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.

12/3/2012 8:53:12 PM, Error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/3/2012 8:52:54 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000357663a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-41496-02.

12/3/2012 8:50:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

12/3/2012 8:48:08 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x000000000000024c, 0x0000000000000002, 0x0000000000000001, 0xfffff800033170c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-41496-01.

12/3/2012 8:17:38 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0xfffff880400c0024, 0x0000000000000002, 0x0000000000000000, 0xfffff80003284715). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-17986-01.

12/3/2012 8:13:05 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800032ba0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-18813-01.

12/3/2012 8:09:39 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff8000330c0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-18408-01.

12/3/2012 8:05:20 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800035cc63a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-18829-01.

12/3/2012 8:01:35 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x000000000000264b, 0x0000000000000002, 0x0000000000000001, 0xfffff800032ca0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-18626-01.

12/3/2012 7:57:55 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000000, 0x0000000000000002, 0x0000000000000001, 0xfffff80003269adf). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-17175-01.

12/3/2012 7:53:01 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x000000007fef5975, 0x0000000000000002, 0x0000000000000001, 0xfffff800032b20c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-18564-01.

12/3/2012 7:49:01 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000088, 0x0000000000000002, 0x0000000000000001, 0xfffff80003266aa6). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-18423-01.

12/3/2012 7:47:42 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000ab0, 0x0000000000000002, 0x0000000000000001, 0xfffff800033120c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-15553-01.

12/3/2012 7:44:47 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

12/3/2012 7:44:47 AM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/3/2012 7:43:18 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0xfffff8a010357000, 0x0000000000000000, 0xfffff800032e96ce, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-17955-01.

12/3/2012 7:40:28 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000040, 0x0000000000000002, 0x0000000000000001, 0xfffff800032de468). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-18049-01.

12/3/2012 7:37:25 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000600dd, 0x0000000000000002, 0x0000000000000001, 0xfffff800033050c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-17206-01.

12/3/2012 7:35:49 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Function Discovery Resource Publication service to connect.

12/3/2012 7:35:49 PM, Error: Service Control Manager [7000] - The Function Discovery Resource Publication service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/3/2012 10:06:14 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff80003298db6, 0x0000000000000000, 0x0000000000000011). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-20264-01.

12/3/2012 10:02:30 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800032bf0c5, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120312-23758-01.

12/2/2012 9:44:03 AM, Error: Service Control Manager [7034] - The HP Network Devices Support service terminated unexpectedly. It has done this 1 time(s).

12/2/2012 8:06:07 PM, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

12/2/2012 12:39:45 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070420'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

12/2/2012 12:37:08 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000096, 0xfffff800032b216a, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120212-40154-01.

12/2/2012 10:31:21 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the defragsvc service.

12/1/2012 5:49:20 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800032c90c5, 0x0000000000000000, 0xffffffffffffffff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-19406-01.

12/1/2012 5:01:57 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000072fe0, 0x0000000000000002, 0x0000000000000001, 0xfffff800032c60c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-18096-01.

12/1/2012 3:56:31 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800033090c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-17331-01.

12/1/2012 3:53:37 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800032ff0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-16551-01.

12/1/2012 3:49:49 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000400000e4, 0x0000000000000002, 0x0000000000000001, 0xfffff8000330c0c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-15646-01.

12/1/2012 3:46:46 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (0x0000000000000782, 0xfffffa80051330b0, 0xfffff9800cd00000, 0xfffff8a0038545b0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-30108-01.

12/1/2012 3:38:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

12/1/2012 3:30:13 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff8000326966b, 0x0000000000000000, 0x000000007efa0000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-25474-01.

12/1/2012 3:21:44 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000010, 0x0000000000000002, 0x0000000000000000, 0xfffff800032708b3). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-19671-01.

12/1/2012 3:11:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

12/1/2012 3:09:47 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff800035bca71, 0xfffff88006762f70, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-24429-01.

12/1/2012 2:54:39 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000096, 0xfffff800032b816a, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-24133-01.

12/1/2012 2:52:08 PM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The pipe has been ended.

12/1/2012 2:52:08 PM, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The pipe has been ended.

12/1/2012 2:52:08 PM, Error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The pipe has been ended.

12/1/2012 2:52:08 PM, Error: Service Control Manager [7000] - The McAfee Firewall Core Service service failed to start due to the following error: The pipe has been ended.

12/1/2012 12:47:23 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000000000dc, 0x0000000000000002, 0x0000000000000001, 0xfffff800033140c5). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-14835-01.

12/1/2012 12:33:38 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000040, 0x0000000000000002, 0x0000000000000001, 0xfffff800032f0468). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-16395-01.

12/1/2012 12:26:41 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the MBAMScheduler service to connect.

12/1/2012 12:26:41 PM, Error: Service Control Manager [7000] - The MBAMScheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/1/2012 1:20:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McComponentHostService with arguments "" in order to run the server: {CC6F4D12-8575-4CFF-9455-CF5774AEB13B}

12/1/2012 1:15:20 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800035c563a, 0x0000000000000001, 0x0000000000000018). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-22417-01.

12/1/2012 1:05:14 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000330073, 0x0000000000000002, 0x0000000000000001, 0xfffff8000321ffd0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 120112-24195-01.

.

==== End Of File ===========================

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK

Internet Explorer: 9.0.8112.16455

Run by Blanchard at 17:49:04 on 2012-12-08

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.2072 [GMT -6:00]

.

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

\\.\globalroot\systemroot\svchost.exe -netsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://yahoo.com/

mStart Page = hxxp://www.yahoo.com

mDefault_Page_URL = hxxp://www.yahoo.com

uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

uURLSearchHooks: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - <orphaned>

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - LocalServer32 - <no file>

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

BHO: Support.com Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

TB: Support.com Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

TB: Search Toolbar: {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Support.com Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet

uRun: [itibiti.exe] C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [AROReminder] C:\Program Files (x86)\ARO 2012\ARO.exe -rem

mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe

mRun: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe

mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"

mRun: [searchProtection] C:\ProgramData\Search Protection\_run.bat

mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript

StartupFolder: C:\Users\BLANCH~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

Trusted Zone: moove.com

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{0E97319C-1499-443F-8DA1-F948B1EEF128} : DHCPNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

x64-BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -

x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup

x64-Run: [PC-Doctor for Windows localizer] C:\Program Files\PC-Doctor for Windows\localizer.exe

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2012-12-4 14456]

S1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-12-1 984144]

S1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-12-1 370288]

S2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-12-1 25232]

S2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-12-1 71600]

S2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-12-1 44808]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-5 399432]

S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-5 676936]

S3 androidusb;ADB Interface Driver;C:\Windows\System32\drivers\androidusb.sys [2010-4-29 32768]

S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;C:\Windows\System32\drivers\BVRPMPR5a64.SYS [2011-6-17 35840]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-7-3 48488]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]

S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-5 25928]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" --> C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-6 59392]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-8-2 51712]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-4 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-12-08 23:39:30 20480 ----a-w- C:\Windows\svchost.exe

2012-12-08 17:35:55 -------- d-----w- C:\Users\Blanchard\AppData\Local\{B8F93E05-4FDB-4F0E-82DE-4323D5E81ED2}

2012-12-08 04:26:26 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B68AEC25-C55E-497F-9A1B-CF19C4A8A0C9}\mpengine.dll

2012-12-08 04:22:08 -------- d-----w- C:\Users\Blanchard\AppData\Local\{603536F6-878C-4BD0-9B27-3B8E161D994B}

2012-12-06 05:17:23 -------- d-----w- C:\Users\Blanchard\AppData\Local\{E03956B4-C834-48A0-BFF7-50A97E9664FB}

2012-12-06 04:35:47 -------- d-----w- C:\Program Files (x86)\GridinSoft Trojan Killer

2012-12-05 17:01:22 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-12-05 17:01:22 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-12-05 03:48:58 -------- d-----w- C:\Users\Blanchard\AppData\Roaming\LavasoftStatistics

2012-12-05 03:48:48 -------- d-----w- C:\Users\Blanchard\AppData\Local\Downloaded Installations

2012-12-05 03:48:33 47496 ----a-w- C:\Windows\System32\sbbd.exe

2012-12-05 03:48:33 14456 ----a-w- C:\Windows\System32\drivers\gfibto.sys

2012-12-05 03:48:21 -------- d-----w- C:\ProgramData\Search Protection

2012-12-05 03:47:46 -------- d-----w- C:\Users\Blanchard\AppData\Roaming\Ad-Aware Antivirus

2012-12-05 03:40:03 -------- d-----w- C:\Users\Blanchard\AppData\Local\{E2593859-16AB-4A5D-B315-4617AF08C6D6}

2012-12-05 00:13:05 -------- d-----w- C:\Users\Blanchard\AppData\Local\{AA6D8B4F-7D29-4571-ABEA-BB35C1928B94}

2012-12-04 17:23:28 -------- d-----w- C:\Users\Blanchard\AppData\Local\McAfee Anti-Theft

2012-12-04 14:25:56 -------- d-----w- C:\ProgramData\Tarma Installer

2012-12-04 12:10:41 -------- d-----w- C:\Users\Blanchard\AppData\Local\{C5CB3A6D-6D3F-4F90-9D9F-2F4AA196D074}

2012-12-04 04:09:13 -------- d-----w- C:\Users\Blanchard\AppData\Roaming\SpeedyPC Software

2012-12-04 04:09:13 -------- d-----w- C:\Users\Blanchard\AppData\Roaming\DriverCure

2012-12-04 04:09:01 -------- d-----w- C:\ProgramData\SpeedyPC Software

2012-12-03 13:59:38 -------- d-----w- C:\Users\Blanchard\AppData\Local\{C2140A78-3631-4A13-98FA-6E241A72C190}

2012-12-03 13:55:20 -------- d-----w- C:\Users\Blanchard\AppData\Local\{8EDE0FC9-C040-4CA9-8938-F99A264B13B3}

2012-12-03 13:46:57 -------- d-----w- C:\Users\Blanchard\AppData\Roaming\Sammsoft

2012-12-02 18:38:54 -------- d-----w- C:\Users\Blanchard\AppData\Local\{EF3F9E7E-9135-4645-9919-2A8A28E1622F}

2012-12-02 13:58:32 -------- d-----w- C:\Users\Blanchard\AppData\Local\{D33DB69D-C013-4E07-AF53-B4A26487F320}

2012-12-01 23:22:24 -------- d-----w- C:\Program Files (x86)\ARO 2012

2012-12-01 23:21:53 -------- d-----w- C:\Program Files (x86)\Ask.com

2012-12-01 23:21:20 -------- d-----w- C:\Users\Blanchard\AppData\Local\APN

2012-12-01 21:38:13 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2012-12-01 21:38:13 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys

2012-12-01 21:37:58 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2012-12-01 21:37:46 41224 ----a-w- C:\Windows\avastSS.scr

2012-12-01 21:37:36 -------- d-----w- C:\ProgramData\AVAST Software

2012-12-01 21:37:36 -------- d-----w- C:\Program Files\AVAST Software

2012-12-01 21:22:42 -------- d-----w- C:\Users\Blanchard\AppData\Local\{9E1D87AE-7046-4915-BB25-AAA1F066E08B}

2012-12-01 19:03:31 -------- d-----w- C:\Users\Blanchard\AppData\Local\{0495D8F3-64A1-4E05-99AC-63C10923C0AD}

2012-12-01 18:46:01 -------- d-----w- C:\Users\Blanchard\AppData\Local\{49D97750-3483-422F-9CDD-B184E864BC62}

2012-12-01 18:31:38 -------- d-----w- C:\Users\Blanchard\AppData\Local\{F1E67A43-04F6-491F-99FB-FC9A75BF248E}

2012-11-29 17:06:14 -------- d-----w- C:\Users\Blanchard\AppData\Local\{D074B765-1BB6-425C-82E9-60DB31C023E6}

2012-11-29 04:30:49 -------- d-----w- C:\ProgramData\dvdfab

2012-11-29 04:29:08 -------- d-----w- C:\Users\Blanchard\AppData\Local\{190B7C7B-A224-4ADC-B7E3-B2AFC299345C}

2012-11-29 04:25:33 -------- d-----w- C:\Program Files (x86)\DVDFab 8 Qt

2012-11-27 16:57:24 -------- d-----w- C:\Users\Blanchard\AppData\Local\{7F9D2D93-84D8-4E31-BED4-1AC894ADFE03}

2012-11-26 01:43:51 -------- d-----w- C:\Users\Blanchard\AppData\Roaming\RealNetworks

2012-11-25 20:04:40 179328 ----a-w- C:\Program Files (x86)\pares.dll

2012-11-24 14:09:48 -------- d-----w- C:\Users\Blanchard\AppData\Local\{E95F03CA-1353-480E-ACD1-C646831BB620}

2012-11-24 01:42:15 -------- d-----w- C:\Users\Blanchard\AppData\Local\{48ED7415-3A28-41F8-9521-3C2B44182C2A}

2012-11-21 02:25:36 -------- d-----w- C:\Users\Blanchard\AppData\Local\{3EC571E1-0A46-4D90-AB28-81F31D5502F2}

2012-11-20 12:35:10 -------- d-----w- C:\Windows\Hewlett-Packard

2012-11-20 11:56:19 -------- d-----w- C:\Users\Blanchard\AppData\Local\{6963C5C2-60C9-44B0-BCFA-6D88DBD495D3}

2012-11-17 17:58:42 -------- d-----w- C:\Users\Blanchard\AppData\Local\{9F52AC09-4092-4DEB-8716-BDBE34EE67F4}

2012-11-16 13:09:06 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2012-11-16 13:09:06 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2012-11-16 13:09:06 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2012-11-16 13:09:06 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui

2012-11-16 13:01:56 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2012-11-16 13:01:56 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2012-11-16 13:01:55 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2012-11-16 13:01:55 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2012-11-16 13:01:55 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2012-11-16 13:01:55 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2012-11-16 13:01:55 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2012-11-16 11:18:59 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-11-16 11:18:59 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

2012-11-16 11:18:59 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-11-16 11:18:59 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-11-16 11:18:35 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-11-16 11:18:35 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

2012-11-16 11:09:47 -------- d-----w- C:\Users\Blanchard\AppData\Local\{AF78AA2F-E88D-4250-A5C7-2E03BB0FBC79}

2012-11-13 23:33:44 -------- d-----w- C:\Users\Blanchard\AppData\Local\{26CB0D8E-D62B-48C3-A972-60A439DA9212}

2012-11-13 02:04:38 -------- d-----w- C:\Users\Blanchard\AppData\Local\{5EF81FB4-C5FC-4F3A-8EBE-CE5CE45812D5}

2012-11-10 14:22:02 -------- d-----w- C:\Users\Blanchard\AppData\Local\{0FA54AA5-A943-4B8C-BEFC-0C6E723CF2B8}

.

==================== Find3M ====================

.

2012-12-01 15:21:15 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-01 15:21:15 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-10-20 01:58:38 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll

2012-10-20 01:58:38 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll

2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc(3545).dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

.

============= FINISH: 17:52:37.64 ===============


  • Staff

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.


Thanks so much, that seems to have done the job. Malwarebytes Anti-Rootkit found 4 problems on the first run and zero on the second. My computer is running like it used to.

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2012.12.08.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Blanchard :: BLANCHARD-PC [administrator]

12/8/2012 7:03:48 PM

mbar-log-2012-12-08 (19-03-48).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 32933

Time elapsed: 13 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 2952060928, free: 2111987712

------------ Kernel report ------------

12/08/2012 18:26:26

------------ Loaded modules -----------

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8003286060

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000057\

Lower Device Object: 0xfffffa8002c797e0

Lower Device Driver Name: \00000255\

Driver name found: nvstor64

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.08.07

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8003286060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8003286b60, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8003286060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8002170e40, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8002c797e0, DeviceName: \Device\00000057\, DriverName: \00000255\

------------ End ----------

Upper DeviceData: 0xfffff8a003ee94e0, 0xfffffa8003286060, 0xfffffa80041c6790

Lower DeviceData: 0xfffff8a00301ea50, 0xfffffa8002c797e0, 0xfffffa8002ef6340

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

MBR buffers are not equal

MBR is forged! [375aa84a32db42cfc470956bb736fd78]

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 1549F232

Partition information:

Partition 0 type is Empty (0x0)

Partition is ACTIVE.

Partition starts at LBA: 50 Numsec = 0

Partition is not bootable

Infected: VBR on Empty active partition --> [Rootkit.Pihar.c.MBR]

Changing partition to empty and not active. New active partition is 0 on drive 0 ...

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 956180480

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 956387328 Numsec = 20383744

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

MBR infection found on drive 0

Disk Size: 500107862016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-49-976753168-976773168)...

Done!

Performing system, memory and registry scan...

Read File: File "C:\ProgramData\{D441869F-BEC4-446D-9888-C5CA29F160F9}\HP_Remote_Solution_Install.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{D441869F-BEC4-446D-9888-C5CA29F160F9}\HP_Remote_Solution_Install.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{D441869F-BEC4-446D-9888-C5CA29F160F9}\instance.dat" is compressed (flags = 1)

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Infected: C:\Windows\svchost.exe --> [Trojan.Agent]

Done!

Scan finished

Creating System Restore point...

Could not create restore point...

Scheduling clean up...

<<<2>>>

Device number: 0, partition: 2

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

BCD Entry for BOOTEMS is missing

Malicious Entry 26000022 for BOOTEMS present!

Removal scheduling successful. System shutdown needed.

System shutdown occurred

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 2952060928, free: 1728856064

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 2952060928, free: 1736679424

------------ Kernel report ------------

12/08/2012 18:49:57

------------ Loaded modules -----------


\Windows\System32\comdlg32.dll

\Windows\System32\shell32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\ole32.dll

\Windows\System32\usp10.dll

\Windows\System32\imagehlp.dll

\Windows\System32\iertutil.dll

\Windows\System32\urlmon.dll

\Windows\System32\advapi32.dll

\Windows\System32\Wldap32.dll

\Windows\System32\nsi.dll

\Windows\System32\difxapi.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\comctl32.dll

\Windows\System32\wintrust.dll

\Windows\System32\crypt32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\devobj.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\msasn1.dll

\Windows\SysWOW64\normaliz.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa80032b4700

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000057\

Lower Device Object: 0xfffffa8002c68790

Lower Device Driver Name: \Driver\nvstor64\

Driver name found: nvstor64

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.08.07

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 2

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa80032b4700, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa80032b4150, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa80032b4700, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8002c68350, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xfffffa8002c68790, DeviceName: \Device\00000057\, DriverName: \Driver\nvstor64\

------------ End ----------

Upper DeviceData: 0xfffff8a00fbc0cf0, 0xfffffa80032b4700, 0xfffffa80026cd090

Lower DeviceData: 0xfffff8a00f959cf0, 0xfffffa8002c68790, 0xfffffa800237fcf0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 1549F232

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 204800

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 206848 Numsec = 956180480

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 956387328 Numsec = 20383744

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...

Done!

Performing system, memory and registry scan...

Read File: File "C:\ProgramData\{D441869F-BEC4-446D-9888-C5CA29F160F9}\HP_Remote_Solution_Install.dat" is compressed (flags = 1)

Read File: File "C:\ProgramData\{D441869F-BEC4-446D-9888-C5CA29F160F9}\HP_Remote_Solution_Install.lan" is compressed (flags = 1)

Read File: File "C:\ProgramData\{D441869F-BEC4-446D-9888-C5CA29F160F9}\instance.dat" is compressed (flags = 1)

Done!

Scan finished

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_31

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED

CPU speed: 2.812000 GHz

Memory total: 2952060928, free: 1809739776


  • Staff

That's good news. I'd like to run a couple more scans just to make sure there are no leftovers; quite often this infection brings along others.

Please run the following:

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Here is the log from ComboFix. I believe it's saying that Windows Defender was enabled during the run of ComboFix. Does that invalidate the result?

ComboFix 12-12-07.01 - Blanchard 12/08/2012 20:22:42.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.1523 [GMT -6:00]

Running from: c:\users\Blanchard\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\prefs.js

c:\program files (x86)\Search Toolbar

c:\program files (x86)\Search Toolbar\SearchToolbar.dll

c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe

c:\programdata\gifnocsm.pad

c:\users\Blanchard\AppData\Roaming\.#

c:\users\Blanchard\Documents\~WRL2300.tmp

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\security\Database\tmp.edb

c:\windows\SysWow64\regobj.dll

c:\windows\SysWow64\URTTemp

c:\windows\SysWow64\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-11-09 to 2012-12-09 )))))))))))))))))))))))))))))))

.

.

2012-12-09 02:33 . 2012-12-09 02:33 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-09 02:05 . 2012-12-09 02:05 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B68AEC25-C55E-497F-9A1B-CF19C4A8A0C9}\offreg.dll

2012-12-08 04:26 . 2012-11-19 07:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B68AEC25-C55E-497F-9A1B-CF19C4A8A0C9}\mpengine.dll

2012-12-06 04:35 . 2012-12-06 04:44 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer

2012-12-05 17:01 . 2012-12-08 23:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-12-05 17:01 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-05 03:48 . 2012-12-05 03:48 -------- d-----w- c:\users\Blanchard\AppData\Roaming\LavasoftStatistics

2012-12-05 03:48 . 2012-12-05 03:48 -------- d-----w- c:\users\Blanchard\AppData\Local\Downloaded Installations

2012-12-05 03:48 . 2012-12-05 03:48 47496 ----a-w- c:\windows\system32\sbbd.exe

2012-12-05 03:48 . 2012-12-05 03:48 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys

2012-12-05 03:48 . 2012-12-05 03:53 -------- d-----w- c:\programdata\Search Protection

2012-12-05 03:47 . 2012-12-05 03:47 -------- d-----w- c:\users\Blanchard\AppData\Roaming\Ad-Aware Antivirus

2012-12-04 17:23 . 2012-12-04 17:23 -------- d-----w- c:\users\Blanchard\AppData\Local\McAfee Anti-Theft

2012-12-04 14:25 . 2012-12-04 14:25 -------- d-----w- c:\programdata\Tarma Installer

2012-12-04 04:09 . 2012-12-04 04:09 -------- d-----w- c:\users\Blanchard\AppData\Roaming\SpeedyPC Software

2012-12-04 04:09 . 2012-12-04 04:09 -------- d-----w- c:\users\Blanchard\AppData\Roaming\DriverCure

2012-12-04 04:09 . 2012-12-04 04:17 -------- d-----w- c:\programdata\SpeedyPC Software

2012-12-03 13:46 . 2012-12-03 13:46 -------- d-----w- c:\users\Blanchard\AppData\Roaming\Sammsoft

2012-12-01 23:22 . 2012-12-05 04:19 -------- d-----w- c:\program files (x86)\ARO 2012

2012-12-01 23:21 . 2012-12-05 04:19 -------- d-----w- c:\program files (x86)\Ask.com

2012-12-01 23:21 . 2012-12-01 23:21 -------- d-----w- c:\users\Blanchard\AppData\Local\APN

2012-12-01 21:38 . 2012-10-30 23:51 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-12-01 21:38 . 2012-10-30 23:51 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-12-01 21:38 . 2012-10-30 23:51 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-12-01 21:38 . 2012-10-30 23:51 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-12-01 21:38 . 2012-10-15 16:59 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-12-01 21:37 . 2012-10-30 23:51 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-12-01 21:37 . 2012-10-30 23:50 285328 ----a-w- c:\windows\system32\aswBoot.exe

2012-12-01 21:37 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr

2012-12-01 21:37 . 2012-10-30 23:50 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe

2012-12-01 21:37 . 2012-12-05 03:54 -------- d-----w- c:\programdata\AVAST Software

2012-12-01 21:37 . 2012-12-05 03:52 -------- d-----w- c:\program files\AVAST Software

2012-11-29 04:30 . 2012-11-29 04:30 -------- d-----w- c:\programdata\dvdfab

2012-11-29 04:25 . 2012-12-05 04:19 -------- d-----w- c:\program files (x86)\DVDFab 8 Qt

2012-11-26 01:43 . 2012-11-26 01:43 -------- d-----w- c:\users\Blanchard\AppData\Roaming\RealNetworks

2012-11-25 20:04 . 2012-11-25 20:01 179328 ----a-w- c:\program files (x86)\pares.dll

2012-11-20 12:35 . 2012-12-05 04:22 -------- d-----w- c:\windows\Hewlett-Packard

2012-11-16 13:09 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-11-16 13:09 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-11-16 13:09 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-11-16 13:09 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-11-16 13:01 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-11-16 13:01 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-11-16 13:01 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-11-16 13:01 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-11-16 13:01 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-11-16 13:01 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-11-16 13:01 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-11-16 11:18 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll

2012-11-16 11:18 . 2012-10-03 17:44 18944 ----a-w- c:\windows\system32\netevent.dll

2012-11-16 11:18 . 2012-10-03 16:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll

2012-11-16 11:18 . 2012-10-03 16:07 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

2012-11-16 11:18 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll

2012-11-16 11:18 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-01 15:21 . 2012-04-01 12:28 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-01 15:21 . 2011-09-29 22:50 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-30 03:04 . 2010-01-24 13:59 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-20 01:58 . 2011-11-27 15:44 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll

2012-10-20 01:58 . 2011-11-27 15:44 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll

2012-10-16 08:38 . 2012-11-28 13:10 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-28 13:10 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-28 13:10 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-09-14 19:19 . 2012-10-10 11:39 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-14 18:28 . 2012-10-10 11:39 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-10-18 1527496]

.

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2012-10-18 04:08 1527496 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-10-18 1527496]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-09-29 1685048]

"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

"AROReminder"="c:\program files (x86)\ARO 2012\ARO.exe" [2012-07-27 2553752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]

"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]

"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-10-20 296096]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-10-18 1645256]

.

c:\users\Blanchard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-06-30 35840]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1255736]

R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-05 14456]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-09 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 15:21]

.

2012-11-30 c:\windows\Tasks\EasyShare Registration Task.job

- c:\windows\system32\rundll32.exe [2009-07-13 01:14]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-07 14:07]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-07 14:07]

.

2012-11-28 c:\windows\Tasks\HPCeeScheduleForBlanchard.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]

.

2012-12-01 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 23:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-29 16333856]

"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mDefault_Page_URL = hxxp://www.yahoo.com

mStart Page = hxxp://www.yahoo.com

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105

Trusted Zone: moove.com

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{c2db4fe6-8409-45ce-8010-189a7b5cce86} - (no file)

BHO-{9D425283-D487-4337-BAB6-AB8354A81457} - c:\program files (x86)\Search Toolbar\SearchToolbar.dll

Toolbar-{9D425283-D487-4337-BAB6-AB8354A81457} - c:\program files (x86)\Search Toolbar\SearchToolbar.dll

Toolbar-10 - (no file)

Wow6432Node-HKCU-Run-Itibiti.exe - c:\program files (x86)\Itibiti Soft Phone\Itibiti.exe

Wow6432Node-HKLM-Run-DivXUpdate - c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

Wow6432Node-HKLM-Run-SearchProtection - c:\programdata\Search Protection\_run.bat

Toolbar-10 - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - (no file)

WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1275306150-1254451135-4285018478-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-1275306150-1254451135-4285018478-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-12-08 20:47:37

ComboFix-quarantined-files.txt 2012-12-09 02:47

.

Pre-Run: 423,138,504,704 bytes free

Post-Run: 425,128,902,656 bytes free

.

- - End Of File - - B5F772D9E516C9CA25BE458766066625


  • Staff

There are some junk files left which we can clean up; please run the following:

Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


Here is JRT.txt, the adware text file, and the MalwareBytes log. ESET has been running for almost an hour and is only 1/2 done. So far, it has found 3 threats and they are all Win32 toolbars (2 Zugo toolbars and a MyWebSearch toolbar). ESET says that it also just found a variant of a java/exploit Trojan. I'll send the log when it finishes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.0.0 (12.08.2012:4)

OS: Windows 7 Home Premium x64

Ran by Blanchard on Sat 12/08/2012 at 21:59:50.53

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\apnupdater

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{30f9b915-b755-4826-820b-08fba6bd249d}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1275306150-1254451135-4285018478-1001\software\microsoft\internet explorer\searchscopes\\DefaultScope

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{00000000-6e41-4fd3-8538-502f5495e5fc}

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\searchqutoolbar"

Successfully deleted: [Registry Key] "hkey_current_user\software\conduit"

Successfully deleted: [Registry Key] "hkey_current_user\software\softonic"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\conduit.engine"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9"

Successfully deleted: [Registry Key] "hkey_local_machine\software\conduit"

Successfully deleted: [Registry Key] "hkey_local_machine\software\freeze.com"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\tracing\searchqumediabar_rasapi32"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\tracing\searchqumediabar_rasmancs"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\tracing\setupdatamngr_searchqu_rasapi32"

Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\tracing\setupdatamngr_searchqu_rasmancs"

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{3bd44f0e-0596-4008-aee0-45d47e3a8f0e}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{99079a25-328f-4bd4-be04-00955acaa0a7}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{9bb47c17-9c68-4bb3-b188-dd9af0fd2406}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{9bb47c17-9c68-4bb3-b188-dd9af0fd2406}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{9d425283-d487-4337-bab6-ab8354a81457}

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d824f0de-3d60-4f57-9eb1-66033ecd8abb}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}

Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd"

Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd.1"

Successfully deleted: [Registry Key] "hkey_current_user\software\apn"

Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"

Successfully deleted: [Registry Key] "hkey_local_machine\software\apn"

Successfully deleted: [Registry Key] "hkey_local_machine\software\asktoolbar"

Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"

~~~ Files

Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\search protection"

Successfully deleted: [Folder] "C:\ProgramData\speedypc software"

Successfully deleted: [Folder] "C:\ProgramData\tarma installer"

Successfully deleted: [Folder] "C:\ProgramData\wecarereminder"

Successfully deleted: [Folder] "C:\Users\Blanchard\AppData\Roaming\speedypc software"

Successfully deleted: [Folder] "C:\Users\Blanchard\appdata\local\apn"

Successfully deleted: [Folder] "C:\Users\Blanchard\appdata\local\conduit"

Successfully deleted: [Folder] "C:\Users\Blanchard\appdata\local\ilivid player"

Successfully deleted: [Folder] "C:\Users\Blanchard\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Users\Blanchard\appdata\locallow\datamngr"

Successfully deleted: [Folder] "C:\Users\Blanchard\appdata\locallow\searchquband"

Successfully deleted: [Folder] "C:\Program Files (x86)\free offers from freeze.com"

Successfully deleted: [Folder] "C:\ProgramData\ask"

Successfully deleted: [Folder] "C:\Users\Blanchard\appdata\locallow\asktoolbar"

Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"

Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sat 12/08/2012 at 22:08:19.33

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v2.011 - Logfile created 12/08/2012 at 23:05:28

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User : Blanchard - BLANCHARD-PC

# Boot Mode : Normal

# Running from : C:\Users\Blanchard\Desktop\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2117678

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2405280

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{13119113-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{33119133-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23119123-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

Key Deleted : HKLM\SOFTWARE\Software

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Blanchard\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [3016 octets] - [08/12/2012 23:05:28]

########## EOF - C:\AdwCleaner[s1].txt - [3076 octets] ##########

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.09.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Blanchard :: BLANCHARD-PC [administrator]

12/8/2012 11:12:14 PM

mbam-log-2012-12-08 (23-12-14).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 221891

Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Here is the result of ESET. It found 2 final threats that it said were HTML/Scrinject.B.Gen Virus.

Interesting that Adware Cleaner did so much with the registry for HKLM/Software. I had to watch an old movie for a class and didn't have time to order it online, so I downloaded a FilmFinder toolbar. I have had suspicions that that is where my problems originated.

C:\Program Files (x86)\iWonEI\Installr\1.bin\jfEIPlug.dll a variant of Win32/Toolbar.MyWebSearch application

C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application

C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir Win32/Toolbar.Zugo application

C:\Users\Blanchard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\7295922c-75c69f69 a variant of Java/Exploit.CVE-2012-1723.EP trojan

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm HTML/ScrInject.B.Gen virus

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm HTML/ScrInject.B.Gen virus


  • Staff

Yes, that very likely was the cause of the issues; toolbars seem to bring in a lot of junk with them.

Please run the following

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Press the WinKey + R to open a run box, type Notepad > click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


File::
C:\Program Files (x86)\iWonEI\Installr\1.bin\jfEIPlug.dll
C:\Users\Blanchard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\7295922c-75c69f69
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

CFScriptB-4.gif

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version XI)

Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

  • Go to this site and click on "Do I have Java"
  • It will check your current version and then offer to update to the latest version
  • Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed; if there are, remove them.

NEXT

Please advise how the computer is running now and if there are any outstanding issues

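As an added illustration of how the File:: list in the reply above follows from the ESET results posted before it (this is example code written for this page, not a tool from the thread or from ComboFix's authors): the six ESET lines are parsed into path, detection name and type; the two findings already sitting under C:\Qoobox\Quarantine (ComboFix's own quarantine folder) are left out, exactly as the reply did; and a ClearJavaCache:: directive is appended when one of the remaining paths lies in the Java deployment cache, which is my reading of why that directive appears in the reply. The sample input is constructed from the lines quoted in the thread, and the "a variant of" prefix and the application/trojan/virus suffixes are treated as the only line shapes the export contains.

```python
import re

# Constructed sample input: the six result lines the ESET export in this
# thread reported, one "<path> [a variant of] <threat> <kind>" per line.
ESET_EXPORT = r"""
C:\Program Files (x86)\iWonEI\Installr\1.bin\jfEIPlug.dll a variant of Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir Win32/Toolbar.Zugo application
C:\Users\Blanchard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\7295922c-75c69f69 a variant of Java/Exploit.CVE-2012-1723.EP trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm HTML/ScrInject.B.Gen virus
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm HTML/ScrInject.B.Gen virus
"""

# Paths contain spaces, so the path is matched non-greedily and anchored by
# the detection name, the only token on the line that contains a "/".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:a variant of\s+)?"
    r"(?P<threat>[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>application|trojan|virus)\s*$",
    re.IGNORECASE,
)

# ComboFix's own quarantine folder: findings already here were not listed
# again in the reply's File:: block, so the builder skips them too.
QUARANTINE_PREFIX = r"c:\qoobox\quarantine"
# Java deployment cache: a hit here is what ClearJavaCache:: is taken to address.
JAVA_CACHE_MARKER = r"\sun\java\deployment\cache"


def parse_eset_export(text):
    """Return a list of {path, threat, kind} dicts, one per non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        entries.append(m.groupdict())
    return entries


def select_for_cfscript(entries):
    """Drop findings that already sit in ComboFix's quarantine."""
    return [e for e in entries
            if not e["path"].lower().startswith(QUARANTINE_PREFIX)]


def build_cfscript(entries):
    """Render the File:: block, plus ClearJavaCache:: when the Java cache was hit."""
    keep = select_for_cfscript(entries)
    lines = ["File::"] + [e["path"] for e in keep]
    if any(JAVA_CACHE_MARKER in e["path"].lower() for e in keep):
        lines += ["", "ClearJavaCache::"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the same four File:: entries and the ClearJavaCache:: line as the reply.
    print(build_cfscript(parse_eset_export(ESET_EXPORT)))
```

The parser raises on any line it does not recognise rather than silently skipping it, so a changed export format is noticed instead of producing a shorter script than the scan warranted.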

I find no issues with my computer. Thank you! It's running better than ever.

ComboFix 12-12-07.01 - Blanchard 12/09/2012 10:41:27.2.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.1731 [GMT -6:00]

Running from: c:\users\Blanchard\Desktop\ComboFix.exe

Command switches used :: c:\users\Blanchard\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\program files (x86)\iWonEI\Installr\1.bin\jfEIPlug.dll"

"c:\users\Blanchard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\7295922c-75c69f69"

"c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm"

"c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\iWonEI\Installr\1.bin\jfEIPlug.dll

c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZKZ04QZ\kitty-goes-crazy-for-laser[1].htm

.

.

((((((((((((((((((((((((( Files Created from 2012-11-09 to 2012-12-09 )))))))))))))))))))))))))))))))

.

.

2012-12-09 16:52 . 2012-12-09 16:52 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2012-12-09 16:52 . 2012-12-09 16:52 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-09 05:21 . 2012-12-09 05:21 -------- d-----w- c:\program files (x86)\ESET

2012-12-09 03:59 . 2012-12-09 03:59 -------- d-----w- c:\windows\ERUNT

2012-12-09 03:57 . 2012-12-09 04:14 -------- d-----w- C:\JRT

2012-12-08 04:26 . 2012-11-19 07:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B68AEC25-C55E-497F-9A1B-CF19C4A8A0C9}\mpengine.dll

2012-12-06 04:35 . 2012-12-06 04:44 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer

2012-12-05 17:01 . 2012-12-08 23:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-12-05 17:01 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-05 03:48 . 2012-12-05 03:48 -------- d-----w- c:\users\Blanchard\AppData\Roaming\LavasoftStatistics

2012-12-05 03:48 . 2012-12-05 03:48 -------- d-----w- c:\users\Blanchard\AppData\Local\Downloaded Installations

2012-12-05 03:48 . 2012-12-05 03:48 47496 ----a-w- c:\windows\system32\sbbd.exe

2012-12-05 03:48 . 2012-12-05 03:48 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys

2012-12-05 03:47 . 2012-12-05 03:47 -------- d-----w- c:\users\Blanchard\AppData\Roaming\Ad-Aware Antivirus

2012-12-04 17:23 . 2012-12-04 17:23 -------- d-----w- c:\users\Blanchard\AppData\Local\McAfee Anti-Theft

2012-12-04 04:09 . 2012-12-04 04:09 -------- d-----w- c:\users\Blanchard\AppData\Roaming\DriverCure

2012-12-03 13:46 . 2012-12-03 13:46 -------- d-----w- c:\users\Blanchard\AppData\Roaming\Sammsoft

2012-12-01 23:22 . 2012-12-05 04:19 -------- d-----w- c:\program files (x86)\ARO 2012

2012-12-01 21:38 . 2012-10-30 23:51 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-12-01 21:38 . 2012-10-30 23:51 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-12-01 21:38 . 2012-10-30 23:51 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-12-01 21:38 . 2012-10-30 23:51 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-12-01 21:38 . 2012-10-15 16:59 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-12-01 21:37 . 2012-10-30 23:51 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-12-01 21:37 . 2012-10-30 23:50 285328 ----a-w- c:\windows\system32\aswBoot.exe

2012-12-01 21:37 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr

2012-12-01 21:37 . 2012-10-30 23:50 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe

2012-12-01 21:37 . 2012-12-05 03:54 -------- d-----w- c:\programdata\AVAST Software

2012-12-01 21:37 . 2012-12-05 03:52 -------- d-----w- c:\program files\AVAST Software

2012-11-29 04:30 . 2012-11-29 04:30 -------- d-----w- c:\programdata\dvdfab

2012-11-29 04:25 . 2012-12-05 04:19 -------- d-----w- c:\program files (x86)\DVDFab 8 Qt

2012-11-26 01:43 . 2012-11-26 01:43 -------- d-----w- c:\users\Blanchard\AppData\Roaming\RealNetworks

2012-11-25 20:04 . 2012-11-25 20:01 179328 ----a-w- c:\program files (x86)\pares.dll

2012-11-20 12:35 . 2012-12-05 04:22 -------- d-----w- c:\windows\Hewlett-Packard

2012-11-16 13:09 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-11-16 13:09 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-11-16 13:09 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-11-16 13:09 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-11-16 13:01 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-11-16 13:01 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-11-16 13:01 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-11-16 13:01 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-11-16 13:01 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-11-16 13:01 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-11-16 13:01 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-11-16 11:18 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll

2012-11-16 11:18 . 2012-10-03 17:44 18944 ----a-w- c:\windows\system32\netevent.dll

2012-11-16 11:18 . 2012-10-03 16:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll

2012-11-16 11:18 . 2012-10-03 16:07 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

2012-11-16 11:18 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll

2012-11-16 11:18 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-01 15:21 . 2012-04-01 12:28 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-01 15:21 . 2011-09-29 22:50 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-30 03:04 . 2010-01-24 13:59 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-20 01:58 . 2011-11-27 15:44 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll

2012-10-20 01:58 . 2011-11-27 15:44 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll

2012-10-16 08:38 . 2012-11-28 13:10 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-11-28 13:10 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-11-28 13:10 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-09-14 19:19 . 2012-10-10 11:39 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-14 18:28 . 2012-10-10 11:39 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-09-29 1685048]

"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

"AROReminder"="c:\program files (x86)\ARO 2012\ARO.exe" [2012-07-27 2553752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]

"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]

"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-10-20 296096]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

.

c:\users\Blanchard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2010-04-29 32768]

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-06-30 35840]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1255736]

R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-05 14456]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-09 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 15:21]

.

2012-11-30 c:\windows\Tasks\EasyShare Registration Task.job

- c:\windows\system32\rundll32.exe [2009-07-13 01:14]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-07 14:07]

.

2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-07 14:07]

.

2012-11-28 c:\windows\Tasks\HPCeeScheduleForBlanchard.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]

.

2012-12-01 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 23:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-29 16333856]

"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mDefault_Page_URL = hxxp://www.yahoo.com

mStart Page = hxxp://www.yahoo.com

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105

Trusted Zone: moove.com

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-10 - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1275306150-1254451135-4285018478-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-1275306150-1254451135-4285018478-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-12-09 11:08:11

ComboFix-quarantined-files.txt 2012-12-09 17:08

ComboFix2.txt 2012-12-09 02:47

.

Pre-Run: 424,446,103,552 bytes free

Post-Run: 424,492,466,176 bytes free

.

- - End Of File - - FFB97304F1ED3916243D43B636DEEDF1


  • Staff

We just have some housekeeping to do now.

Please do the following:

You can delete the DDS, JRT and MBAR logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.


NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next click OK, then the Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished, it should automatically reboot your machine.
    • If it doesn't, manually reboot to ensure a complete clean.

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for both Firefox and IE.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
    Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

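The Internet Explorer hardening steps in the staff post above (Inetcpl.cpl, Internet zone, ActiveX download to Prompt and unsafe scripting to Disable) end up as per-user DWORDs under the Internet Settings zone keys. The script below is an added example, not from the forum post or any tool it names; it audits those three values against the recommended settings using the zone registry layout Microsoft documents, and assumes per-user zone settings are in effect (no Security_HKLM_only policy).

```powershell
<#
  Added example, not part of the forum post or of any tool it names.
  Audits the three Internet-zone ActiveX settings the post changes through
  Inetcpl.cpl, reading the per-user zone values documented by Microsoft
  (Zones\3 is the Internet zone; action codes 0 = Enable, 1 = Prompt, 3 = Disable).
  Run as-is to report; add -Apply to write the recommended values for the current user.
  Assumption: per-user zone settings are in effect (no Security_HKLM_only policy).
#>
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Value name, what it controls, and the setting the post recommends
$wanted = @(
    @{ Name = '1001'; Desc = 'Download signed ActiveX controls';                          Expect = 1 }
    @{ Name = '1004'; Desc = 'Download unsigned ActiveX controls';                        Expect = 1 }
    @{ Name = '1201'; Desc = 'Initialize and script ActiveX controls not marked as safe'; Expect = 3 }
)

$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
foreach ($w in $wanted) {
    $current = $zone.($w.Name)
    if ($null -eq $current) {
        $state = 'not set (zone default applies)'
    } elseif ($meaning.ContainsKey([int]$current)) {
        $state = $meaning[[int]$current]
    } else {
        $state = "unknown ($current)"
    }
    $ok  = ($null -ne $current -and [int]$current -eq $w.Expect)
    $tag = if ($ok) { '[OK] ' } else { '[FIX]' }
    '{0} {1} ({2}): {3}; recommended: {4}' -f $tag, $w.Desc, $w.Name, $state, $meaning[$w.Expect]
    if (-not $ok -and $Apply) {
        # Write the DWORD the same way the Inetcpl.cpl dialog stores the choice
        Set-ItemProperty -Path $zonePath -Name $w.Name -Value $w.Expect -Type DWord
    }
}
```

Lines tagged [FIX] are settings that still differ from what the post asks for; re-running after the Inetcpl.cpl steps (or with -Apply) should show all three as [OK].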

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

