Jump to content

Possible To Have A "Checkup"?


Recommended Posts

This is my friends laptop, long story short, she isnt very good with computer security.

I want to check theres nothing on her computer, though I am no computer expert myself but I do have a little more knowledge than she does.

I know theres got to be some kind of virus, malware, spyware or something on it judging by her internet habits. (eg not updating java flash etc)

And she does banking and stuff on it so I want it to be clean for her.

Although there hasn't been any actual signs of infection (Aa far as I know), is it possible to have, like a 'checkup'?

Y'know, do what you nomally do if someone might be infected? Because I'm certain there has to be something on here.

The laptop has Windows 7 64-bit, Avast free and Malwarebytes free and they both do not detect anything in scans.

I have noticed though, in task manager there are 2 explorer.exe. But strangley one dissapeared after I typed this... But one was using more K then the other and both were running under my user name.

Thats all I can remember... sorry. Not sure if this is normal or not.

Also there are 2 mcorsvw.exe and 2 nvvsvc.exe running on task manager.

Also ctfmon.exe and conhost.exe come and go in thetask manager, I dont rememebr these ever being there.

ALSO it was very slow at startup. After entering password took around 1 min until it got to the desktop. Then maybe 1-3 min to load everything else like desktop items etc. but that could be because i did an avast boot time scan.. not sure.

Also in Resource Monitor, on Network, there are some TCP Connections that are just -

Image: - PID: - Local Address: xxx.xxx.xxx (they were numbers i cant just remember) etc I have no idea what this means or if I should post the full things of it if it can be used to hack me or something i dont know.

dds logs:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16457

Run by michelle at 6:24:55 on 2013-02-22

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.6072.4354 [GMT 8:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\nvvsvc.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\windows\system32\ThpSrv.exe

C:\windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

C:\Windows\System32\ThpSrv.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wuauclt.exe

C:\Windows\SysWOW64\ctfmon.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com.au/

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} -

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\Toshiba\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

TCP: NameServer = 10.0.0.138

TCP: Interfaces\{29CF25C7-69A9-4E90-BEDA-04B0826B25EC} : DHCPNameServer = 10.0.0.138

TCP: Interfaces\{29CF25C7-69A9-4E90-BEDA-04B0826B25EC}\44168747562746574656723702E4564777F627B6 : DHCPNameServer = 192.168.2.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

x64-Run: [ThpSrv] C:\Windows\System32\thpsrv /logon

x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe

x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3

x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe

x64-Run: [HDMICtrlMan] C:\Program Files (x86)\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe

x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\michelle\AppData\Roaming\Mozilla\Firefox\Profiles\pb73dy6u.default\

FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\michelle\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\Windows\System32\drivers\thpdrv.sys [2009-6-30 34880]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\Windows\System32\drivers\Thpevm.sys [2009-6-30 14784]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2011-3-26 482384]

R1 aswKbd;aswKbd;C:\Windows\System32\drivers\aswKbd.sys [2012-11-28 21136]

R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-11-29 984144]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-11-29 370288]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-11-29 25232]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-11-29 71600]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-13 44808]

R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe [2010-1-29 249200]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2009-3-11 46448]

R2 regi;regi;C:\Windows\System32\drivers\regi.sys [2011-3-26 14112]

R2 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2011-3-26 60416]

R2 risdpcie;risdpcie;C:\Windows\System32\drivers\risdpe64.sys [2011-3-26 80384]

R2 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2011-4-26 53760]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\Windows\System32\drivers\TVALZFL.sys [2009-6-20 14472]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-26 2320920]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2011-3-26 56344]

R3 hidshim;Service for HID-KMDF Shim layer;C:\Windows\System32\drivers\hidshim.sys [2009-9-1 6656]

R3 nuvotonhidcir;Nuvoton HID CIR Receiver;C:\Windows\System32\drivers\nuvotonhidcir.sys [2009-9-1 26624]

R3 nuvotonir;Nuvoton CIR Transceiver;C:\Windows\System32\drivers\nuvotonir.sys [2009-9-1 68096]

R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2011-3-26 35008]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-3-26 291328]

R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\Windows\System32\drivers\rtl8192se.sys [2011-3-26 1110560]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-6 137560]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-26 13336]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-7 59392]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-2-18 51712]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-26 1255736]

S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-9-14 353384]

S4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-7-29 267192]

S4 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-7-23 822192]

.

