ShawnSchirmer Posted April 28, 2013 ID:674560

Hello. Five days ago I caught Chitka Malware; at the same time a red X one-quarter of an inch square began appearing in the middle of my browser page (it makes copying and pasting from text in the browser near the red X impossible), as did a popup in the lower right hand corner of my screen that says Advertise, and Today, and includes the text of recent searches I've made. My browser also redirects one time in five or so when I click on a link. The red X disappears when I click.

I've run Malwarebytes Anti-Malware Pro but it detects none of these things. Nor does my copy of AVG Free. Smart Popup Blocker does not stop any of these things. Simple AdBlock sometimes removes the Chitka popup, and sometimes it doesn't.

Here are the DDS.txt and ATTACH.txt as requested on the page http://forums.malwarebytes.org//index.php?showtopic=9573 titled "I'm infected. What Do I Do Now?"

Thank you for any help you can give me.

S. and B.
SchirmerDDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by newjohndoe at 2:29:31 on 2013-04-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.1132 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\ASUS.SYS\config\DVMExportService.exe
P:\Program Files\Java\bin\jqs.exe
e:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
e:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe
e:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\ASUS\TurboV EVO\TurboVHelp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ASUS\TurboV EVO\TurboV_EVO.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\QFan3\QFanHelp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\diskediag.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\WINDOWS\stidraw32.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
P:\Program Files\WinZip\WZQKPICK32.EXE
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Works\msworks.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Works\WksWP.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
C:\WINDOWS\notepad.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\WksWP.exe
P:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe
E:\Program Files\wbridge5\Wbridge5.exe
P:\Chrome\Application\chrome.exe
P:\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} -
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - p:\program files\java\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
BHO: SpeedBit Link Verification Helper: {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} - p:\program files\downloadaccelplus\LinkVerifier.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - p:\program files\java\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - p:\program files\java\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - c:\program files\common files\simple adblock\SimpleAdblock.dll
TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
uRun: [iSUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [TurboV Help] "c:\program files\asus\turbov evo\TurboVHelp.exe"
mRun: [TurboV EVO] "c:\program files\asus\turbov evo\TurboV_EVO.exe" -b
mRun: [six Engine] "c:\program files\asus\six engine\SixEngine.exe" -b
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QFan Help] "c:\program files\qfan3\QFanHelp.exe"
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [QuickTime Task] "p:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MemoryMangerExi] c:\windows\diskediag.exe
mRun: [bCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [DNS7reminder] "p:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini"
mRun: [startCCC] "p:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRunOnce: [Z1] cmd /c "e:\program files\mbar\mbar.exe" /cleanup /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - p:\program files\winzip\WZQKPICK32.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Download with &DAP - p:\program files\downloadaccelplus\dapextie.htm
IE: &Verify with DAP - p:\program files\downloadaccelplus\dapverify.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - p:\program files\downloadaccelplus\dapextie2.htm
IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{5F2F77E2-A052-4406-9D10-E8F4DF4223CC} : DHCPNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\newjohndoe\application data\mozilla\firefox\profiles\p5n82ypw.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\14.2.0\npsitesafety.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_146.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: e:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: e:\program files\google\picasa3\npPicasa3.dll
FF - plugin: p:\program files\java\bin\plugin2\npjp2.dll
FF - plugin: p:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: p:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: p:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: p:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: p:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: p:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: p:\program files\quicktime\plugins\npqtplugin7.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [2010-8-6 257064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 255968]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-2-13 33112]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.05\AsSysCtrlService.exe [2011-3-5 109056]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2009-10-26 223464]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2011-6-4 296808]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [2009-7-17 319488]
R2 MBAMScheduler;MBAMScheduler;e:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-12 418376]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-14 701512]
R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\14.2.0\ToolbarUpdater.exe [2013-3-1 968880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-7 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-27 40776]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-4-26 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-4-26 146568]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-3-5 2127728]
S2 5613;5613;\??\c:\docume~1\newjoh~1\locals~1\temp\5613.sys --> c:\docume~1\newjoh~1\locals~1\temp\5613.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 167264]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2011-3-14 11264]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-4-27 35144]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;p:\program files\sony\sound organizer\sony.earth\PACSPTISVR.exe [2010-11-19 157024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-04-28 02:46:45 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-04-28 02:38:07 143688 ----a-w- c:\windows\system32\drivers\6FC03202.sys
2013-04-28 02:20:20 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-04-26 02:00:45 -------- d-----w- c:\program files\MSXML 4.0
2013-04-24 21:03:42 -------- d-----w- C:\Sony_SoundOrganizer_2F70A8C8665241a6ABC5BCF09F756BC3
2013-04-22 06:47:34 -------- d-----w- c:\documents and settings\newjohndoe\application data\JAM Software
2013-04-19 12:52:23 275696 ----a-w- c:\windows\system32\mucltui.dll
2013-04-19 12:52:23 214256 ----a-w- c:\windows\system32\muweb.dll
2013-04-19 12:52:23 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2013-04-19 12:45:38 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2013-04-19 07:55:41 -------- d-----w- c:\documents and settings\newjohndoe\local settings\application data\Google
2013-04-19 06:59:27 -------- d-----w- c:\documents and settings\all users\application data\Sony Corporation
2013-04-19 06:44:12 -------- d-----w- c:\documents and settings\newjohndoe\application data\Nuance
2013-04-19 06:21:14 -------- d-----w- c:\documents and settings\newjohndoe\application data\FLEXnet
2013-04-19 06:19:08 -------- d-----w- c:\program files\common files\IVA
2013-04-19 06:18:54 -------- d-----w- c:\program files\common files\Nuance
2013-04-19 06:16:39 -------- d-----w- c:\windows\Speech
2013-04-19 06:16:39 -------- d-----w- c:\documents and settings\all users\application data\Nuance
2013-04-19 04:06:22 -------- d--h--w- C:\$AVG
2013-04-19 03:43:25 -------- d--h--w- c:\documents and settings\newjohndoe\local settings\application data\PCHealth
2013-04-19 03:38:59 -------- d-----w- c:\program files\msn gaming zone
2013-04-19 03:16:50 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2013-04-01 06:20:47 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2013-04-01 06:20:47 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2013-04-01 06:20:47 -------- d-----w- c:\program files\OpenAL
2013-04-01 06:04:54 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2013-04-01 06:04:08 -------- d-sh--w- C:\AI_RecycleBin
2013-04-01 06:04:02 -------- d--h--w- c:\documents and settings\newjohndoe\application data\Strongvault
.
==================== Find3M ====================
.
2013-04-11 17:56:48 71192 ----a-w- c:\windows\system32\atimpc32.dll
2013-04-11 17:56:48 71192 ----a-w- c:\windows\system32\amdpcom32.dll
2013-04-11 17:54:48 6850048 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2013-04-11 17:45:58 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2013-04-11 17:44:52 306176 ----a-w- c:\windows\system32\ati2dvag.dll
2013-04-11 17:22:50 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2013-04-11 17:22:38 163840 ----a-w- c:\windows\system32\Oemdspif.dll
2013-04-11 17:22:30 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2013-04-11 17:22:22 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2013-04-11 17:22:10 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2013-04-11 17:20:52 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2013-04-11 17:19:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2013-04-11 17:05:46 4844064 ----a-w- c:\windows\system32\ati3duag.dll
2013-04-11 16:49:06 18964480 ----a-w- c:\windows\system32\atioglxx.dll
2013-04-11 16:43:58 2380672 ----a-w- c:\windows\system32\ativvaxx.dll
2013-04-11 16:43:02 307200 ----a-w- c:\windows\system32\atiiiexx.dll
2013-04-11 16:27:58 163840 ----a-w- c:\windows\system32\atiapfxx.exe
2013-04-11 16:23:36 929792 ----a-w- c:\windows\system32\atikvmag.dll
2013-04-11 16:18:52 245760 ----a-w- c:\windows\system32\atiadlxx.dll
2013-04-11 16:18:32 17408 ----a-w- c:\windows\system32\atitvo32.dll
2013-04-11 16:17:48 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2013-04-11 16:15:54 495616 ----a-w- c:\windows\system32\atiok3x2.dll
2013-04-11 16:13:08 663552 ----a-w- c:\windows\system32\ati2cqag.dll
2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-08 15:13:14 71024 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 15:13:14 691568 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 03:12:59 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2010-03-25 15:02:12 3782272 ----a-w- c:\program files\AiSuite.exe
2010-01-10 02:55:16 811648 -c--a-w- c:\program files\RegSchdTask.exe
2009-12-29 01:19:28 461440 ----a-w- c:\program files\CpuLevelUpHook64.exe
2009-12-29 01:19:26 326272 ----a-w- c:\program files\CpuLevelUpHook32.exe
2009-12-29 01:19:24 589440 -c--a-w- c:\program files\CpuLevelUpHookLaunch.exe
2009-12-29 01:19:22 887936 ----a-w- c:\program files\CpuLevelUpHelp.exe
2009-06-29 20:25:36 69632 ----a-w- c:\program files\AsAcpi.dll
2009-01-23 00:44:28 876 -c--a-w- c:\program files\asus.reg
2009-01-23 00:44:28 292 -c--a-w- c:\program files\epu.reg
2008-01-28 16:58:18 57344 ----a-w- c:\program files\AsInsHelp.dll
2007-10-11 18:51:00 53248 -c--a-w- c:\program files\HookKey32.dll
2007-10-11 18:50:56 48128 -c--a-w- c:\program files\HookKey64.dll
2007-08-08 14:48:42 69632 -c--a-w- c:\program files\HookKey.dll
2005-09-09 21:31:12 40960 ----a-w- c:\program files\AsUninsHlp.dll
.
============= FINISH: 2:30:10.23 ===============

ATTACH.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/5/2011 5:54:41 AM
System Uptime: 4/27/2013 10:39:56 PM (4 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P7P55D-E PRO
Processor: Intel® Core i5 CPU 750 @ 2.67GHz | LGA1156 | 2675/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 20 GiB total, 0.943 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 98 GiB total, 38.98 GiB free.
P: is FIXED (NTFS) - 293 GiB total, 203.052 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP759: 4/26/2013 5:43:40 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Digital Editions 2.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
AI Suite
Amazing Slow Downer (remove only)
AMD Catalyst Install Manager
Amnesia - The Dark Descent Demo
Apple Software Update
ASUS VGA Driver
ATI AVIVO Codecs
ATI Catalyst Registration
ATI Stream SDK v2 Developer
Audacity 2.0.2
AVG 2011
Batman: Arkham Asylum - Demo
Bing Bar Platform
Browser Configuration Utility
Canon MX330 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Comic Seer
Company of Heroes Singleplayer Demo
Compatibility Pack for the 2007 Office system
Digital Voice Editor 3
DivX Setup
Download Accelerator Plus (DAP)
Dragon NaturallySpeaking 11
EPU-6 Engine
ERValue5.0
Express Gate
Fallout 3
Google Chrome
Google Earth Plug-in
Google Update Helper
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HEED 4 build 22 version 12.02.28
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HVAC-Calc Residential
Java 6 Update 33
JMicron JMB36X Driver
K-Lite Mega Codec Pack 9.3.0
Left 4 Dead
Left 4 Dead 2
Malwarebytes Anti-Malware version 1.75.0.1300
marvell 91xx driver
Mass Effect 2 Demo
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Halo Trial
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
Mozilla Firefox 20.0.1 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
Nero OEM
NVIDIA PhysX
OpenAL
PC Probe II
Penumbra Episode 1 Demo
Picasa 3
Platform
Portal
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Renesas Electronics USB 3.0 Host Controller Driver
REScheck 4.4.3.0 (Current User)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Simple Adblock
Sony Player Plug-in for Windows Media Player
Sound Organizer
Steam
Team Fortress 2
The Walking Dead
TreeSize Free V2.7
TurboV EVO
Unlocker 1.9.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
VC80CRTRedist - 8.0.50727.6195
VIA Platform Device Manager
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking
Wbridge5 4.9
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR 4.20 (32-bit)
WinZip 16.5
Works Suite OS Pack
XML Paper Specification Shared Components Pack 1.0
Youtube Downloader HD v. 2.9.5
.
==== Event Viewer Messages From Past Week ========
.
4/27/2013 10:40:36 PM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.
4/27/2013 10:38:18 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
4/26/2013 5:51:07 PM, error: Service Control Manager [7000] - The 5613 service failed to start due to the following error: The system cannot find the file specified.
4/26/2013 5:49:32 PM, error: Service Control Manager [7034] - The vToolbarUpdater14.2.0 service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
gringo_pr (Staff) Posted April 28, 2013 ID:674565

Hello ShawnSchirmer

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

[*] Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
[*] Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
[*] Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
[*] Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with these, just skip it and run the next one.

-Security Check-

Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller

+Gringo
ShawnSchirmer Posted April 28, 2013 Author ID:674690
Thanks very much for the help, Gringo. Here are the three files you requested:

*****THIS IS THE CHECKUP.TXT*****

 Results of screen317's Security Check version 0.99.63
 Windows XP Service Pack 3 x86
 Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG 2011
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
 Java 6 Update 33
 Java version out of Date!
Adobe Flash Player 11.5.502.146
Adobe Reader 10.1.1
Adobe Reader out of Date!
Mozilla Firefox (20.0.1)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 40% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

******THIS IS THE ADWCLEANER TXT*****

# AdwCleaner v2.300 - Logfile created 04/28/2013 at 18:48:40
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : newjohndoe - JOHNDOENEW
# Boot Mode : Normal
# Running from : P:\Temp Internet Files mved 42013 from C\Temporary Internet Files\Content.IE5\WGSNKGY4\adwcleaner[1].exe
# Option [Delete]

***** [Services] *****

Stopped & Deleted : vToolbarUpdater14.2.0

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\DeviceVM
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search

***** [Registry] *****

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F7652513C62FF63448CFF05163719DB7
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Documents and Settings\newjohndoe\Application Data\Mozilla\Firefox\Profiles\p5n82ypw.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\newjohndoe\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [unable to get version]

File : C:\Documents and Settings\newjohndoe\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [20769 octets] - [26/04/2013 00:40:06]
AdwCleaner[R2].txt - [20795 octets] - [26/04/2013 00:50:53]
AdwCleaner[R3].txt - [2135 octets] - [28/04/2013 18:47:55]
AdwCleaner[S1].txt - [347 octets] - [24/04/2013 23:41:40]
AdwCleaner[S2].txt - [355 octets] - [26/04/2013 00:43:58]
AdwCleaner[S3].txt - [21347 octets] - [26/04/2013 00:51:03]
AdwCleaner[S4].txt - [2093 octets] - [28/04/2013 18:48:40]

########## EOF - C:\AdwCleaner[S4].txt - [2153 octets] ##########

*****THIS IS THE ROGUEKILLER TXT*****

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : newjohndoe [Admin rights]
Mode : Remove -- Date : 04/28/2013 19:02:59
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] diskediag.exe -- C:\WINDOWS\diskediag.exe [-] -> KILLED [TermProc]
[SUSP PATH] stidraw32.exe -- C:\WINDOWS\stidraw32.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : MemoryMangerExi (C:\WINDOWS\diskediag.exe) [-] -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\5613 (C:\Documents and Settings\newjohndoe\Local Settings\Temp\5613.sys) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\5613 (C:\Documents and Settings\newjohndoe\Local Settings\Temp\5613.sys) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] atapi.sys @ 0xF72E3852)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000528AS +++++
--- User ---
[MBR] aa291ed75f5e158f3149d4d066f0d384
[BSP] 08131a3dc49e771a00a481a554d2c356 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 20002 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 99998 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 245762370 | Size: 300002 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04282013_02d1902.txt >>
RKreport[1]_S_04282013_02d1902.txt ; RKreport[2]_D_04282013_02d1902.txt
Staff gringo_pr Posted April 29, 2013 Staff ID:674719
Hello ShawnSchirmer

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
In your next post I need the following:
Log from Combofix
Let me know of any problems you may have had
How is the computer doing now?

Gringo
ShawnSchirmer Posted April 29, 2013 Author ID:674835
Sad to say, ComboFix won't complete its run. When, as instructed, I download ComboFix, after some useful looking activity I get an Error message, "You cannot rename ComboFix as ComboFix[1] Please use another name, preferably made up of alphanumeric characters." When I click OK, everything vanishes. There is no form of ComboFix anywhere except Prefetch. I deleted everything related to ComboFix, downloaded again (I tried from each of the three sites and got the same result each time).

I also get this message box, but I don't know whether it relates to ComboFix. It reads, "RUNDLL An exception occurred while trying to run "Shell32.dll,Control_RunDLL wscui.cpi"

My computer is behaving much better, though. Everything that was wrong, that I described in my initial post, is gone in the testing I've done in IE and in Chrome. However, a minor problem, which I didn't note what with all the major ones, persists: When I type www.google.com into my browser, or try to execute any sort of Google search, I get a 403 Forbidden page.

Also, I wondered about the redirects I was getting last night, and saw references in my search for answers to a file called C:\WINDOWS\system32\drivers\etc\hosts. Some sites referred to a localhost and associated number, but said file also includes

For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
--
Is it possible those examples are what was causing the redirects, and should I be alert for that kind of thing in the future? Thanks very much.
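The hosts-file question just above (and the HOSTS File section of the RogueKiller report earlier in the thread) is something a defender can check mechanically rather than by eye. The script below is an added example and is not code from the thread, from RogueKiller or from any other tool named here. It parses a hosts file the way the resolver does, so anything after a `#` is a comment and never resolves (which is why the rhino.acme.com and x.acme.com lines Windows ships are harmless), keeps the two stock localhost mappings, and reports only active entries that either blackhole a name to a loopback/unspecified address or pin a watched domain to a fixed address. `SAMPLE_HOSTS`, the `WATCHED_SUFFIXES` list and the two hijack lines (203.0.113.10 is a documentation address) are constructed for the demonstration; on a real XP box you would read `C:\WINDOWS\system32\drivers\etc\hosts` instead.

```python
"""Audit a hosts file for entries that redirect or blackhole public names.

Added example, not code from the forum thread or any tool it names.
SAMPLE_HOSTS is constructed: it mirrors the stock Windows comment lines and
the two localhost mappings quoted in the thread, plus two hijack lines added
for the demonstration (203.0.113.10 is a documentation address).
"""
import ipaddress

SAMPLE_HOSTS = """\
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
# constructed hijack lines for the example (not from the thread)
203.0.113.10    www.google.com google.com
0.0.0.0         update.malwarebytes.org
"""

# Names a redirecting infection commonly targets: search engines and AV/update
# servers. Assumed watchlist for the example; extend it for your environment.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com", "malwarebytes.org", "avg.com",
)

# The only mappings a stock Windows hosts file actually activates.
STOCK_MAPPINGS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname, lineno) for every active mapping.

    Everything after '#' is a comment, so the sample lines Windows ships
    (rhino.acme.com, x.acme.com) never resolve and are dropped here.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts           # one address may carry several names
        for name in names:
            entries.append((ip, name.lower(), lineno))
    return entries


def audit_hosts(text):
    """Return [(lineno, hostname, ip, reason)] for mappings worth a look."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if (ip, name) in STOCK_MAPPINGS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "name blackholed to loopback/unspecified address"
        elif any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            reason = "watched domain pinned to a fixed address"
        else:
            continue                 # ad-block style entries etc. are left alone
        findings.append((lineno, name, ip, reason))
    return findings


if __name__ == "__main__":
    for lineno, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}  ({reason})")
```

Run against the constructed sample it reports the two google.com names on line 9 and the blackholed update host on line 10, and nothing for the comment lines or the localhost pair. A hosts file that is clean by this check does not rule out a redirect: the same symptom can come from a changed DNS server (compare the `TCP: DhcpNameServer` line ComboFix prints) or from a browser add-on, which is why the tools in this thread look at all three.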
Staff gringo_pr Posted April 29, 2013 Staff ID:674839
Hello

Are you using Firefox or IE to download? It sounds like you are using Firefox and you are not saving it to the desktop.
Try using IE and save it to the desktop please.

Gringo
ShawnSchirmer Posted April 29, 2013 Author ID:674859
Entirely my error. I did use IE, but from habit clicked "Run" instead of "Save". Small wonder it wasn't working as expected. Since ComboFix seemed to run as intended I did a little surfing and none of the problems have appeared. The only thing recurring is the Forbidden 403 page I get in my Chrome browser when I type www.google.com in my Address bar or otherwise try to perform a Google search. When I try to access Google in IE, I get the similar "The website declined to show this webpage."

Is there any way to restore my Googling abilities?

*****HERE IS THE COMBOFIX LOG*****

ComboFix 13-04-28.01 - newjohndoe 04/29/2013 6:44.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2949 [GMT -4:00]
Running from: c:\documents and settings\newjohndoe\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\969c7c5584517810.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d5204683d96cdf5a.fb
c:\windows\system32\Cache\d5e28ee91f446e71.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\dd3bee8933d96101.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\ed21d79c06a91f27.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\ijl11.dll
c:\windows\system32\Memman.vxd
c:\windows\system32\SET466.tmp
c:\windows\system32\SET46B.tmp
c:\windows\system32\skinboxer43.dll
c:\windows\XSxS
P:\install.exe
p:\temp internet files mved 42013 from c\Temporary Internet Files\ab_392.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-03-28 to 2013-04-29 )))))))))))))))))))))))))))))))
.
.
2013-04-29 06:32 . 2013-04-29 06:32 562154 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2013-04-28 02:38 . 2013-04-28 02:38 143688 ---ha-w- c:\windows\system32\drivers\6FC03202.sys
2013-04-26 21:53 . 2013-04-26 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2013-04-26 02:00 . 2013-04-26 02:00 -------- d-----w- c:\program files\MSXML 4.0
2013-04-24 21:03 . 2013-04-24 21:03 -------- d-----w- C:\Sony_SoundOrganizer_2F70A8C8665241a6ABC5BCF09F756BC3
2013-04-22 06:47 . 2013-04-22 06:47 -------- d-----w- c:\documents and settings\newjohndoe\Application Data\JAM Software
2013-04-19 12:52 . 2012-06-02 19:18 275696 ---ha-w- c:\windows\system32\mucltui.dll
2013-04-19 12:52 . 2012-06-02 19:18 214256 ---ha-w- c:\windows\system32\muweb.dll
2013-04-19 12:45 . 2013-04-19 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2013-04-19 10:25 . 2013-04-19 10:25 -------- d-----w- c:\program files\Microsoft Silverlight
2013-04-19 07:55 . 2013-04-28 09:00 -------- d-----w- c:\documents and settings\newjohndoe\Local Settings\Application Data\Google
2013-04-19 06:59 . 2013-04-24 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2013-04-19 06:44 . 2013-04-19 06:44 -------- d-----w- c:\documents and settings\newjohndoe\Application Data\Nuance
2013-04-19 06:21 . 2013-04-19 06:21 -------- d-----w- c:\documents and settings\newjohndoe\Application Data\FLEXnet
2013-04-19 06:19 . 2013-04-19 06:19 -------- d-----w- c:\program files\Common Files\IVA
2013-04-19 06:18 . 2013-04-19 06:19 -------- d-----w- c:\program files\Common Files\Nuance
2013-04-19 06:16 . 2013-04-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2013-04-19 06:16 . 2013-04-19 06:20 -------- d-----w- c:\windows\Speech
2013-04-19 06:16 . 2013-04-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2013-04-19 04:06 . 2013-04-19 04:06 -------- d-----w- C:\$AVG
2013-04-19 03:43 . 2013-04-19 03:43 -------- d--h--w- c:\documents and settings\newjohndoe\Local Settings\Application Data\PCHealth
2013-04-19 03:16 . 2013-04-19 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2013-04-19 02:42 . 2013-04-19 02:42 -------- d-----w- c:\program files\Microsoft.NET
2013-04-01 06:20 . 2013-04-01 06:20 409600 ---ha-w- c:\windows\system32\wrap_oal.dll
2013-04-01 06:20 . 2013-04-01 06:20 114688 ---ha-w- c:\windows\system32\OpenAL32.dll
2013-04-01 06:20 . 2013-04-01 06:20 -------- d-----w- c:\program files\OpenAL
2013-04-01 06:04 . 2013-04-01 06:30 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2013-04-01 06:04 . 2013-04-01 06:30 -------- d-----w- C:\AI_RecycleBin
2013-04-01 06:04 . 2013-04-01 06:30 -------- d--h--w- c:\documents and settings\newjohndoe\Application Data\Strongvault
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-11 17:56 . 2011-03-06 07:28 71192 ---ha-w- c:\windows\system32\atimpc32.dll
2013-04-11 17:56 . 2011-03-06 07:28 71192 ---ha-w- c:\windows\system32\amdpcom32.dll
2013-04-11 17:54 . 2011-03-06 07:28 6850048 ---ha-w- c:\windows\system32\drivers\ati2mtag.sys
2013-04-11 17:45 . 2011-03-06 07:28 442368 ---ha-w- c:\windows\system32\ATIDEMGX.dll
2013-04-11 17:44 . 2011-03-06 07:28 306176 ---ha-w- c:\windows\system32\ati2dvag.dll
2013-04-11 17:22 . 2011-03-06 07:28 212992 ---ha-w- c:\windows\system32\atipdlxx.dll
2013-04-11 17:22 . 2011-03-06 07:28 163840 ---ha-w- c:\windows\system32\Oemdspif.dll
2013-04-11 17:22 . 2011-03-06 07:28 26112 ---ha-w- c:\windows\system32\Ati2mdxx.exe
2013-04-11 17:22 . 2011-03-06 07:28 43520 ---ha-w- c:\windows\system32\ati2edxx.dll
2013-04-11 17:22 . 2011-03-06 07:28 192512 ---ha-w- c:\windows\system32\ati2evxx.dll
2013-04-11 17:20 . 2011-03-06 07:28 643072 ---ha-w- c:\windows\system32\ati2evxx.exe
2013-04-11 17:19 . 2011-03-06 07:28 53248 ---ha-w- c:\windows\system32\ATIDDC.DLL
2013-04-11 17:05 . 2011-03-06 07:28 4844064 ---ha-w- c:\windows\system32\ati3duag.dll
2013-04-11 16:49 . 2011-03-06 07:28 18964480 ---ha-w- c:\windows\system32\atioglxx.dll
2013-04-11 16:43 . 2011-03-06 07:28 2380672 ---ha-w- c:\windows\system32\ativvaxx.dll
2013-04-11 16:43 . 2011-03-06 07:28 307200 ---ha-w- c:\windows\system32\atiiiexx.dll
2013-04-11 16:27 . 2011-03-06 07:28 163840 ---ha-w- c:\windows\system32\atiapfxx.exe
2013-04-11 16:23 . 2011-03-06 07:28 929792 ---ha-w- c:\windows\system32\atikvmag.dll
2013-04-11 16:18 . 2011-03-06 07:28 245760 ---ha-w- c:\windows\system32\atiadlxx.dll
2013-04-11 16:18 . 2011-03-06 07:28 17408 ---ha-w- c:\windows\system32\atitvo32.dll
2013-04-11 16:17 . 2011-03-06 07:28 53248 ---ha-w- c:\windows\system32\drivers\ati2erec.dll
2013-04-11 16:15 . 2011-03-06 07:28 495616 ---ha-w- c:\windows\system32\atiok3x2.dll
2013-04-11 16:13 . 2011-03-06 07:28 663552 ---ha-w- c:\windows\system32\ati2cqag.dll
2013-04-04 18:50 . 2011-03-07 07:58 22856 ---ha-w- c:\windows\system32\drivers\mbam.sys
2013-03-08 15:13 . 2012-04-13 02:10 691568 -c-ha-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 15:13 . 2011-08-15 01:08 71024 -c-ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 08:36 . 2004-08-04 12:00 293376 ---ha-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2004-08-04 12:00 2149888 ---ha-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2028544 ---ha-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 03:12 . 2013-02-13 05:18 33112 ---ha-w- c:\windows\system32\drivers\avgtpx86.sys
2013-03-02 01:25 . 2004-08-04 12:00 1867264 ---ha-w- c:\windows\system32\win32k.sys
2013-02-27 07:56 . 2011-03-05 10:50 2067456 ---ha-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-13 18:56 12928 ---h--w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-04 12:00 12928 ---ha-w- c:\windows\system32\drivers\usb8023.sys
2010-03-25 15:02 . 2011-03-13 23:57 3782272 ----a-w- c:\program files\AiSuite.exe
2010-01-10 02:55 . 2011-03-13 23:57 811648 -c--a-w- c:\program files\RegSchdTask.exe
2009-12-29 01:19 . 2011-03-13 23:57 461440 ----a-w- c:\program files\CpuLevelUpHook64.exe
2009-12-29 01:19 . 2011-03-13 23:57 326272 ----a-w- c:\program files\CpuLevelUpHook32.exe
2009-12-29 01:19 . 2011-03-13 23:57 589440 -c--a-w- c:\program files\CpuLevelUpHookLaunch.exe
2009-12-29 01:19 . 2011-03-13 23:57 887936 ----a-w- c:\program files\CpuLevelUpHelp.exe
2009-06-29 20:25 . 2011-03-13 23:57 69632 ----a-w- c:\program files\AsAcpi.dll
2009-01-23 00:44 . 2011-03-13 23:57 876 -c--a-w- c:\program files\asus.reg
2009-01-23 00:44 . 2011-03-13 23:57 292 -c--a-w- c:\program files\epu.reg
2008-01-28 16:58 . 2011-03-13 23:57 57344 ----a-w- c:\program files\AsInsHelp.dll
2007-10-11 18:51 . 2011-03-13 23:57 53248 -c--a-w- c:\program files\HookKey32.dll
2007-10-11 18:50 . 2011-03-13 23:57 48128 -c--a-w- c:\program files\HookKey64.dll
2007-08-08 14:48 . 2011-03-13 23:57 69632 -c--a-w- c:\program files\HookKey.dll
2005-09-09 21:31 . 2011-03-13 23:57 40960 ----a-w- c:\program files\AsUninsHlp.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{D5974A72-C81C-4DC3-BE77-A8A7BBC8864E}]
2012-10-13 13:00 431784 ----a-w- p:\program files\DownloadAccelPlus\LinkVerifier.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2011-06-04 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-08-11 40983152]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-10-19 36864]
"TurboV Help"="c:\program files\ASUS\TurboV EVO\TurboVHelp.exe" [2010-07-07 1089664]
"TurboV EVO"="c:\program files\ASUS\TurboV EVO\TurboV_EVO.exe" [2010-07-07 9936000]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2009-11-27 7274496]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-08-01 2345592]
"QFan Help"="c:\program files\QFan3\QFanHelp.exe" [2010-03-25 611968]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"QuickTime Task"="p:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"DNS7reminder"="p:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2010-10-27 328992]
"StartCCC"="p:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-04-11 98304]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
WinZip Quick Pick.lnk - p:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
2010-03-24 21:26 243544 ----a-w- c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"p:\\Program Files\\Mass Effect 2 Demo\\Binaries\\MassEffect2.exe"=
"p:\\Program Files\\Mass Effect 2 Demo\\MassEffect2Launcher.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\batman arkham asylum - demo\\Binaries\\ShippingPC-BmGame.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\Company of Heroes SP Demo\\RelicCOH.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\the walking dead\\WalkingDead101.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51001:TCP"= 51001:TCP:Dragon Smart Phone Server
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [8/6/2010 4:53 AM 257064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 255968]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2/13/2013 1:18 AM 33112]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 2:16 PM 223464]
R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [6/4/2011 10:12 AM 296808]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [7/17/2009 4:25 PM 319488]
R2 MBAMScheduler;MBAMScheduler;e:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/12/2012 4:38 PM 418376]
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/14/2011 3:51 PM 701512]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/7/2011 3:58 AM 22856]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [4/26/2010 9:27 PM 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [4/26/2010 9:28 PM 146568]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/5/2011 7:05 AM 2127728]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [3/5/2011 7:09 AM 109056]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 4:02 PM 7391072]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 4:38 PM 167264]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [3/14/2011 4:31 AM 11264]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;p:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [11/19/2010 1:18 PM 157024]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ixquick.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download with &DAP - p:\program files\DownloadAccelPlus\dapextie.htm
IE: &Verify with DAP - p:\program files\DownloadAccelPlus\dapverify.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - p:\program files\DownloadAccelPlus\dapextie2.htm
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\newjohndoe\Application Data\Mozilla\Firefox\Profiles\p5n82ypw.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
HKLM-Run-BCU - c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe
AddRemove-Google Chrome - c:\documents and settings\newjohndoe\Local Settings\Application Data\Google\Chrome\Application\26.0.1410.64\Installer\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-29 06:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2013-04-29 06:52:27
ComboFix-quarantined-files.txt 2013-04-29 10:52
.
Pre-Run: 1,192,620,032 bytes free
Post-Run: 1,556,254,720 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 27D65BCF78D97BED67B1FF9FFE5C47BA

*************************************************************************

Gringo, if you have time (I don't know if extraneous questions are welcome in this context),

1. I notice that since I bought Malwarebytes PRO yesterday, there's now a large file, of roughly 100MB, under "Processes" in "Windows Task Manager" (whereas before buying the license, it only appeared when I was actively running Malwarebytes). Does that mean Malwarebytes is now always running in the background?
2. Assuming things are reasonably well healed, can I simply repeat the steps you've been kind enough to advise me to try in the future, when I catch malware or adware AVG or Malwarebytes can't get rid of?
3. Can you refer me to a book or website that will enable me to learn more about fixing computers when this kind of thing happens?

Thank you,
Shawn
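The RogueKiller report earlier in the thread tagged two items with [SUSP PATH] and [ROGUE ST]: a Run value pointing at an executable dropped straight into C:\WINDOWS, and a service whose driver lived in the user's Local Settings\Temp folder under a purely numeric name. ComboFix's "Reg Loading Points" section in the log above lists the remaining Run values in REGEDIT4 style. The script below is an added example, not code from RogueKiller, ComboFix or the thread; RogueKiller's real rules are not on the page, so the three path heuristics here (binary directly in %WINDIR%, binary under a temp folder, numeric file name) are a simplified, assumed stand-in. It parses a constructed excerpt of the ComboFix Run block, appends the two entries RogueKiller removed, and reports the ones that trip a rule. `WINDIR_ALLOW` is an assumed allowlist of stock XP binaries that legitimately sit in the Windows directory.

```python
"""Triage autorun entries by where their target binary lives.

Added example, not code from RogueKiller, ComboFix or the forum thread. The
path heuristic is an assumed, simplified stand-in for the kind of check
behind RogueKiller's [SUSP PATH] tag. Sample input is a constructed excerpt of
the ComboFix "Reg Loading Points" lines plus the two entries RogueKiller
removed, all as quoted in the thread.
"""
import ntpath
import re

# Constructed excerpt in ComboFix's REGEDIT4-style format (paths from the thread).
SAMPLE_RUN_BLOCK = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-10-19 36864]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-08-01 2345592]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
'''

# Entries RogueKiller reported (value or service name, target path), from the thread.
ROGUEKILLER_ENTRIES = [
    ("MemoryMangerExi", r"C:\WINDOWS\diskediag.exe"),
    ("5613", r"C:\Documents and Settings\newjohndoe\Local Settings\Temp\5613.sys"),
]

# Matches lines shaped like "Name"="c:\path\file.exe" [date size]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')

WINDIR = r"c:\windows"
# Stock XP binaries that legitimately sit directly in %WINDIR% (assumed
# allowlist for the example; build yours from a known-clean reference system).
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse_run_block(text):
    """Return (name, path) for every REGEDIT4-style Run value in the text."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("path")))
    return entries


def classify(path):
    """Return the reasons an autorun target path looks suspicious ([] if none)."""
    p = path.lower().replace("/", "\\")      # Windows paths are case-insensitive
    parent, base = ntpath.split(p)
    reasons = []
    if parent == WINDIR and base not in WINDIR_ALLOW:
        reasons.append("binary sits directly in the Windows directory")
    if any(marker in p for marker in TEMP_MARKERS):
        reasons.append("binary runs from a temporary folder")
    if ntpath.splitext(base)[0].isdigit():
        reasons.append("purely numeric file name")
    return reasons


def triage(entries):
    """Return [(name, path, reasons)] for entries that trip at least one rule."""
    flagged = []
    for name, path in entries:
        reasons = classify(path)
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


if __name__ == "__main__":
    all_entries = parse_run_block(SAMPLE_RUN_BLOCK) + ROGUEKILLER_ENTRIES
    for name, path, reasons in triage(all_entries):
        print(f"{name}: {path}\n    " + "; ".join(reasons))
```

On the sample this flags exactly the two entries RogueKiller deleted and leaves the vendor entries under Program Files, a Windows subfolder and system32 alone. Location is only a prior, not a verdict: a flagged path still needs the file's publisher, hash and age checked, and the same heuristic will miss a dropper that copies itself under Program Files, which is why the thread's tools also look at process memory, drivers and the MBR.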
Staff gringo_pr Posted April 29, 2013 Staff ID:674863
Hello

1. If you bought Malwarebytes PRO then it is always running but not actively scanning.
2. This is not a good idea - the programs that we use are not supported in the commercial sense, meaning if something goes wrong you will find it harder to get support.
3. They have a school here to learn about removing malware - but you will find a lot of great information in the forums, you just need to weed it out a little and start following some of the techs - you will learn who the real good ones are.

First I would like you to go here and click on the Fixit button - http://support.microsoft.com/kb/923737

Then I want you to do the following:
Start Internet Explorer.
Click on "Safety"
Click on "Delete Browsing History"
Make sure all boxes are checked
Click on "Delete"
Click on "Tools",
Click "Internet Options".
On the "Advanced" tab, click "Reset"
Put a check mark next to "Delete Personal Settings"
Click "Reset" to confirm
When complete click the "Close" button
Restart IE

Gringo
ShawnSchirmer Posted May 1, 2013 Author ID:675485
Pardon my confusion but as I read your directions, it says go to the linked website, THEN open IE. What browser should I open the linked page in prior to opening IE? Also, fwiw, when I open IE there's no 'Safety' button I'm aware of. Some sites consider that synonymous with InPrivate Browsing, but some don't.

Also, at what point do I run or save the Microsoft Fixit program that appears when I click on the Fixit button in the linked page?
Staff gringo_pr Posted May 1, 2013 Staff ID:675488
Pardon my confusion but as I read your directions, it says go to the linked website, THEN open IE.
- You can go to the Fixit page in any browser you want to; when you get there click on the button and follow the prompts and run what it asks you.

What browser should I open the linked page in prior to opening IE?
- Use whichever one you want; if IE happens to be the one you use then you do not have to open another one.

Also, fwiw, when I open IE there's no 'Safety' button I'm aware of. Some sites consider that synonymous with InPrivate Browsing, but some don't.
- In the same area where it has the InPrivate Browsing you will also see the Delete Browsing History.

gringo
ShawnSchirmer Posted May 1, 2013 Author ID:675493
Done, and it seemed to go well. When I re-opened IE it announced it had upgraded itself.

Shawn
Staff gringo_pr Posted May 1, 2013 Staff ID:675494
Hello ShawnSchirmer

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\documents and settings\newjohndoe\Application Data\Strongvault

DDS::
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

Save it to your desktop as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
In your next post I need the following:
Report from Combofix
Let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo
ShawnSchirmer Posted May 1, 2013 Author ID:675495
I should have mentioned that when I try to search with Google I still get a page that says "Forbidden 403" at the top of the page, followed immediately by a horizontal line going across the entire page, then the letters "nginx". Otherwise my computer is running smoothly.
ShawnSchirmer Posted May 1, 2013 Author ID:675496
Didn't realize you were aware and here, Gringo. I will execute the instructions in your most recent post now.
Staff gringo_pr Posted May 1, 2013 ID:675497
also let me know what browser has the problem
gringo
ShawnSchirmer Posted May 1, 2013 Author ID:675498
I dragged CFScript.txt into ComboFix.exe, but as soon as they overlapped, the "Run" or "Save" window for ComboFix appeared. I had no way of knowing if it accepted CFScript.txt. I did go ahead and run ComboFix. Here is the log.
I still cannot access Google.com from either Chrome or IE. Everything else seems fine.
ComboFix 13-04-29.01 - newjohndoe 05/01/2013 4:59.2.4 - x86
ShawnSchirmer Posted May 1, 2013 Author ID:675499 Share Posted May 1, 2013 <p>Sorry, Gringo. My post was truncated for some reason. Below is the ComboFix log. I still can't access www.google.com from IE or Chrome. Everything else seems fine. </p><p> </p><p> </p><div>ComboFix 13-04-29.01 - newjohndoe 05/01/2013 4:59.2.4 - x86</div><div>Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.1378 [GMT -4:00]</div><div>Running from: c:\documents and settings\newjohndoe\Desktop\ComboFix.exe</div><div>Command switches used :: c:\documents and settings\newjohndoe\Desktop\CFScript.txt</div><div>AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}</div><div>.</div><div>.</div><div>((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))</div><div>.</div><div>.</div><div>c:\documents and settings\newjohndoe\Application Data\Strongvault</div><div>.</div><div>.</div><div>((((((((((((((((((((((((( Files Created from 2013-04-01 to 2013-05-01 )))))))))))))))))))))))))))))))</div><div>.</div><div>.</div><div>2013-04-28 02:38 . 2013-04-28 02:38<span class="Apple-tab-span" style="white-space:pre"> </span>143688<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\6FC03202.sys</div><div>2013-04-26 21:53 . 2013-04-26 21:53<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\All Users\Application Data\ATI</div><div>2013-04-26 02:00 . 2013-04-26 02:00<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\MSXML 4.0</div><div>2013-04-24 21:03 . 
2013-04-24 21:03<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>C:\Sony_SoundOrganizer_2F70A8C8665241a6ABC5BCF09F756BC3</div><div>2013-04-22 06:47 . 2013-04-22 06:47<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\newjohndoe\Application Data\JAM Software</div><div>2013-04-19 12:52 . 2012-06-02 19:18<span class="Apple-tab-span" style="white-space:pre"> </span>275696<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\mucltui.dll</div><div>2013-04-19 12:52 . 2012-06-02 19:18<span class="Apple-tab-span" style="white-space:pre"> </span>214256<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\muweb.dll</div><div>2013-04-19 12:45 . 2013-04-19 12:45<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\All Users\Application Data\MFAData</div><div>2013-04-19 10:25 . 2013-04-19 10:25<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\Microsoft Silverlight</div><div>2013-04-19 07:55 . 
2013-04-28 09:00<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\newjohndoe\Local Settings\Application Data\Google</div><div>2013-04-19 06:59 . 2013-04-24 21:08<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\All Users\Application Data\Sony Corporation</div><div>2013-04-19 06:44 . 2013-04-19 06:44<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\newjohndoe\Application Data\Nuance</div><div>2013-04-19 06:21 . 2013-04-19 06:21<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\newjohndoe\Application Data\FLEXnet</div><div>2013-04-19 06:19 . 2013-04-19 06:19<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\Common Files\IVA</div><div>2013-04-19 06:18 . 2013-04-19 06:19<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\Common Files\Nuance</div><div>2013-04-19 06:16 . 
2013-04-19 06:16<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\All Users\Application Data\FLEXnet</div><div>2013-04-19 06:16 . 2013-04-19 06:20<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\Speech</div><div>2013-04-19 06:16 . 2013-04-19 06:16<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\All Users\Application Data\Nuance</div><div>2013-04-19 04:06 . 2013-04-19 04:06<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>C:\$AVG</div><div>2013-04-19 03:43 . 2013-04-19 03:43<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\newjohndoe\Local Settings\Application Data\PCHealth</div><div>2013-04-19 03:16 . 2013-04-19 12:45<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\documents and settings\All Users\Application Data\AVG10</div><div>2013-04-19 02:42 . 
2013-04-19 02:42<span class="Apple-tab-span" style="white-space:pre"> </span>--------<span class="Apple-tab-span" style="white-space:pre"> </span>d-----w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\Microsoft.NET</div><div>.</div><div>.</div><div>.</div><div>(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))</div><div>.</div><div>2013-04-11 17:56 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>71192<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atimpc32.dll</div><div>2013-04-11 17:56 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>71192<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\amdpcom32.dll</div><div>2013-04-11 17:54 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>6850048<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\ati2mtag.sys</div><div>2013-04-11 17:45 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>442368<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ATIDEMGX.dll</div><div>2013-04-11 17:44 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>306176<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ati2dvag.dll</div><div>2013-04-11 17:22 . 
2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>212992<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atipdlxx.dll</div><div>2013-04-11 17:22 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>163840<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\Oemdspif.dll</div><div>2013-04-11 17:22 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>26112<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\Ati2mdxx.exe</div><div>2013-04-11 17:22 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>43520<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ati2edxx.dll</div><div>2013-04-11 17:22 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>192512<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ati2evxx.dll</div><div>2013-04-11 17:20 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>643072<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ati2evxx.exe</div><div>2013-04-11 17:19 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>53248<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ATIDDC.DLL</div><div>2013-04-11 17:05 . 
2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>4844064<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ati3duag.dll</div><div>2013-04-11 16:49 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>18964480<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atioglxx.dll</div><div>2013-04-11 16:43 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>2380672<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ativvaxx.dll</div><div>2013-04-11 16:43 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>307200<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atiiiexx.dll</div><div>2013-04-11 16:27 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>163840<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atiapfxx.exe</div><div>2013-04-11 16:23 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>929792<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atikvmag.dll</div><div>2013-04-11 16:18 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>245760<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atiadlxx.dll</div><div>2013-04-11 16:18 . 
2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>17408<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atitvo32.dll</div><div>2013-04-11 16:17 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>53248<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\ati2erec.dll</div><div>2013-04-11 16:15 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>495616<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\atiok3x2.dll</div><div>2013-04-11 16:13 . 2011-03-06 07:28<span class="Apple-tab-span" style="white-space:pre"> </span>663552<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ati2cqag.dll</div><div>2013-04-04 18:50 . 2011-03-07 07:58<span class="Apple-tab-span" style="white-space:pre"> </span>22856<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\mbam.sys</div><div>2013-04-01 06:20 . 2013-04-01 06:20<span class="Apple-tab-span" style="white-space:pre"> </span>409600<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\wrap_oal.dll</div><div>2013-04-01 06:20 . 2013-04-01 06:20<span class="Apple-tab-span" style="white-space:pre"> </span>114688<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\OpenAL32.dll</div><div>2013-03-08 15:13 . 
2012-04-13 02:10<span class="Apple-tab-span" style="white-space:pre"> </span>691568<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\FlashPlayerApp.exe</div><div>2013-03-08 15:13 . 2011-08-15 01:08<span class="Apple-tab-span" style="white-space:pre"> </span>71024<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\FlashPlayerCPLApp.cpl</div><div>2013-03-08 08:36 . 2004-08-04 12:00<span class="Apple-tab-span" style="white-space:pre"> </span>293376<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\winsrv.dll</div><div>2013-03-07 01:32 . 2004-08-04 12:00<span class="Apple-tab-span" style="white-space:pre"> </span>2149888<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ntoskrnl.exe</div><div>2013-03-07 00:50 . 2004-08-03 22:59<span class="Apple-tab-span" style="white-space:pre"> </span>2028544<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\ntkrnlpa.exe</div><div>2013-03-02 03:12 . 2013-02-13 05:18<span class="Apple-tab-span" style="white-space:pre"> </span>33112<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\avgtpx86.sys</div><div>2013-03-02 01:25 . 2004-08-04 12:00<span class="Apple-tab-span" style="white-space:pre"> </span>1867264<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\win32k.sys</div><div>2013-02-27 07:56 . 
2011-03-05 10:50<span class="Apple-tab-span" style="white-space:pre"> </span>2067456<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\mstscax.dll</div><div>2013-02-12 00:32 . 2008-04-13 18:56<span class="Apple-tab-span" style="white-space:pre"> </span>12928<span class="Apple-tab-span" style="white-space:pre"> </span>------w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\usb8023x.sys</div><div>2013-02-12 00:32 . 2004-08-04 12:00<span class="Apple-tab-span" style="white-space:pre"> </span>12928<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\windows\system32\drivers\usb8023.sys</div><div>2010-03-25 15:02 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>3782272<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\AiSuite.exe</div><div>2010-01-10 02:55 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>811648<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\RegSchdTask.exe</div><div>2009-12-29 01:19 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>461440<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\CpuLevelUpHook64.exe</div><div>2009-12-29 01:19 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>326272<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\CpuLevelUpHook32.exe</div><div>2009-12-29 01:19 . 
2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>589440<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\CpuLevelUpHookLaunch.exe</div><div>2009-12-29 01:19 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>887936<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\CpuLevelUpHelp.exe</div><div>2009-06-29 20:25 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>69632<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\AsAcpi.dll</div><div>2009-01-23 00:44 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>876<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\asus.reg</div><div>2009-01-23 00:44 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>292<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\epu.reg</div><div>2008-01-28 16:58 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>57344<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\AsInsHelp.dll</div><div>2007-10-11 18:51 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>53248<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\HookKey32.dll</div><div>2007-10-11 18:50 . 
2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>48128<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\HookKey64.dll</div><div>2007-08-08 14:48 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>69632<span class="Apple-tab-span" style="white-space:pre"> </span>-c--a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\HookKey.dll</div><div>2005-09-09 21:31 . 2011-03-13 23:57<span class="Apple-tab-span" style="white-space:pre"> </span>40960<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\AsUninsHlp.dll</div><div>.</div><div>.</div><div>((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))</div><div>.</div><div>.</div><div>*Note* empty entries & legit default entries are not shown </div><div>REGEDIT4</div><div>.</div><div>[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</div><div>"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2011-06-04 222496]</div><div>.</div><div>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</div><div>"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-08-11 40983152]</div><div>"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-10-19 36864]</div><div>"TurboV Help"="c:\program files\ASUS\TurboV EVO\TurboVHelp.exe" [2010-07-07 1089664]</div><div>"TurboV EVO"="c:\program files\ASUS\TurboV EVO\TurboV_EVO.exe" [2010-07-07 9936000]</div><div>"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2009-11-27 7274496]</div><div>"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-08-01 2345592]</div><div>"QFan Help"="c:\program files\QFan3\QFanHelp.exe" [2010-03-25 611968]</div><div>"WorksFUD"="c:\program 
files\Microsoft Works\wkfud.exe" [2001-10-06 24576]</div><div>"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]</div><div>"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]</div><div>"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]</div><div>"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]</div><div>"QuickTime Task"="p:\program files\QuickTime\qttask.exe" [2010-11-29 421888]</div><div>"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]</div><div>"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]</div><div>"DNS7reminder"="p:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2010-10-27 328992]</div><div>"StartCCC"="p:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-04-11 98304]</div><div>"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [bU]</div><div>.</div><div>c:\documents and settings\All Users\Start Menu\Programs\Startup\</div><div>Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]</div><div>WinZip Quick Pick.lnk - p:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]</div><div>.</div><div>[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]</div><div>BootExecute<span class="Apple-tab-span" style="white-space:pre"> </span>REG_MULTI_SZ <span class="Apple-tab-span" style="white-space:pre"> </span>autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart</div><div>.</div><div>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]</div><div>@="Driver"</div><div>.</div><div>[HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\Bing Bar]</div><div>2010-03-24 21:26<span class="Apple-tab-span" style="white-space:pre"> </span>243544<span class="Apple-tab-span" style="white-space:pre"> </span>----a-w-<span class="Apple-tab-span" style="white-space:pre"> </span>c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe</div><div>.</div><div>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]</div><div>"AdobeFlashPlayerUpdateSvc"=3 (0x3)</div><div>.</div><div>[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]</div><div>"%windir%\\system32\\sessmgr.exe"=</div><div>"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=</div><div>"%windir%\\Network Diagnostic\\xpnetdiag.exe"=</div><div>"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=</div><div>"p:\\Program Files\\Mass Effect 2 Demo\\Binaries\\MassEffect2.exe"=</div><div>"p:\\Program Files\\Mass Effect 2 Demo\\MassEffect2Launcher.exe"=</div><div>"c:\\WINDOWS\\system32\\msiexec.exe"=</div><div>"e:\\Program Files\\Steam\\SteamApps\\common\\batman arkham asylum - demo\\Binaries\\ShippingPC-BmGame.exe"=</div><div>"e:\\Program Files\\Steam\\SteamApps\\common\\Company of Heroes SP Demo\\RelicCOH.exe"=</div><div>"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=</div><div>"e:\\Program Files\\Steam\\SteamApps\\common\\the walking dead\\WalkingDead101.exe"=</div><div>"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=</div><div>"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=</div><div>"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=</div><div>"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=</div><div>.</div><div>[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]</div><div>"51001:TCP"= 51001:TCP:Dragon Smart Phone Server</div><div>.</div><div>R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]</div><div>R0 Avgrkx86;AVG Anti-Rootkit 
Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [8/6/2010 4:53 AM 257064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 255968]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2/13/2013 1:18 AM 33112]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [6/4/2011 10:12 AM 296808]
R2 MBAMScheduler;MBAMScheduler;e:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/12/2012 4:38 PM 418376]
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/14/2011 3:51 PM 701512]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/7/2011 3:58 AM 22856]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [4/26/2010 9:27 PM 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [4/26/2010 9:28 PM 146568]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/5/2011 7:05 AM 2127728]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [3/5/2011 7:09 AM 109056]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 4:02 PM 7391072]
S2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 2:16 PM 223464]
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [7/17/2009 4:25 PM 319488]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 4:38 PM 167264]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [3/14/2011 4:31 AM 11264]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;p:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [11/19/2010 1:18 PM 157024]
.
.
------- Supplementary Scan -------
.
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\newjohndoe\Application Data\Mozilla\Firefox\Profiles\p5n82ypw.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-01 05:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(8128)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-05-01 05:03:53
ComboFix-quarantined-files.txt 2013-05-01 09:03
ComboFix2.txt 2013-04-29 10:52
.
Pre-Run: 1,392,050,176 bytes free
Post-Run: 1,393,979,392 bytes free
.
- - End Of File - - 64E01921395094C97B40E53E3A009A88
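Added example (not code from this thread, ComboFix or Malwarebytes): a Python parser for the service/driver lines in the log above, followed by a triage pass that shortlists boot- or system-start drivers loading from outside system32\drivers, images outside Windows or Program Files, and files written shortly before the scan. Three sample lines copy entries from the log and one is constructed; the trusted-directory list, the 14-day window and the scan date taken from the catchme header are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the layout of the log above: "<R|S><start> name;display;image [m/d/yyyy h:mm AM/PM size]".
# The first three lines copy the log; the fourth is invented so the checks below have something to flag.
SAMPLE_LOG = """\
R1 Avgldx86;AVG AVI Loader Driver;c:\\windows\\system32\\drivers\\avgldx86.sys [12/8/2010 5:12 AM 255968]
R2 MBAMService;MBAMService;e:\\program files\\Malwarebytes' Anti-Malware\\mbamservice.exe [3/14/2011 3:51 PM 701512]
S3 ICDUSB3;ICDUSB3;c:\\windows\\system32\\drivers\\ICDUSB3.sys [3/14/2011 4:31 AM 11264]
R0 sampledrv;sampledrv;c:\\documents and settings\\user\\local settings\\temp\\sampledrv.sys [4/27/2013 2:10 AM 9216]
"""
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);[^;]*;(?P<image>.+) "
                     r"\[(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (?P<size>\d+)\]$")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"          # assumed location for kernel drivers on this XP box
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")   # assumption: anything else deserves a look

@dataclass
class ServiceEntry:
    running: bool    # R = running, S = stopped
    start: int       # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    image: str       # lower-cased image path
    stamp: datetime  # file timestamp ComboFix printed in brackets

def parse_services(text: str) -> list[ServiceEntry]:
    """Parse the service/driver block; lines in any other layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["state"] == "R", int(m["start"]), m["name"], m["image"].lower(),
                                        datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M %p")))
    return entries

def triage(entries: list[ServiceEntry], scan_date: datetime, recent_days: int = 14) -> dict[str, list[str]]:
    """Shortlist entries worth a second look, keyed by service name (a hit is a lead, not a verdict)."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if e.start <= 1 and not e.image.startswith(DRIVER_DIR):
            reasons.append("boot/system-start driver outside system32\\drivers")
        if not e.image.startswith(TRUSTED_DIRS):   # the MBAM install on e:\ in the log trips this legitimately
            reasons.append("image outside Windows/Program Files")
        if 0 <= (scan_date - e.stamp).days <= recent_days:
            reasons.append(f"image written within {recent_days} days of the scan")
        if reasons:
            findings[e.name] = reasons
    return findings
```

Because the Malwarebytes install on e:\ is flagged alongside the constructed temp-directory driver, the output is a list of leads to verify (vendor, signer, hash) rather than a verdict.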
ShawnSchirmer Posted May 1, 2013 Author ID:675500
I do not know why code is appearing along with the ComboFix Log text. It does not appear in the log itself.
ShawnSchirmer Posted May 1, 2013 Author ID:675501
Okay--I just opened my Firefox browser, something I very rarely use. It gets to www.google.com just fine, and searches work fine too.
ShawnSchirmer Posted May 1, 2013 Author ID:675502
I just opened my Opera browser for the first time in months and also got the Forbidden 403 window, though everything else about Opera seemed okay.
Staff gringo_pr Posted May 1, 2013 ID:675518
Hello ShawnSchirmer
First I would like you to go here and click on the fixit button - http://support.microsoft.com/kb/923737
Then I want you to do the following:
Start Internet Explorer.
Click on "safety".
Click on "Delete Browsing History".
Make sure all boxes are checked.
Click on "Delete".
Click on "Tools", click "Internet Options".
On the "Advanced" tab, click "Reset".
Put a check mark next to "Delete Personal Settings".
Click "Reset" to confirm.
When complete click the "Close" button.
Restart IE.
Gringo
ShawnSchirmer Posted May 1, 2013 Author ID:675538
Uh-oh. Even though my browser issues seem resolved with the exception of not being able to use Google in three browsers, I'm now having unprecedented problems opening .wps files. I just permanently lost an 8MB file detailing a building I'm designing. Works wasn't opening it (I've never had that problem before) so I tried opening it in Wordpad just to see if that worked, and my 8MB file turned into a 4KB file. Only a recent backup saved most of forty hours work. Other essential Word files are now impossible to open. I don't know if any of the programs we ran contributed to or caused this. Is there any way to pinpoint the source of the problem without destroying data?
Thanks,
Shawn
ShawnSchirmer Posted May 1, 2013 Author ID:675540
I refreshed several times in the last two hours but your latest post did not appear until after I posted number 22. I see you posted number 21 over two hours ago, but it only just now appeared. In light of my previous post, 22, shall I go ahead and execute the instructions in your post 21, or is there something else I should do?
ShawnSchirmer Posted May 1, 2013 Author ID:675556
Okay, I went ahead and followed the instructions in your post 21. After restarting IE, it still will not allow searches using Google. I cannot search with Google in Chrome, either. Everything else seems to be running smoothly.
Staff gringo_pr Posted May 1, 2013 ID:675590
Hello ShawnSchirmer
We need to reset Chrome back to defaults to completely clear out what is going on.
We can keep the bookmarks by exporting them - Export Bookmarks
Then I need you to go to Google Sync and sign into your account.
Scroll down until you see the "Stop and Clear" button and click on the button.
At the prompt click on "Ok".
Now we need to uninstall Chrome. I want you to uninstall Chrome and if asked about user data or settings then remove this also.
Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
After you have Chrome reinstalled please check things out and let me know how it is doing.
Gringo