=============== Created Last 30 ================

.

2013-02-21 18:44:55 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-02-21 18:44:31 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-02-15 22:04:52 208448 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

.

==================== Find3M ====================

.

2013-02-21 18:44:12 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-14 08:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-12-12 13:55:45 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-12 13:55:45 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-12-12 13:55:32 16363960 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe

.

============= FINISH: 6:26:08.12 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 25/03/2011 4:06:33 PM

System Uptime: 22/02/2013 3:47:41 AM (3 hours ago)

.

Motherboard: TOSHIBA | | Portable PC

Processor: Intel® Core™ i7 CPU Q 740 @ 1.73GHz | rPGA988A Socket | 919/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 686 GiB total, 593.569 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP448: 8/02/2013 3:00:14 AM - Windows Update

RP449: 9/02/2013 6:23:33 AM - Windows Update

RP450: 10/02/2013 4:28:59 AM - Windows Update

RP451: 11/02/2013 7:00:38 AM - Windows Update

RP452: 12/02/2013 9:19:10 AM - Windows Update

RP453: 13/02/2013 3:03:53 AM - Windows Update

RP454: 14/02/2013 10:03:27 AM - Windows Update

RP455: 15/02/2013 3:00:12 AM - Windows Update

RP456: 16/02/2013 3:00:11 AM - Windows Update

RP457: 17/02/2013 3:09:39 AM - Windows Update

RP458: 18/02/2013 4:42:14 AM - Windows Update

RP459: 19/02/2013 4:45:54 AM - Windows Update

RP460: 20/02/2013 3:00:16 AM - Windows Update

RP461: 21/02/2013 3:04:09 AM - Windows Update

RP462: 21/02/2013 9:42:24 PM - Removed Java™ 6 Update 20

RP463: 21/02/2013 9:49:58 PM - Removed Facebook Video Calling 1.2.0.287

RP464: 21/02/2013 10:30:25 PM - Removed Adobe Reader 9.5.2.

RP465: 22/02/2013 2:43:44 AM - Installed Java 7 Update 15

RP466: 22/02/2013 3:00:11 AM - Windows Update

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader XI (11.0.02)

Amazon Kindle For PC v1.1

Apple Application Support

Apple Mobile Device Support

Apple Software Update

avast! Free Antivirus

Barbie as The Island Princess

BigPond Broadband ADSL

Bluetooth Stack for Windows by Toshiba

Bonjour

BookSmart® 3.3.1 3.3.1

Canon MP Navigator 3.0

Canon MP160

Corel WinDVD

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Direct DiscRecorder

Disneys Digital Coloring Book Featuring Toy Story 2

DVD MovieFactory for TOSHIBA

e-tax 2011

e-tax 2012

EA Download Manager

Fashion Toolbox Unregistered Trial Version

GIMP 2.8.2

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

HDMI Control Manager

Intel® Control Center

Intel® Management Engine Components

Intel® Rapid Storage Technology

iTunes

Java 7 Update 15

Java Auto Updater

JumpStart Explorers

JumpStart Spanish

Junk Mail filter update

LEGO Digital Designer

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office 2010

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Business 2010

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 19.0 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nuvoton CIR Device Drivers

NVIDIA 3D Vision Driver 260.64

NVIDIA Control Panel 260.64

NVIDIA Drivers

NVIDIA Graphics Driver 260.64

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.10.0224

NVIDIA Stereoscopic 3D Driver

Origin

PlayReady PC Runtime amd64

QuickTime

Realtek Ethernet Controller Driver For Windows Vista and Later

Realtek High Definition Audio Driver

Realtek WLAN Driver

RICOH R5U230 Media Driver ver.2.09.03.01

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition

SpongeBob SquarePants Employee of the Month

SPORE™

Synaptics Pointing Device Driver

TOSHIBA Assist

TOSHIBA Bulletin Board

TOSHIBA ConfigFree

TOSHIBA Disc Creator

TOSHIBA eco Utility

TOSHIBA Face Recognition

TOSHIBA HDD Protection

TOSHIBA HDD/SSD Alert

TOSHIBA Media Controller

TOSHIBA Media Controller Plug-in

TOSHIBA PC Health Monitor

TOSHIBA Recovery Media Creator

TOSHIBA ReelTime

TOSHIBA Remote Control Manager

TOSHIBA Sleep Utility

TOSHIBA Speech System Applications

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

TOSHIBA Value Added Package

TOSHIBA VIDEO PLAYER

TOSHIBA Web Camera Application

Unity Web Player

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition

Windows Driver Package - Atheros Communications Inc. (arusb_lhx) Net (09/25/2008 3.1.0.101)

Windows Driver Package - NETGEAR Inc. (RTL8187) Net (12/01/2006 6.1258.1201.2006)

Windows Driver Package - Thomson (USB_RNDIS) Net (02/15/2007 2.0.0.0)

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

Zoo Animals

.

==== Event Viewer Messages From Past Week ========

.

22/02/2013 6:01:08 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

22/02/2013 5:51:37 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

22/02/2013 5:50:56 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intel® Rapid Storage Technology service to connect.

22/02/2013 5:50:56 AM, Error: Service Control Manager [7000] - The Intel® Rapid Storage Technology service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

22/02/2013 12:53:11 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Description with the following error: Access is denied.

19/02/2013 10:42:21 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.

19/02/2013 10:42:21 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.

17/02/2013 3:11:41 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070005: Security Update for Windows 7 for x64-based Systems (KB2676562).

.

==== End Of File ===========================

Thanks and sorry if its a stupid question... Since theres no sign of infection yet, this can be a low priority topic, come here to help me AFTER your done with your jobs, you know.

btw I think thats a record for saying 'Also' the most in one post :P

Link to post
Share on other sites

  • Replies 55
  • Created
  • Last Reply

Top Posters In This Topic

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

http://tigzy.geekstogo.com/Tools/RogueKillerX64.exe <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop. (please don't put logs in code or quotes)

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

MrC

<+>
Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>
Please stick with me until I give you the "all clear".

<+>The removal of malware isn't instantaneous, please be patient.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Thanks for a reply!Okay I ran the scan:

RogueKiller V8.5.1 _x64_ [Feb 21 2013] by Tigzy

mail : tigzyRKgmailcom

Feedback : http://www.geekstogo...13-roguekiller/

Website : http://tigzy.geeksto...roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : michelle [Admin rights]

Mode : Scan -- Date : 02/22/2013 22:43:04

| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤

[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK7559GSXP +++++

--- User ---

[MBR] 45f2c5a2661d89b5f41418038f50ee56

[bSP] b7970fcac872dc62b02fb5ea5107fd9f : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 702812 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1442433024 | Size: 11091 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : >

RKreport[1]_S_02222013_02d2243.txt

btw what do you mean peer 2 peer software? Is there one on this system? If so what and where? Because I really dont think the owner of this computer would have that.Also, that bad process could be just notepad, I had it opened and forgot to close it before the scan. It closed it for me though.. Just letting you know

Link to post
Share on other sites

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Please make sure Windows Defender is disabled:

http://www.howtogeek...ow-turn-it-off/

-------------------------------------------

Then...............

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC

Link to post
Share on other sites

I tried disabling Windows Defender like you said 2 windows popped up trying this:

This program is turned off, if you are using another program that checks fro hamrful or unwanted software, use the Action Center to check that programs status.

If you would like to use this program, click here to turn it on.

And:

Operation aborted (Error Code: 0x80004004)

Is that normal?

Okay I will download mbar now.

Link to post
Share on other sites

Okay when I tried running mbar, avast! behavior shield blocked it:

Program: C:\Users\michelle\Desktop\mbar-1.01.0.1020\mbar\mbar.exe

Action: Deny

Target: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mbamchameleon

Could be because I set the heuristic sensitivity high for the shields..

and mbar said:

Could not load DDA driver.

DDA Driver was not installed which may be caused by rootkit activity.

Do you want to reboot the computer to install DDA driver (Scan will continue after reboot)?

Sorry, I may have missed something, was I supposed to turn off avast?Do I do yes to restart or no?

Link to post
Share on other sites

Forget about MBAR and CAREFULLY run TDSSKiller:

-----------------------------------

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    clip.jpg
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
    If in doubt about an entry....please ask or choose Skip
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC

Link to post
Share on other sites

Okay i hope i did everything right.

It detected 1 suspicious item, i did skip.

1st log:

00:17:11.0925 5012 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42

00:17:13.0204 5012 ============================================================

00:17:13.0204 5012 Current date / time: 2013/02/23 00:17:13.0204

00:17:13.0204 5012 SystemInfo:

00:17:13.0204 5012

00:17:13.0204 5012 OS Version: 6.1.7601 ServicePack: 1.0

00:17:13.0204 5012 Product type: Workstation

00:17:13.0204 5012 ComputerName: MICHELLE-PC

00:17:13.0204 5012 UserName: michelle

00:17:13.0204 5012 Windows directory: C:\Windows

00:17:13.0204 5012 System windows directory: C:\Windows

00:17:13.0204 5012 Running under WOW64

00:17:13.0204 5012 Processor architecture: Intel x64

00:17:13.0204 5012 Number of processors: 8

00:17:13.0204 5012 Page size: 0x1000

00:17:13.0204 5012 Boot type: Normal boot

00:17:13.0204 5012 ============================================================

00:17:13.0750 5012 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

00:17:13.0750 5012 ============================================================

00:17:13.0750 5012 \Device\Harddisk0\DR0:

00:17:13.0750 5012 MBR partitions:

00:17:13.0750 5012 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0x55CAE000

00:17:13.0750 5012 ============================================================

00:17:13.0813 5012 C: <-> \Device\Harddisk0\DR0\Partition1

00:17:13.0813 5012 ============================================================

00:17:13.0813 5012 Initialize success

00:17:13.0813 5012 ============================================================

00:19:10.0938 5760 Deinitialize success

2nd log:

Too long, attached it.

I hope thats right. I also noticed above the 2 tdss killer logs a file called:

bootsqm.dat, not sure if this is related to tdss killer or not just thought id say anyway.

btw when I tried logging in to the forum it said this:

forums.malwarebytes.org Driver Error

There appears to be an error with the database.

If you are seeing this page, it means there was a problem communicating with our database. Sometimes this error is temporary and will go away when you refresh the page. Sometimes the error will need to be fixed by an administrator before the site will become accessible again.

You can try to refresh the page by clicking here

But it worked after another try.

EDIT: forgot to attach it whoops

TDSSKiller.2.8.16.0_23.02.2013_00.22.11_log.txt

Link to post
Share on other sites

That file is OK.....Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Combofix is running, (Im using a differant computer to post)

Its done its 50 stages, its deleting some temporary internet files, but it hasnt done anything since. its been 5 minutes. Ill give it some more time. It looks like i can scroll down the list but Im not sure if I should... I tried moving the mouse the tiniest tiniest bit and it didn't move, im not sure if its just it stalling because combofix probably uses alot of resources or something or if the computer actually froze. The little thing on the blue box is still flashing so im guessing not.

EDIT: Okay its creating log report now. But taking a little while... Ill post it when its done..

EDIT2: Okay its done:

(Note: the Xxxxxxxxxxxxxxxxxxxxxxxxxxx.doc.url file I blanked out, its not really called that)

ComboFix 13-02-22.01 - michelle 23/02/2013 1:03.4.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.6072.4669 [GMT 8:00]

Running from: c:\users\michelle\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{0228EB75-2B65-4A9C-A91E-87EB67763250}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{04580C5C-AADE-4156-8B3E-60D96EBD5619}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{22C3F479-CBB6-402A-9850-A5D34CF045B6}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{238D25C0-0807-4E06-A875-12E143F5C37B}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3343A7D0-129D-4EBF-9995-6123EDBB9B43}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{35F9C242-3F20-4395-A0A1-DD7439AAF30E}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{39F6315C-87FC-40E9-B414-5B46BB985BA1}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{48217826-70E0-48B2-9BAF-208B964705A3}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5DF293B8-0361-41D9-AB5B-F452AAA5F811}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{646786F5-2241-4B87-912C-74B3DFFCAB48}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{655B3F82-CD38-4D66-B0B1-8330206C2A99}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{689C4334-4EC2-40FE-AD86-0A4A74048F63}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7DA095F7-2B00-451B-BF85-A16FB62E061E}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{827839EF-D7DB-4C34-9E48-F828439F344D}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{85AD52CD-CA25-4675-94E5-1E44F5842236}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8CE6CE51-006D-4899-8430-289206404199}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{94700790-5E4C-4CD4-BC7D-0DD3C8255AF0}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{97170214-BAF2-4A2D-A71F-07210E3CE3B9}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9FA47A3D-E656-48F8-867A-4B55E55A34BD}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9FDBC374-528B-44A9-A585-66502E4C8FB0}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{AC23C443-8F78-4131-8A7A-49D34023AC2F}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CE02F8E8-7ABA-4937-BC10-A2559F32535D}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E773A8A2-D3CA-4817-A86F-0863974810DD}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F53C8705-2C1A-4A24-AE95-09B867BF9F62}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F80CD8F7-CB65-4A18-AC01-92DAEF54AC35}.xps

c:\users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FB2C67A1-5EA5-4B02-AE74-EC6A1495DCC6}.xps

c:\users\michelle\AppData\Roaming\Microsoft\Windows\Recent\Xxxxxxxxxxxxxxxxxxxxxxxxxxx.doc.url

.

.

((((((((((((((((((((((((( Files Created from 2013-01-22 to 2013-02-22 )))))))))))))))))))))))))))))))

.

.

2013-02-22 17:09 . 2013-02-22 17:09 -------- d-----w- c:\users\Public\AppData\Local\temp

2013-02-22 17:09 . 2013-02-22 17:09 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-22 15:42 . 2013-02-22 15:42 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-02-22 15:42 . 2013-02-22 15:42 157000 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-02-21 18:45 . 2013-02-21 18:45 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-02-21 18:44 . 2013-02-21 18:44 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-02-21 18:44 . 2013-02-21 18:44 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-02-21 15:49 . 2013-02-21 15:49 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2013-02-15 22:04 . 2013-02-15 22:04 208448 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-21 18:44 . 2010-09-07 02:21 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-01-13 07:33 . 2011-03-27 07:14 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll

2013-01-13 07:33 . 2011-05-06 00:51 336208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll

2013-01-11 06:19 . 2011-04-25 10:59 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll

2013-01-11 06:19 . 2011-03-27 07:13 336208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2012-12-16 17:11 . 2012-12-21 20:10 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 14:45 . 2012-12-21 20:10 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-16 14:13 . 2012-12-21 20:10 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-16 14:13 . 2012-12-21 20:10 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-14 08:49 . 2013-01-09 14:23 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-13 10:00 . 2011-11-29 03:06 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-12-12 13:55 . 2012-04-01 06:48 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-12 13:55 . 2011-12-19 21:21 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-12 13:55 . 2012-12-12 13:55 16363960 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer3"=wdmaud.drv

.

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-02-18 51712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-03-25 1255736]

R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-09-14 353384]

R4 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-07-28 267192]

R4 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-07-22 822192]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]

S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2010-09-02 482384]

S1 aswKbd;aswKbd; [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 14112]

S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-07-02 60416]

S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2010-05-08 80384]

S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2011-04-25 53760]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

S3 hidshim;Service for HID-KMDF Shim layer;c:\windows\system32\DRIVERS\hidshim.sys [2009-08-31 6656]

S3 nuvotonhidcir;Nuvoton HID CIR Receiver;c:\windows\system32\DRIVERS\nuvotonhidcir.sys [2009-08-31 26624]

S3 nuvotonir;Nuvoton CIR Transceiver;c:\windows\system32\DRIVERS\nuvotonir.sys [2009-08-31 68096]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-11-06 291328]

S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-06-11 1110560]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 02750089

*NewlyCreated* - 13685351

*Deregistered* - 02750089

*Deregistered* - 13685351

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-02-01 18:46 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-22 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 13:55]

.

2013-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-19 21:21]

.

2013-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-19 21:21]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 22:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-10 10103840]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-10 896032]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com.au/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 10.0.0.138

FF - ProfilePath - c:\users\michelle\AppData\Roaming\Mozilla\Firefox\Profiles\pb73dy6u.default\

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SafeBoot-02750089.sys

HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

HKLM-Run-HDMICtrlMan - c:\program files (x86)\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe

HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1973585710-1515046713-2421341157-1001\Software\SecuROM\License information*]

"datasecu"=hex:25,15,87,64,f1,b8,dd,5e,91,be,63,db,b0,bb,53,e4,46,c4,74,6e,5e,

2a,37,dc,1c,a2,5d,47,5e,30,73,42,0e,3e,71,8d,cb,8c,a9,79,1e,4d,1c,d2,b0,56,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-02-23 01:21:08

ComboFix-quarantined-files.txt 2013-02-22 17:21

.

Pre-Run: 637,484,216,320 bytes free

Post-Run: 638,799,400,960 bytes free

.

- - End Of File - - 5FBF99D2213695ACC02C4CBE0DD3876F

Also a file got deleted that my friend needs, can I recover it??

Link to post
Share on other sites

This one? Because I didnt see combofix-quarantined-files.txt where else do I look?

Nevermind I found it:

2013-02-22 17:20:07 . 2013-02-22 17:20:07 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-00TCrdMain.reg.dat

2013-02-22 17:20:07 . 2013-02-22 17:20:07 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-HDMICtrlMan.reg.dat

2013-02-22 17:20:07 . 2013-02-22 17:20:07 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-HSON.reg.dat

2013-02-22 17:20:07 . 2013-02-22 17:20:07 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat

2013-02-22 17:20:07 . 2013-02-22 17:20:07 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TosReelTimeMonitor.reg.dat

2013-02-22 17:19:57 . 2013-02-22 17:19:57 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-02750089.sys.reg.dat

2013-02-22 17:19:48 . 2013-02-22 17:19:48 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat

2013-02-22 17:07:24 . 2013-02-22 17:07:24 6,892 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2013-02-22 17:01:31 . 2013-02-22 17:01:31 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

2012-09-10 04:52:56 . 2012-09-10 04:52:56 145 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Roaming\Microsoft\Windows\Recent\xxxxxxxxxxxxx.doc.url.vir

2012-04-03 11:18:12 . 2012-04-03 11:18:12 154,759 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CE02F8E8-7ABA-4937-BC10-A2559F32535D}.xps.vir

2012-04-03 11:17:12 . 2012-04-03 11:17:12 154,777 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E773A8A2-D3CA-4817-A86F-0863974810DD}.xps.vir

2012-03-31 09:08:27 . 2012-03-31 09:08:27 159,380 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{827839EF-D7DB-4C34-9E48-F828439F344D}.xps.vir

2012-03-17 03:35:21 . 2012-03-17 03:35:21 67,030 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{0228EB75-2B65-4A9C-A91E-87EB67763250}.xps.vir

2012-01-13 08:09:16 . 2012-01-13 08:09:16 281,173 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{35F9C242-3F20-4395-A0A1-DD7439AAF30E}.xps.vir

2012-01-13 08:06:30 . 2012-01-13 08:06:30 281,202 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{646786F5-2241-4B87-912C-74B3DFFCAB48}.xps.vir

2012-01-13 07:55:58 . 2012-01-13 07:56:00 281,180 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{85AD52CD-CA25-4675-94E5-1E44F5842236}.xps.vir

2012-01-11 18:59:32 . 2012-01-11 18:59:32 137,290 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F80CD8F7-CB65-4A18-AC01-92DAEF54AC35}.xps.vir

2012-01-11 18:59:05 . 2012-01-11 18:59:05 137,290 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5DF293B8-0361-41D9-AB5B-F452AAA5F811}.xps.vir

2012-01-09 12:47:20 . 2012-01-09 12:47:20 159,934 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{3343A7D0-129D-4EBF-9995-6123EDBB9B43}.xps.vir

2012-01-05 19:18:36 . 2012-01-05 19:18:36 41,634 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{689C4334-4EC2-40FE-AD86-0A4A74048F63}.xps.vir

2012-01-05 19:18:04 . 2012-01-05 19:18:04 337,860 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{04580C5C-AADE-4156-8B3E-60D96EBD5619}.xps.vir

2012-01-05 19:17:43 . 2012-01-05 19:17:43 41,634 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9FA47A3D-E656-48F8-867A-4B55E55A34BD}.xps.vir

2012-01-05 19:17:14 . 2012-01-05 19:17:14 41,634 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{94700790-5E4C-4CD4-BC7D-0DD3C8255AF0}.xps.vir

2012-01-05 16:57:56 . 2012-01-05 16:57:56 276,743 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8CE6CE51-006D-4899-8430-289206404199}.xps.vir

2012-01-05 12:42:40 . 2012-01-05 12:42:40 45,565 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7DA095F7-2B00-451B-BF85-A16FB62E061E}.xps.vir

2012-01-05 12:41:46 . 2012-01-05 12:41:46 45,565 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{655B3F82-CD38-4D66-B0B1-8330206C2A99}.xps.vir

2012-01-05 12:41:19 . 2012-01-05 12:41:19 45,565 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{22C3F479-CBB6-402A-9850-A5D34CF045B6}.xps.vir

2012-01-05 12:40:37 . 2012-01-05 12:40:37 56,198 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FB2C67A1-5EA5-4B02-AE74-EC6A1495DCC6}.xps.vir

2012-01-03 16:10:40 . 2012-01-03 16:10:40 287,858 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{48217826-70E0-48B2-9BAF-208B964705A3}.xps.vir

2012-01-01 13:01:01 . 2012-01-01 13:01:01 110,254 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{238D25C0-0807-4E06-A875-12E143F5C37B}.xps.vir

2012-01-01 12:53:59 . 2012-01-01 12:53:59 110,254 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{9FDBC374-528B-44A9-A585-66502E4C8FB0}.xps.vir

2012-01-01 12:50:00 . 2012-01-01 12:50:00 110,254 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{39F6315C-87FC-40E9-B414-5B46BB985BA1}.xps.vir

2012-01-01 12:49:24 . 2012-01-01 12:49:24 110,254 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{97170214-BAF2-4A2D-A71F-07210E3CE3B9}.xps.vir

2011-12-07 06:33:50 . 2011-12-07 06:33:50 230,064 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{AC23C443-8F78-4131-8A7A-49D34023AC2F}.xps.vir

2011-12-07 05:41:20 . 2011-12-07 05:41:20 230,061 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F53C8705-2C1A-4A24-AE95-09B867BF9F62}.xps.vir

Link to post
Share on other sites

You'll have to fill in the rest for the XXXX

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

DeQuarantine::

2012-09-10 04:52:56 . 2012-09-10 04:52:56 145 ----a-w- C:\Qoobox\Quarantine\C\Users\michelle\AppData\Roaming\Microsoft\Windows\Recent\xxxxxxxxxxxxx.doc.url.vir

QUIT::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

Link to post
Share on other sites

In resource monitor under Network, under TCP Connections there are connections that are just:

-

Normally that have a name but there are a few that are just this sign: -

My other computer doesn't do this.

I could take a screenshot, but will it give away network information that could be used to hack me or something?

Link to post
Share on other sites

lol thats what ive been reading which is why I started asking that.. But it looks like resource monitor shows most of that stuff tcpview does. It shows PID, local address, local port, remote address, remote port, packet loss (%) and latency. The only thing it looks like it doesn't show is Protocol and State. Well, nevermind then Just wanted to see if it was a hacker maybe.. But you would've seen a trojan on one of those logs right?? Anyway, I will de-quarantine that file after avast has done its scheduled scan... Which can take 1-3 hours..........

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.