
FBI Virus...Need Assistance...



Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

In the command window:
  • Type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.


It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

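The FRST.txt this procedure produces is plain text, so its autorun and file sections can be triaged programmatically. The Python script below is an added example (not FRST's code and not part of this thread): its sample input is an excerpt of the log posted in the reply below, and it flags the persistence patterns a responder checks first: lines FRST marks ATTENTION, a Winlogon Shell that is not explorer.exe, a cmd.exe AutoRun hook, autoruns launched from user-writable directories, and same-size files dropped into several locations in the same minute. The regexes are written against the line formats visible in this thread's log and are an assumption for other FRST versions.

```python
"""Triage an FRST.txt log for persistence entries that merit a closer look (added example).

Covers the two sections posted in this thread: the "Registry (Whitelisted)" autorun
lines and the "One Month Created Files and Folders" lines.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: an excerpt of the FRST log posted later in this thread (not a full log).
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11785832 2011-03-10] (Realtek Semiconductor)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKU\Lily\...\Run: [skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20684656 2013-07-25] (Skype Technologies S.A.)
HKU\Lily\...\Run: [O1zy81jua.exe] - C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe [123256 2013-09-05] (Microsoft Corporation)
HKU\Lily\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10u_ActiveX.exe [243360 2011-08-18] (Adobe Systems, Inc.)
HKU\Lily\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Lily\...\Command Processor: "C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe" <===== ATTENTION!
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\Lily\AppData\Roaming\hFLtNviPF
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\Lily\AppData\Local\h9txidqc
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\ProgramData\RW7S8MJO
2013-09-13 11:25 - 2013-08-09 19:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-13 11:25 - 2013-08-09 19:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-05 11:22 - 2013-09-18 11:09 - 00000000 ____D C:\Users\Lily\AppData\Local\APtC8QSj
"""

# FRST appends "<==== ATTENTION" (sometimes with more "=" and a "!") to lines it flags itself.
ATTENTION_RE = re.compile(r"\s*<=+\s*ATTENTION!?\s*$")
# "<hive>\...\<Run|RunOnce|Winlogon|Command Processor>: [<name>] - <value>"; name and " - " are optional.
AUTORUN_RE = re.compile(
    r"^(?P<key>HK(?:LM|U)[^:]*?\\(?P<kind>Run|RunOnce|Winlogon|Command Processor)):\s*"
    r"(?:\[(?P<name>[^\]]*)\]\s*-?\s*)?(?P<value>.*)$"
)
# "<created> - <modified> - <size> <attrs> [(publisher)] <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r" - (?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?:\([^)]*\)\s*)?(?P<path>[A-Za-z]:\\.+)$"
)
# First drive-letter path in an autorun value, with optional surrounding quotes.
IMAGE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\[]+?\.(?:exe|dll|scr))"?', re.IGNORECASE)
# Locations any standard user can write to; legitimate products rarely autorun from here.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE
)


def triage_autoruns(text):
    """Return (key, value, reason) for registry autorun lines that merit review."""
    findings = []
    for raw in text.splitlines():
        m = AUTORUN_RE.match(raw.strip())
        if not m:
            continue
        value = ATTENTION_RE.sub("", m.group("value"))
        kind, name = m.group("kind"), (m.group("name") or "").lower()
        image = IMAGE_RE.match(value)
        reasons = []
        if ATTENTION_RE.search(raw):
            reasons.append("marked ATTENTION by FRST")
        # The two ATTENTION lines in this thread chain together: Shell = cmd.exe, and the
        # Command Processor AutoRun value then starts the payload whenever cmd.exe starts.
        if kind == "Winlogon" and name == "shell" and not value.lower().startswith("explorer.exe"):
            reasons.append("Winlogon Shell is not explorer.exe")
        if kind == "Command Processor":
            reasons.append("AutoRun hook runs on every cmd.exe start")
        # The trailing "(Company)" string is no basis for trust: the flagged entry reads
        # "(Microsoft Corporation)", so location is the better first signal.
        if image and USER_WRITABLE.search(image.group("path")):
            reasons.append("image lives in a user-writable directory")
        if reasons:
            findings.append((m.group("key"), value, "; ".join(reasons)))
    return findings


def same_size_drops(text, min_locations=3):
    """Group files by (creation minute, size) and return groups that were written to at
    least `min_locations` distinct directories, the 183296-byte pattern in this log."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = FILE_RE.match(raw.strip())
        if not m or "D" in m.group("attrs") or int(m.group("size")) == 0:
            continue  # skip directories and empty files
        groups[(m.group("created"), int(m.group("size")))].append(m.group("path"))
    return {
        key: paths
        for key, paths in groups.items()
        if len({str(PureWindowsPath(p).parent).lower() for p in paths}) >= min_locations
    }


def main():
    for key, value, reason in triage_autoruns(SAMPLE_LOG):
        print(f"[autorun] {key}: {value}\n          -> {reason}")
    for (created, size), paths in same_size_drops(SAMPLE_LOG).items():
        print(f"[drops] {len(paths)} files of {size} bytes created {created}:")
        for path in paths:
            print("         ", path)


if __name__ == "__main__":
    main()
```

Pairs such as mshtml.tlb in System32 and SysWOW64 stay below the three-location threshold, so routine Windows updates do not trip the drop check.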

Thanks very much for your help...here is the scan log...


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-09-2013 03
Ran by SYSTEM on MININT-J8HTKPU on 18-09-2013 11:48:06
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11785832 2011-03-10] (Realtek Semiconductor)
HKLM\...\Run: [Power Management] - C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [1831016 2011-08-02] (Acer Incorporated)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [lxdfmon.exe] - C:\Program Files (x86)\Lexmark 6500 Series\lxdfmon.exe [455600 2007-06-11] ()
HKLM\...\Run: [lxdfamon] - C:\Program Files (x86)\Lexmark 6500 Series\lxdfamon.exe [20480 2007-06-01] ()
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2589992 2011-04-05] (ELAN Microelectronics Corp.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [sDTray] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [87336 2010-02-02] (CyberLink Corp.)
HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1103440 2011-06-30] (Dritek System Inc.)
HKLM-x32\...\Run: [Lexmark 6500 Series] - C:\Program Files (x86)\Lexmark 6500 Series\fm3032.exe [308144 2007-06-11] ()
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [backupManagerTray] - C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe [290112 2011-03-09] (NTI Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKU\Default\...\RunOnce: [scrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [scrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [154144 2010-07-29] ()
HKU\Fun\...\RunOnce: [scrSav] - C:\Program Files (x86)\Gateway\Screensaver\run_Gateway.exe [154144 2010-07-29] ()
HKU\Fun\...\Policies\system: [LogonHoursAction] 2
HKU\Fun\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Guest Account\...\Policies\system: [LogonHoursAction] 2
HKU\Guest Account\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Lily\...\Run: [skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20684656 2013-07-25] (Skype Technologies S.A.)
HKU\Lily\...\Run: [O1zy81jua.exe] - C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe [123256 2013-09-05] (Microsoft Corporation)
HKU\Lily\...\Run: [spybot-S&D Cleaning] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [3642312 2013-05-16] (Safer-Networking Ltd.)
HKU\Lily\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10u_ActiveX.exe [243360 2011-08-18] (Adobe Systems, Inc.)
HKU\Lily\...\Policies\system: [LogonHoursAction] 2
HKU\Lily\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Lily\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Lily\...\Command Processor: "C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe" <===== ATTENTION!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Guest Account\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Lily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Services (Whitelisted) =================
 
S2 DefaultTabUpdate; C:\Users\Lily\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-07-25] ()
S2 lxdfCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxdfserv.exe [33712 2007-05-28] (Lexmark International, Inc.)
S2 lxdf_device; C:\Windows\system32\lxdfcoms.exe [1053104 2007-05-28] ( )
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [257344 2011-03-09] (NTI Corporation)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
 
==================== Drivers (Whitelisted) ====================
 
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-18 11:47 - 2013-09-18 11:47 - 00000000 ____D C:\FRST
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\Lily\AppData\Roaming\hFLtNviPF
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\Lily\AppData\Local\h9txidqc
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\ProgramData\RW7S8MJO
2013-09-17 12:28 - 2013-09-18 11:09 - 00000000 ____D C:\users\Fun
2013-09-17 12:28 - 2013-09-17 12:28 - 00000000 ____D C:\Users\Fun\AppData\Local\VirtualStore
2013-09-17 12:28 - 2012-08-26 10:12 - 00000000 ____D C:\Users\Fun\AppData\Local\Microsoft Help
2013-09-17 11:32 - 2013-09-17 11:32 - 00183296 _____ C:\Users\Lily\AppData\Roaming\4vX7znEub4f
2013-09-17 11:32 - 2013-09-17 11:32 - 00183296 _____ C:\Users\Lily\AppData\Local\XEHZrne4S
2013-09-17 11:32 - 2013-09-17 11:32 - 00183296 _____ C:\ProgramData\58Rd0RCT
2013-09-17 11:17 - 2013-09-17 11:17 - 00183296 _____ C:\Users\Lily\AppData\Roaming\oHXXE2vitV
2013-09-17 11:17 - 2013-09-17 11:17 - 00183296 _____ C:\Users\Lily\AppData\Local\5QZKzNh64N
2013-09-17 11:17 - 2013-09-17 11:17 - 00183296 _____ C:\ProgramData\eiHt3SbtEil
2013-09-13 16:50 - 2013-09-13 16:50 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-13 16:03 - 2013-09-18 11:08 - 00000000 ____D C:\Users\Guest Account\AppData\Roaming\Skype
2013-09-13 16:02 - 2013-09-13 16:02 - 01492848 _____ (Skype Technologies S.A.) C:\Users\Guest Account\Downloads\SkypeSetup.exe
2013-09-13 11:25 - 2013-08-09 21:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-09-13 11:25 - 2013-08-09 21:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-09-13 11:25 - 2013-08-09 21:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-09-13 11:25 - 2013-08-09 21:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-09-13 11:25 - 2013-08-09 21:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-09-13 11:25 - 2013-08-09 21:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-09-13 11:25 - 2013-08-09 21:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-09-13 11:25 - 2013-08-09 19:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-13 11:25 - 2013-08-09 19:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-13 11:25 - 2013-08-09 19:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-09-13 11:25 - 2013-08-09 19:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-13 11:25 - 2013-08-09 19:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-13 11:25 - 2013-08-09 18:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-13 11:25 - 2013-08-09 18:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-09-13 11:24 - 2013-08-09 19:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-12 16:06 - 2013-08-07 17:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-09-12 16:06 - 2013-08-04 18:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ataport.sys
2013-09-12 16:06 - 2013-08-01 18:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-09-12 16:06 - 2013-08-01 18:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-09-12 16:06 - 2013-08-01 18:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-09-12 16:06 - 2013-08-01 18:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-09-12 16:06 - 2013-08-01 18:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-09-12 16:06 - 2013-08-01 18:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-09-12 16:06 - 2013-08-01 18:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-09-12 16:06 - 2013-08-01 18:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-09-12 16:06 - 2013-08-01 18:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\System32\apisetschema.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 18:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-09-12 16:06 - 2013-08-01 17:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-09-12 16:06 - 2013-08-01 17:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-09-12 16:06 - 2013-08-01 17:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-09-12 16:06 - 2013-08-01 17:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-09-12 16:06 - 2013-08-01 17:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 17:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-09-12 16:06 - 2013-08-01 16:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-09-12 16:06 - 2013-08-01 16:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-09-12 16:06 - 2013-08-01 16:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-09-12 16:06 - 2013-08-01 16:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-09-12 16:06 - 2013-08-01 16:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-09-12 16:06 - 2013-08-01 16:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 16:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 16:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-09-12 16:06 - 2013-08-01 16:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-09-12 16:06 - 2013-07-25 18:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-09-12 16:06 - 2013-07-25 18:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-09-12 16:06 - 2013-07-25 17:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-09-12 16:06 - 2013-07-25 17:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-09-12 13:24 - 2013-09-12 13:24 - 00183296 _____ C:\Users\Lily\AppData\Roaming\tgrpLYMp
2013-09-12 13:24 - 2013-09-12 13:24 - 00183296 _____ C:\Users\Lily\AppData\Local\lje0cnuiz
2013-09-12 13:24 - 2013-09-12 13:24 - 00183296 _____ C:\ProgramData\28BAxRijF7
2013-09-06 05:27 - 2013-09-06 05:27 - 00183296 _____ C:\Users\Lily\AppData\Roaming\JzTaO0P22L
2013-09-06 05:27 - 2013-09-06 05:27 - 00183296 _____ C:\Users\Lily\AppData\Local\NTlPI07Y
2013-09-06 05:27 - 2013-09-06 05:27 - 00183296 _____ C:\ProgramData\raDu2xeEaov
2013-09-06 04:29 - 2013-09-06 04:29 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-09-06 04:09 - 2013-09-06 05:23 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-09-06 04:08 - 2013-09-06 04:28 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-09-06 04:08 - 2013-09-06 04:08 - 00001386 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-09-06 04:08 - 2013-09-06 04:08 - 00000656 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-09-06 04:08 - 2013-09-06 04:08 - 00000628 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-09-06 04:08 - 2013-09-06 04:08 - 00000458 _____ C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-09-06 04:08 - 2009-01-25 09:14 - 00017272 _____ (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
2013-09-06 04:07 - 2013-09-06 04:07 - 37672592 _____ (Safer-Networking Ltd.                                       ) C:\Users\Guest Account\Downloads\spybotsd-2.1.21-SR2.exe
2013-09-06 04:04 - 2013-09-06 04:04 - 05709144 _____ (Systweak Inc                                                ) C:\Users\Guest Account\Downloads\rcpsetup_dcomnew_sec_728_dcomnew_sec_728.exe
2013-09-06 04:03 - 2013-09-06 04:03 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Guest Account\Downloads\mbam-setup-1.75.0.1300 (2).exe
2013-09-06 04:02 - 2013-09-06 04:02 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Guest Account\Downloads\mbam-setup-1.75.0.1300 (1).exe
2013-09-06 04:00 - 2013-09-06 04:00 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Guest Account\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-06 03:44 - 2013-09-06 03:44 - 00183296 _____ C:\Users\Lily\AppData\Roaming\76nCTjzgX
2013-09-06 03:44 - 2013-09-06 03:44 - 00183296 _____ C:\Users\Lily\AppData\Local\V8pCKgTWGmL
2013-09-06 03:44 - 2013-09-06 03:44 - 00183296 _____ C:\ProgramData\r6wgwT9OdGG
2013-09-06 03:42 - 2013-09-06 04:21 - 00000000 ____D C:\Windows\pss
2013-09-05 12:44 - 2013-09-05 12:44 - 00183296 _____ C:\Users\Lily\AppData\Roaming\NA3w6m8odOg
2013-09-05 12:44 - 2013-09-05 12:44 - 00183296 _____ C:\Users\Lily\AppData\Local\ZdAKxfzkSq0
2013-09-05 12:44 - 2013-09-05 12:44 - 00183296 _____ C:\ProgramData\b03asjaz
2013-09-05 11:35 - 2013-09-05 11:35 - 00183296 _____ C:\Users\Lily\AppData\Roaming\zRuchjFoqUz
2013-09-05 11:35 - 2013-09-05 11:35 - 00183296 _____ C:\Users\Lily\AppData\Local\tpRgZvnlAaZ
2013-09-05 11:35 - 2013-09-05 11:35 - 00183296 _____ C:\ProgramData\KKaU3tzDwH4
2013-09-05 11:25 - 2013-09-05 11:25 - 00183296 _____ C:\Users\Lily\AppData\Roaming\r7yFJMgN7Is
2013-09-05 11:25 - 2013-09-05 11:25 - 00183296 _____ C:\Users\Lily\AppData\Local\rUMkaOuQQb
2013-09-05 11:25 - 2013-09-05 11:25 - 00183296 _____ C:\ProgramData\UoEr4cVES5
2013-09-05 11:22 - 2013-09-18 11:09 - 00000000 ____D C:\Users\Lily\AppData\Local\APtC8QSj
2013-09-05 11:22 - 2013-09-05 11:22 - 00183296 _____ C:\Users\Lily\AppData\Roaming\DFFkfriYhv
2013-09-05 11:22 - 2013-09-05 11:22 - 00183296 _____ C:\Users\Lily\AppData\Local\rMlHOkD7UF
2013-09-05 11:22 - 2013-09-05 11:22 - 00183296 _____ C:\ProgramData\2mFE7uo7i8n
2013-09-04 17:39 - 2013-09-04 17:39 - 00000000 ____D C:\Users\Lily\AppData\Local\iLivid
2013-09-04 17:39 - 2013-09-04 17:39 - 00000000 ____D C:\ProgramData\Datamngr
2013-09-04 17:38 - 2013-09-04 17:39 - 01624064 _____ (Bandoo Media Inc) C:\Users\Lily\Downloads\iLividSetup-r559-n-bc.exe
2013-09-02 16:53 - 2013-09-02 16:53 - 13831831 _____ C:\Users\Lily\Downloads\CHM 131 Exam 1 PowerPoint Slides 4th Ed. New.pptx
2013-08-24 10:46 - 2013-08-24 10:46 - 00003584 _____ C:\Users\Lily\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-08-24 10:23 - 2013-08-24 10:48 - 04936704 _____ C:\Users\Lily\Downloads\Guess_Louie-v2.ppt
2013-08-24 10:22 - 2013-08-24 10:22 - 02497024 _____ C:\Users\Lily\Downloads\Align-the-Starsv3.ppt
2013-08-24 10:19 - 2013-08-24 10:19 - 04560896 _____ C:\Users\Lily\Downloads\sunken-Treasure-v2.ppt
2013-08-24 10:19 - 2013-08-24 10:19 - 02562560 _____ C:\Users\Lily\Downloads\BigWheel-Elementary-v2.ppt
2013-08-24 10:17 - 2013-08-24 10:17 - 00998400 _____ C:\Users\Lily\Downloads\-mnt-target02-343621-541328-www.makemegenius.com-web-content-uploads-education-Fruits_for_Kids.ppt
2013-08-23 08:23 - 2013-08-23 08:25 - 00020563 _____ C:\Users\Guest Account\Downloads\Simpson Mat 151-01 Proj 1A.xlsx
2013-08-20 17:24 - 2013-08-20 17:26 - 00020758 _____ C:\Users\Lily\Desktop\Simpson Mat 151-01 Proj 1A.xlsx
2013-08-19 18:58 - 2013-08-19 18:58 - 00000000 ____D C:\Users\Lily\AppData\Local\Adobe
 
==================== One Month Modified Files and Folders =======
 
2013-09-18 11:47 - 2013-09-18 11:47 - 00000000 ____D C:\FRST
2013-09-18 11:09 - 2013-09-17 12:28 - 00000000 ____D C:\users\Fun
2013-09-18 11:09 - 2013-09-05 11:22 - 00000000 ____D C:\Users\Lily\AppData\Local\APtC8QSj
2013-09-18 11:09 - 2012-10-03 14:10 - 00000000 ____D C:\users\Guest Account
2013-09-18 11:09 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-09-18 11:08 - 2013-09-13 16:03 - 00000000 ____D C:\Users\Guest Account\AppData\Roaming\Skype
2013-09-18 11:08 - 2011-08-18 07:34 - 00000000 ____D C:\ProgramData\Adobe
2013-09-18 07:24 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-18 07:24 - 2009-07-13 20:51 - 00064293 _____ C:\Windows\setupact.log
2013-09-18 07:17 - 2012-12-18 16:50 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-18 07:17 - 2012-12-18 16:50 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\Lily\AppData\Roaming\hFLtNviPF
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\Lily\AppData\Local\h9txidqc
2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\ProgramData\RW7S8MJO
2013-09-18 07:12 - 2012-07-31 17:14 - 00000000 ____D C:\users\Lily
2013-09-17 12:28 - 2013-09-17 12:28 - 00000000 ____D C:\Users\Fun\AppData\Local\VirtualStore
2013-09-17 11:32 - 2013-09-17 11:32 - 00183296 _____ C:\Users\Lily\AppData\Roaming\4vX7znEub4f
2013-09-17 11:32 - 2013-09-17 11:32 - 00183296 _____ C:\Users\Lily\AppData\Local\XEHZrne4S
2013-09-17 11:32 - 2013-09-17 11:32 - 00183296 _____ C:\ProgramData\58Rd0RCT
2013-09-17 11:25 - 2012-12-18 16:45 - 00000000 ____D C:\Users\Guest Account\AppData\Roaming\Apple Computer
2013-09-17 11:17 - 2013-09-17 11:17 - 00183296 _____ C:\Users\Lily\AppData\Roaming\oHXXE2vitV
2013-09-17 11:17 - 2013-09-17 11:17 - 00183296 _____ C:\Users\Lily\AppData\Local\5QZKzNh64N
2013-09-17 11:17 - 2013-09-17 11:17 - 00183296 _____ C:\ProgramData\eiHt3SbtEil
2013-09-15 07:23 - 2013-07-25 13:26 - 00000282 _____ C:\Windows\Tasks\DSite.job
2013-09-15 07:23 - 2012-03-27 03:06 - 01147321 _____ C:\Windows\WindowsUpdate.log
2013-09-14 20:41 - 2013-03-22 12:17 - 00000404 ____H C:\Windows\Tasks\Norton Security Scan for Lily.job
2013-09-13 16:50 - 2013-09-13 16:50 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-13 16:03 - 2013-03-26 15:06 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-09-13 16:03 - 2013-03-26 15:06 - 00000000 ____D C:\ProgramData\Skype
2013-09-13 16:02 - 2013-09-13 16:02 - 01492848 _____ (Skype Technologies S.A.) C:\Users\Guest Account\Downloads\SkypeSetup.exe
2013-09-13 15:53 - 2013-05-28 09:23 - 00000000 ____D C:\Users\Guest Account\AppData\Roaming\CyberLink
2013-09-13 11:52 - 2009-07-13 20:45 - 00016976 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-13 11:52 - 2009-07-13 20:45 - 00016976 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-13 11:45 - 2013-02-18 08:59 - 00000000 ___RD C:\Users\Guest Account\Dropbox
2013-09-13 11:45 - 2013-02-18 08:56 - 00000000 ____D C:\Users\Guest Account\AppData\Roaming\Dropbox
2013-09-13 11:44 - 2009-07-13 20:45 - 00430056 _____ C:\Windows\System32\FNTCACHE.DAT
2013-09-13 11:43 - 2010-11-20 19:47 - 00538304 _____ C:\Windows\PFRO.log
2013-09-13 11:24 - 2012-08-23 14:30 - 00744030 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-09-13 11:24 - 2012-08-23 14:30 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2013-09-13 11:21 - 2013-08-16 11:29 - 00000000 ____D C:\Windows\System32\MRT
2013-09-13 11:21 - 2013-03-13 18:47 - 79143768 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-09-13 11:21 - 2012-08-25 17:14 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-12 13:29 - 2012-08-25 17:09 - 00000000 ____D C:\ProgramData\Lx_cats
2013-09-12 13:25 - 2012-10-03 14:10 - 00001248 __RSH C:\Users\Guest Account\ntuser.pol
2013-09-12 13:24 - 2013-09-12 13:24 - 00183296 _____ C:\Users\Lily\AppData\Roaming\tgrpLYMp
2013-09-12 13:24 - 2013-09-12 13:24 - 00183296 _____ C:\Users\Lily\AppData\Local\lje0cnuiz
2013-09-12 13:24 - 2013-09-12 13:24 - 00183296 _____ C:\ProgramData\28BAxRijF7
2013-09-12 13:24 - 2013-07-25 13:26 - 00000000 ____D C:\Program Files (x86)\DefaultTab
2013-09-12 13:24 - 2012-07-31 17:38 - 00000632 __RSH C:\Users\Lily\ntuser.pol
2013-09-06 05:27 - 2013-09-06 05:27 - 00183296 _____ C:\Users\Lily\AppData\Roaming\JzTaO0P22L
2013-09-06 05:27 - 2013-09-06 05:27 - 00183296 _____ C:\Users\Lily\AppData\Local\NTlPI07Y
2013-09-06 05:27 - 2013-09-06 05:27 - 00183296 _____ C:\ProgramData\raDu2xeEaov
2013-09-06 05:24 - 2013-03-26 14:30 - 00010286 _____ C:\Windows\wininit.ini
2013-09-06 05:23 - 2013-09-06 04:09 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-09-06 04:29 - 2013-09-06 04:29 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-09-06 04:28 - 2013-09-06 04:08 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-09-06 04:21 - 2013-09-06 03:42 - 00000000 ____D C:\Windows\pss
2013-09-06 04:08 - 2013-09-06 04:08 - 00001386 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2013-09-06 04:08 - 2013-09-06 04:08 - 00000656 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-09-06 04:08 - 2013-09-06 04:08 - 00000628 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-09-06 04:08 - 2013-09-06 04:08 - 00000458 _____ C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-09-06 04:07 - 2013-09-06 04:07 - 37672592 _____ (Safer-Networking Ltd.                                       ) C:\Users\Guest Account\Downloads\spybotsd-2.1.21-SR2.exe
2013-09-06 04:04 - 2013-09-06 04:04 - 05709144 _____ (Systweak Inc                                                ) C:\Users\Guest Account\Downloads\rcpsetup_dcomnew_sec_728_dcomnew_sec_728.exe
2013-09-06 04:03 - 2013-09-06 04:03 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Guest Account\Downloads\mbam-setup-1.75.0.1300 (2).exe
2013-09-06 04:02 - 2013-09-06 04:02 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Guest Account\Downloads\mbam-setup-1.75.0.1300 (1).exe
2013-09-06 04:00 - 2013-09-06 04:00 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Guest Account\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-06 03:44 - 2013-09-06 03:44 - 00183296 _____ C:\Users\Lily\AppData\Roaming\76nCTjzgX
2013-09-06 03:44 - 2013-09-06 03:44 - 00183296 _____ C:\Users\Lily\AppData\Local\V8pCKgTWGmL
2013-09-06 03:44 - 2013-09-06 03:44 - 00183296 _____ C:\ProgramData\r6wgwT9OdGG
2013-09-06 03:41 - 2009-07-13 21:13 - 00727310 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-05 12:44 - 2013-09-05 12:44 - 00183296 _____ C:\Users\Lily\AppData\Roaming\NA3w6m8odOg
2013-09-05 12:44 - 2013-09-05 12:44 - 00183296 _____ C:\Users\Lily\AppData\Local\ZdAKxfzkSq0
2013-09-05 12:44 - 2013-09-05 12:44 - 00183296 _____ C:\ProgramData\b03asjaz
2013-09-05 11:35 - 2013-09-05 11:35 - 00183296 _____ C:\Users\Lily\AppData\Roaming\zRuchjFoqUz
2013-09-05 11:35 - 2013-09-05 11:35 - 00183296 _____ C:\Users\Lily\AppData\Local\tpRgZvnlAaZ
2013-09-05 11:35 - 2013-09-05 11:35 - 00183296 _____ C:\ProgramData\KKaU3tzDwH4
2013-09-05 11:25 - 2013-09-05 11:25 - 00183296 _____ C:\Users\Lily\AppData\Roaming\r7yFJMgN7Is
2013-09-05 11:25 - 2013-09-05 11:25 - 00183296 _____ C:\Users\Lily\AppData\Local\rUMkaOuQQb
2013-09-05 11:25 - 2013-09-05 11:25 - 00183296 _____ C:\ProgramData\UoEr4cVES5
2013-09-05 11:24 - 2009-07-13 21:08 - 00032600 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-05 11:22 - 2013-09-05 11:22 - 00183296 _____ C:\Users\Lily\AppData\Roaming\DFFkfriYhv
2013-09-05 11:22 - 2013-09-05 11:22 - 00183296 _____ C:\Users\Lily\AppData\Local\rMlHOkD7UF
2013-09-05 11:22 - 2013-09-05 11:22 - 00183296 _____ C:\ProgramData\2mFE7uo7i8n
2013-09-05 11:12 - 2013-03-26 15:06 - 00000000 ____D C:\Users\Lily\AppData\Roaming\Skype
2013-09-05 11:12 - 2013-01-23 14:16 - 00000000 ___RD C:\Users\Lily\Dropbox
2013-09-05 11:12 - 2013-01-23 14:14 - 00000000 ____D C:\Users\Lily\AppData\Roaming\Dropbox
2013-09-04 17:39 - 2013-09-04 17:39 - 00000000 ____D C:\Users\Lily\AppData\Local\iLivid
2013-09-04 17:39 - 2013-09-04 17:39 - 00000000 ____D C:\ProgramData\Datamngr
2013-09-04 17:39 - 2013-09-04 17:38 - 01624064 _____ (Bandoo Media Inc) C:\Users\Lily\Downloads\iLividSetup-r559-n-bc.exe
2013-09-04 11:22 - 2013-07-27 08:15 - 00000076 _____ C:\Users\Lily\AppData\Roaming\WB.CFG
2013-09-04 11:22 - 2013-07-25 14:26 - 00000005 _____ C:\Users\Lily\AppData\Roaming\WBPU-TTL.DAT
2013-09-04 06:29 - 2012-08-25 17:10 - 00000000 ____D C:\Users\Lily\AppData\Local\CrashDumps
2013-09-02 16:53 - 2013-09-02 16:53 - 13831831 _____ C:\Users\Lily\Downloads\CHM 131 Exam 1 PowerPoint Slides 4th Ed. New.pptx
2013-08-27 12:25 - 2013-03-16 17:33 - 00000000 ____D C:\Users\Guest Account\AppData\Local\CrashDumps
2013-08-26 14:18 - 2013-07-25 13:26 - 00000000 ____D C:\Windows\SysWOW64\Extensions
2013-08-24 10:48 - 2013-08-24 10:23 - 04936704 _____ C:\Users\Lily\Downloads\Guess_Louie-v2.ppt
2013-08-24 10:46 - 2013-08-24 10:46 - 00003584 _____ C:\Users\Lily\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-08-24 10:22 - 2013-08-24 10:22 - 02497024 _____ C:\Users\Lily\Downloads\Align-the-Starsv3.ppt
2013-08-24 10:19 - 2013-08-24 10:19 - 04560896 _____ C:\Users\Lily\Downloads\sunken-Treasure-v2.ppt
2013-08-24 10:19 - 2013-08-24 10:19 - 02562560 _____ C:\Users\Lily\Downloads\BigWheel-Elementary-v2.ppt
2013-08-24 10:17 - 2013-08-24 10:17 - 00998400 _____ C:\Users\Lily\Downloads\-mnt-target02-343621-541328-www.makemegenius.com-web-content-uploads-education-Fruits_for_Kids.ppt
2013-08-23 08:25 - 2013-08-23 08:23 - 00020563 _____ C:\Users\Guest Account\Downloads\Simpson Mat 151-01 Proj 1A.xlsx
2013-08-21 16:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-08-20 17:26 - 2013-08-20 17:24 - 00020758 _____ C:\Users\Lily\Desktop\Simpson Mat 151-01 Proj 1A.xlsx
2013-08-19 18:58 - 2013-08-19 18:58 - 00000000 ____D C:\Users\Lily\AppData\Local\Adobe
2013-08-19 18:58 - 2012-07-31 17:45 - 00000000 ____D C:\Users\Lily\AppData\Roaming\Adobe
 
Files to move or delete:
====================
C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe
 
 
Some content of TEMP:
====================
C:\Users\Lily\AppData\Local\Temp\AutoRun.exe
C:\Users\Lily\AppData\Local\Temp\AutoRunGUI.dll
C:\Users\Lily\AppData\Local\Temp\COMAP.EXE
C:\Users\Lily\AppData\Local\Temp\contentDATs.exe
C:\Users\Lily\AppData\Local\Temp\drm_dialogs.dll
C:\Users\Lily\AppData\Local\Temp\drm_dyndata_7360010.dll
C:\Users\Lily\AppData\Local\Temp\mssinstaller.exe
C:\Users\Lily\AppData\Local\Temp\rjfxsyuexolehqbfqxu.dll
C:\Users\Lily\AppData\Local\Temp\rjfxsyuexolehqbfqxu.exe
C:\Users\Lily\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Lily\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Lily\AppData\Local\Temp\uninst1.exe
C:\Users\Lily\AppData\Local\Temp\VP6Install.exe
C:\Users\Lily\AppData\Local\Temp\VP6VFW.dll
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
8
Restore point made on: 2013-08-23 08:20:24
Restore point made on: 2013-08-24 12:55:14
Restore point made on: 2013-08-27 17:32:40
Restore point made on: 2013-08-31 16:12:18
Restore point made on: 2013-09-04 17:13:07
Restore point made on: 2013-09-12 16:11:59
Restore point made on: 2013-09-13 11:14:35
Restore point made on: 2013-09-15 07:23:42
 
==================== Memory info =========================== 
 
Percentage of memory in use: 16%
Total physical RAM: 3947.86 MB
Available physical RAM: 3298.46 MB
Total Pagefile: 3946.06 MB
Available Pagefile: 3287.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
 
==================== Drives ================================
 
Drive c: (Gateway) (Fixed) (Total:284.99 GB) (Free:218.98 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:13 GB) (Free:3.41 GB) NTFS
Drive g: () (Removable) (Total:7.45 GB) (Free:7.29 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: E2A7882E)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 6F20736B)
No partition Table on disk 1.
Disk 1 is a removable device.
 
 
LastRegBack: 2013-09-14 20:43
 
==================== End Of Log ============================

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt

    HKU\Lily\...\Run: [O1zy81jua.exe] - C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe [123256 2013-09-05] (Microsoft Corporation)
    HKU\Lily\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
    HKU\Lily\...\Command Processor: "C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe" <===== ATTENTION!
    Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    S2 DefaultTabUpdate; C:\Users\Lily\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-07-25] ()
    C:\Users\Lily\AppData\Roaming\DefaultTab
    C:\Users\Lily\AppData\Roaming\hFLtNviPF
    C:\Users\Lily\AppData\Local\h9txidqc
    C:\ProgramData\RW7S8MJO
    C:\Users\Lily\AppData\Roaming\4vX7znEub4f
    C:\Users\Lily\AppData\Local\XEHZrne4S
    C:\ProgramData\58Rd0RCT
    C:\Users\Lily\AppData\Roaming\oHXXE2vitV
    C:\Users\Lily\AppData\Local\5QZKzNh64N
    C:\ProgramData\eiHt3SbtEil
    C:\Users\Lily\AppData\Roaming\tgrpLYMp
    C:\Users\Lily\AppData\Local\lje0cnuiz
    C:\ProgramData\28BAxRijF7
    C:\Users\Lily\AppData\Roaming\JzTaO0P22L
    C:\Users\Lily\AppData\Local\NTlPI07Y
    C:\ProgramData\raDu2xeEaov
    C:\Users\Lily\AppData\Roaming\76nCTjzgX
    C:\Users\Lily\AppData\Local\V8pCKgTWGmL
    C:\ProgramData\r6wgwT9OdGG
    C:\Users\Lily\AppData\Roaming\NA3w6m8odOg
    C:\Users\Lily\AppData\Local\ZdAKxfzkSq0
    C:\ProgramData\b03asjaz
    C:\Users\Lily\AppData\Roaming\zRuchjFoqUz
    C:\Users\Lily\AppData\Local\tpRgZvnlAaZ
    C:\ProgramData\KKaU3tzDwH4
    C:\Users\Lily\AppData\Roaming\r7yFJMgN7Is
    C:\Users\Lily\AppData\Local\rUMkaOuQQb
    C:\ProgramData\UoEr4cVES5
    C:\Users\Lily\AppData\Local\APtC8QSj
    C:\Users\Lily\AppData\Roaming\DFFkfriYhv
    C:\Users\Lily\AppData\Local\rMlHOkD7UF
    C:\ProgramData\2mFE7uo7i8n
    C:\Users\Lily\AppData\Local\iLivid
    C:\ProgramData\Datamngr
    C:\Users\Lily\Downloads\iLividSetup-r559-n-bc.exe
    C:\ProgramData\Best Buy pc app
    C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
    C:\Users\Lily\AppData\Local\APtC8QSj
    C:\Program Files (x86)\DefaultTab
    C:\Users\Lily\ntuser.pol


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options again.
  • Run frst.exe (on 64-bit, run frst64.exe), press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Now boot into Windows!

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs/spyware scanners; they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.

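For anyone reading this thread later, two things in the logs above are worth being able to spot on your own: the "One Month Modified Files and Folders" list shows batches of files with the same size (183296 bytes) and the same minute of modification dropped under random names into AppData\Roaming, AppData\Local and ProgramData at once, and the fixlist targets a Winlogon Shell value pointing at cmd.exe together with a Command Processor AutoRun value pointing at the dropped executable, which is how a lock screen can replace the desktop at logon. The script below is an added example, not part of this thread and not code from FRST or Farbar; it parses FRST-style lines of both kinds and flags those two patterns. The line formats are taken from the shapes shown in this thread, and the sample lines at the bottom are constructed (user "alice", placeholder file names), not copied from the logs.

```python
"""Triage helpers for FRST-style log lines (added example, not FRST code).

find_drop_clusters: same size + same modification minute + different parent
directories under AppData/ProgramData = the self-copy pattern in the thread.
audit_loading_points: Winlogon Shell other than explorer.exe, any Command
Processor AutoRun value, and Run entries launching from profile directories.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# "<mod date time> - <create date time> - <size> <attrs> [(publisher)] <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(\d{8}) ([_A-Z]{5}) (?:\([^)]*\)\s+)?(.+?)\s*$"
)
# "HKU\<user>\...\<Key>: <rest>" or "HKLM\...\<Key>: <rest>"
REG_LINE = re.compile(r"^(HK(?:LM|U\\[^\\]+))\\\.\.\.\\([^:]+):\s*(.*)$")

# Directories where a freshly written executable deserves a second look.
DROP_ROOTS = (r"\appdata\local", r"\appdata\roaming", r"\programdata")


def _under_drop_root(path: str) -> bool:
    p = path.lower()
    return any(root in p for root in DROP_ROOTS)


def find_drop_clusters(lines, min_files=2):
    """Return [(mod_timestamp, size, [paths])] for groups of non-directory
    entries under AppData/ProgramData sharing size and modification minute
    while sitting in at least two different parent directories."""
    groups = defaultdict(list)
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        mod_ts, _created, size, attrs, path = m.groups()
        if "D" in attrs or not _under_drop_root(path):
            continue
        groups[(mod_ts, int(size))].append(path)
    clusters = []
    for (ts, size), paths in sorted(groups.items()):
        parents = {str(PureWindowsPath(p).parent).lower() for p in paths}
        if len(paths) >= min_files and len(parents) >= 2:
            clusters.append((ts, size, paths))
    return clusters


def audit_loading_points(lines):
    """Return [(severity, registry location, value)] for suspicious entries."""
    findings = []
    for line in lines:
        m = REG_LINE.match(line.strip())
        if not m:
            continue
        hive, key, rest = m.groups()
        rest = re.sub(r"\s*<=+\s*ATTENTION!?\s*$", "", rest)  # FRST's own marker
        if key == "Winlogon":
            # The logon shell is explorer.exe on a healthy machine.
            vm = re.match(r"\[(\w+)\]\s+(\S+)", rest)
            if vm and vm.group(1).lower() == "shell" and vm.group(2).lower() != "explorer.exe":
                findings.append(("high", hive + r"\Winlogon\Shell", vm.group(2)))
        elif key == "Command Processor":
            # AutoRun executes its value every time cmd.exe starts; it is normally unset.
            findings.append(("high", hive + r"\Command Processor\AutoRun", rest.strip('"')))
        elif key == "Run":
            vm = re.match(r"\[([^\]]+)\]\s+-\s+(.+?)\s+\[", rest)
            if vm and _under_drop_root(vm.group(2)):
                findings.append(("review", hive + r"\Run\%s" % vm.group(1), vm.group(2)))
    return findings


# Constructed sample lines in the FRST formats shown in the thread (not real log data).
SAMPLE_LINES = [
    r"2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\alice\AppData\Roaming\qWx1Zr",
    r"2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\Users\alice\AppData\Local\k7pLm2",
    r"2013-09-18 07:12 - 2013-09-18 07:12 - 00183296 _____ C:\ProgramData\Vb3Tt9",
    r"2013-09-18 07:12 - 2012-07-31 17:14 - 00000000 ____D C:\users\alice",
    r"2013-09-13 11:21 - 2013-03-13 18:47 - 79143768 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe",
    r"2013-09-06 04:07 - 2013-09-06 04:07 - 37672592 _____ (Example Vendor Ltd.      ) C:\Users\alice\Downloads\setup.exe",
    r"HKU\alice\...\Run: [O1zy81jua.exe] - C:\Users\alice\AppData\Local\APtC8QSj\O1zy81jua.exe [123256 2013-09-05] (Microsoft Corporation)",
    r"HKU\alice\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION",
    r'HKU\alice\...\Command Processor: "C:\Users\alice\AppData\Local\APtC8QSj\O1zy81jua.exe" <===== ATTENTION!',
    r"HKLM\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20684656 2013-07-25] (Skype Technologies S.A.)",
    r"HKLM\...\Winlogon: [Shell] explorer.exe",
]

if __name__ == "__main__":
    for ts, size, paths in find_drop_clusters(SAMPLE_LINES):
        print(f"[cluster] {ts} size={size}: " + ", ".join(paths))
    for sev, key, detail in audit_loading_points(SAMPLE_LINES):
        print(f"[{sev}] {key} -> {detail}")
```

On the sample input the cluster finder reports the single 183296-byte triplet and ignores the directory entry, the Windows\System32 file and the lone download, while the loading-point audit flags the Run entry for review and the Shell and AutoRun values as high. Paste the relevant sections of a real FRST.txt into `SAMPLE_LINES` (or read them from the file) to run it on an actual log; entries FRST prints with a publisher name in parentheses are handled by the optional group in `FILE_LINE`.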

The machine seems to be working properly now...thank you very much!  Here are the results from FRST and Combofix...

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-09-2013 03
Ran by SYSTEM at 2013-09-19 07:41:36 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
HKU\Lily\...\Run: [O1zy81jua.exe] - C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe [123256 2013-09-05] (Microsoft Corporation)
HKU\Lily\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Lily\...\Command Processor: "C:\Users\Lily\AppData\Local\APtC8QSj\O1zy81jua.exe" <===== ATTENTION!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
 
S2 DefaultTabUpdate; C:\Users\Lily\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-07-25] ()
 
C:\Users\Lily\AppData\Roaming\DefaultTab
C:\Users\Lily\AppData\Roaming\hFLtNviPF
C:\Users\Lily\AppData\Local\h9txidqc
C:\ProgramData\RW7S8MJO
C:\Users\Lily\AppData\Roaming\4vX7znEub4f
C:\Users\Lily\AppData\Local\XEHZrne4S
C:\ProgramData\58Rd0RCT
C:\Users\Lily\AppData\Roaming\oHXXE2vitV
C:\Users\Lily\AppData\Local\5QZKzNh64N
C:\ProgramData\eiHt3SbtEil
C:\Users\Lily\AppData\Roaming\tgrpLYMp
C:\Users\Lily\AppData\Local\lje0cnuiz
C:\ProgramData\28BAxRijF7
C:\Users\Lily\AppData\Roaming\JzTaO0P22L
C:\Users\Lily\AppData\Local\NTlPI07Y
C:\ProgramData\raDu2xeEaov
C:\Users\Lily\AppData\Roaming\76nCTjzgX
C:\Users\Lily\AppData\Local\V8pCKgTWGmL
C:\ProgramData\r6wgwT9OdGG
C:\Users\Lily\AppData\Roaming\NA3w6m8odOg
C:\Users\Lily\AppData\Local\ZdAKxfzkSq0
C:\ProgramData\b03asjaz
C:\Users\Lily\AppData\Roaming\zRuchjFoqUz
C:\Users\Lily\AppData\Local\tpRgZvnlAaZ
C:\ProgramData\KKaU3tzDwH4
C:\Users\Lily\AppData\Roaming\r7yFJMgN7Is
C:\Users\Lily\AppData\Local\rUMkaOuQQb
C:\ProgramData\UoEr4cVES5
C:\Users\Lily\AppData\Local\APtC8QSj
C:\Users\Lily\AppData\Roaming\DFFkfriYhv
C:\Users\Lily\AppData\Local\rMlHOkD7UF
C:\ProgramData\2mFE7uo7i8n
C:\Users\Lily\AppData\Local\iLivid
C:\ProgramData\Datamngr
C:\Users\Lily\Downloads\iLividSetup-r559-n-bc.exe
C:\ProgramData\Best Buy pc app
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
C:\Users\Lily\AppData\Local\APtC8QSj
C:\Program Files (x86)\DefaultTab
C:\Users\Lily\ntuser.pol
*****************
 
HKU\Lily\Software\Microsoft\Windows\CurrentVersion\Run\\O1zy81jua.exe => Value deleted successfully.
HKU\Lily\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Lily\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk => Moved successfully.
C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe => Moved successfully.
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk not found.
C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe not found.
DefaultTabUpdate => Service deleted successfully.
C:\Users\Lily\AppData\Roaming\DefaultTab => Moved successfully.
C:\Users\Lily\AppData\Roaming\hFLtNviPF => Moved successfully.
C:\Users\Lily\AppData\Local\h9txidqc => Moved successfully.
C:\ProgramData\RW7S8MJO => Moved successfully.
C:\Users\Lily\AppData\Roaming\4vX7znEub4f => Moved successfully.
C:\Users\Lily\AppData\Local\XEHZrne4S => Moved successfully.
C:\ProgramData\58Rd0RCT => Moved successfully.
C:\Users\Lily\AppData\Roaming\oHXXE2vitV => Moved successfully.
C:\Users\Lily\AppData\Local\5QZKzNh64N => Moved successfully.
C:\ProgramData\eiHt3SbtEil => Moved successfully.
C:\Users\Lily\AppData\Roaming\tgrpLYMp => Moved successfully.
C:\Users\Lily\AppData\Local\lje0cnuiz => Moved successfully.
C:\ProgramData\28BAxRijF7 => Moved successfully.
C:\Users\Lily\AppData\Roaming\JzTaO0P22L => Moved successfully.
C:\Users\Lily\AppData\Local\NTlPI07Y => Moved successfully.
C:\ProgramData\raDu2xeEaov => Moved successfully.
C:\Users\Lily\AppData\Roaming\76nCTjzgX => Moved successfully.
C:\Users\Lily\AppData\Local\V8pCKgTWGmL => Moved successfully.
C:\ProgramData\r6wgwT9OdGG => Moved successfully.
C:\Users\Lily\AppData\Roaming\NA3w6m8odOg => Moved successfully.
C:\Users\Lily\AppData\Local\ZdAKxfzkSq0 => Moved successfully.
C:\ProgramData\b03asjaz => Moved successfully.
C:\Users\Lily\AppData\Roaming\zRuchjFoqUz => Moved successfully.
C:\Users\Lily\AppData\Local\tpRgZvnlAaZ => Moved successfully.
C:\ProgramData\KKaU3tzDwH4 => Moved successfully.
C:\Users\Lily\AppData\Roaming\r7yFJMgN7Is => Moved successfully.
C:\Users\Lily\AppData\Local\rUMkaOuQQb => Moved successfully.
C:\ProgramData\UoEr4cVES5 => Moved successfully.
C:\Users\Lily\AppData\Local\APtC8QSj => Moved successfully.
C:\Users\Lily\AppData\Roaming\DFFkfriYhv => Moved successfully.
C:\Users\Lily\AppData\Local\rMlHOkD7UF => Moved successfully.
C:\ProgramData\2mFE7uo7i8n => Moved successfully.
C:\Users\Lily\AppData\Local\iLivid => Moved successfully.
C:\ProgramData\Datamngr => Moved successfully.
C:\Users\Lily\Downloads\iLividSetup-r559-n-bc.exe => Moved successfully.
C:\ProgramData\Best Buy pc app => Moved successfully.
"C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk" => File/Directory not found.
"C:\Users\Lily\AppData\Local\APtC8QSj" => File/Directory not found.
C:\Program Files (x86)\DefaultTab => Moved successfully.
C:\Users\Lily\ntuser.pol => Moved successfully.
 
==== End of Fixlog ====
 
 
 
 
ComboFix 13-09-19.01 - Lily 09/19/2013   8:01.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3948.1844 [GMT -4:00]
Running from: c:\users\Lily\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\BrowserDefender
c:\users\Guest Account\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Guest Account\AppData\Local\Microsoft\Windows\Temporary Internet Files\{048EBD3C-8CBD-4F95-A3EB-1B9D475B7D46}.xps
c:\users\Guest Account\AppData\Local\Microsoft\Windows\Temporary Internet Files\{4BD9FA21-ECFD-4E5A-8384-B297F53E0578}.xps
c:\users\Guest Account\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8AFC1EDA-3A1D-41CA-942F-9A1694621464}.xps
c:\users\Guest Account\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D280B94A-794A-4A90-B424-8FD6A9B25B12}.xps
c:\users\Lily\AppData\Local\Google\Chrome\User Data\Default\bProtector Web Data
c:\users\Lily\AppData\Local\Google\Chrome\User Data\Default\bProtectorPreferences
c:\users\Lily\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Lily\AppData\Roaming\technic-launcher.jar
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-19 to 2013-09-19  )))))))))))))))))))))))))))))))
.
.
2013-09-19 12:34 . 2013-09-19 12:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-19 12:34 . 2013-09-19 12:34 -------- d-----w- c:\users\Guest Account\AppData\Local\temp
2013-09-19 11:58 . 2013-09-05 05:32 9694160 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3A098FB0-F572-4961-A038-D034006AEA89}\mpengine.dll
2013-09-18 19:47 . 2013-09-18 19:47 -------- d-----w- C:\FRST
2013-09-18 15:11 . 2013-08-06 08:58 9515512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-17 20:28 . 2013-09-18 19:09 -------- d-----w- c:\users\Fun
2013-09-17 19:58 . 2013-09-17 19:59 -------- d-----w- c:\users\Lily\AppData\Local\ElevatedDiagnostics
2013-09-14 00:50 . 2013-09-14 00:50 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-14 00:03 . 2013-09-18 19:08 -------- d-----w- c:\users\Guest Account\AppData\Roaming\Skype
2013-09-06 12:34 . 2013-09-06 12:33 965008 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0C7D0829-AB74-4886-BC0F-EC6EEDE2E670}\gapaengine.dll
2013-09-06 12:09 . 2013-09-19 11:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-06 12:08 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-06 12:08 . 2013-09-06 12:28 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-06 12:08 . 2013-09-06 12:08 -------- d-----w- c:\users\Lily\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-13 19:21 . 2013-03-14 02:47 79143768 ----a-w- c:\windows\system32\MRT.exe
2013-08-22 19:49 . 2012-10-06 03:02 941720 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-08-02 01:48 . 2013-09-13 00:06 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-07-25 09:25 . 2013-08-14 17:37 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-25 08:57 . 2013-08-14 17:37 1620992 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58 . 2013-08-14 17:37 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-19 01:41 . 2013-08-14 17:37 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-07-09 05:52 . 2013-08-14 17:37 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 05:51 . 2013-08-14 17:37 1217024 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 05:46 . 2013-08-14 17:37 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 05:46 . 2013-08-14 17:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 05:46 . 2013-08-14 17:37 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-09 04:52 . 2013-08-14 17:37 663552 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2013-07-09 04:52 . 2013-08-14 17:37 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-07-09 04:46 . 2013-08-14 17:37 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-07-09 04:46 . 2013-08-14 17:37 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-07-09 04:46 . 2013-08-14 17:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-07-06 06:03 . 2013-08-14 17:36 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-26 23:21 . 2013-06-26 23:21 23208 ----a-w- c:\windows\system32\drivers\Sftvollh.sys
2013-06-26 23:21 . 2013-06-26 23:21 28840 ----a-w- c:\windows\system32\drivers\Sftredirlh.sys
2013-06-26 23:21 . 2013-06-26 23:21 273576 ----a-w- c:\windows\system32\drivers\Sftplaylh.sys
2013-06-26 23:21 . 2013-06-26 23:21 1777320 ----a-w- c:\windows\system32\sftldr.dll
2013-06-26 23:21 . 2013-06-26 23:21 1130664 ----a-w- c:\windows\SysWow64\sftldr_wow64.dll
2013-06-26 23:21 . 2013-06-26 23:21 767144 ----a-w- c:\windows\system32\drivers\Sftfslh.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-07-25 20684656]
"Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2013-05-16 3642312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-07-01 1103440]
"Lexmark 6500 Series"="c:\program files (x86)\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"BackupManagerTray"="c:\program files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe" [2011-03-09 290112]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
.
c:\users\Guest Account\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Lily\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\users\Lily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Lily\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdfserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\lxdfserv.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ePowerSvc;ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Live Updater Service;Live Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
S2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe;c:\windows\SYSNATIVE\lxdfcoms.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\DRIVERS\b57xdbd.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdbd.sys [x]
S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\DRIVERS\b57xdmp.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdmp.sys [x]
S3 bScsiMSa;bScsiMSa;c:\windows\system32\DRIVERS\bScsiMSa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiMSa.sys [x]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiSDa.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-04 01:17 1177552 ----a-w- c:\program files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2013-09-06 14:58]
.
2013-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-19 00:50]
.
2013-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-19 00:50]
.
2013-09-15 c:\windows\Tasks\Norton Security Scan for Lily.job
- c:\progra~2\NORTON~2\Engine\400~1.46\Nss.exe [2013-03-22 09:59]
.
2013-09-06 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2013-09-06 14:57]
.
2013-09-06 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2013-09-06 14:58]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-03-10 11785832]
"Power Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2011-08-02 1831016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-21 416024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
"lxdfmon.exe"="c:\program files (x86)\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files (x86)\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-21 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-21 392472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\users\Lily\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
AddRemove-DefaultTab - c:\users\Lily\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
AddRemove-DefaultTab Chrome - c:\program files (x86)\DefaultTab\uninstaller.exe
AddRemove-e55b814e55744b76 - c:\programdata\Best Buy pc app\ClickOnceUninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-19  08:45:46
ComboFix-quarantined-files.txt  2013-09-19 12:45
.
Pre-Run: 234,674,999,296 bytes free
Post-Run: 236,487,016,448 bytes free
.
- - End Of File - - D55407ECC36F2ADE7C2FB94D4C26950C

We're not finished yet!


Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Here are the results of the ESET scan...


C:\FRST\Quarantine\APtC8QSj\O1zy81jua.dll a variant of Win32/Kryptik.BJTJ trojan
C:\FRST\Quarantine\APtC8QSj\O1zy81jua.exe a variant of Win32/Kryptik.BJTJ trojan
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabBHO.dll a variant of Win32/Toolbar.DefaultTab.B application
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabSearch.exe a variant of Win32/Toolbar.DefaultTab.B application
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabStart.exe a variant of Win32/Toolbar.DefaultTab.B application
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabWrap.dll a variant of Win32/Toolbar.DefaultTab.B application
C:\FRST\Quarantine\DefaultTab\DefaultTab\DTUpdate.exe Win32/Toolbar.DefaultTab.A application
C:\FRST\Quarantine\DefaultTab\DefaultTab\update.exe multiple threats
C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe a variant of Win32/Bundled.Toolbar.Ask.A application
C:\Users\Lily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60LVBKXV\web-play-product_setup[1].exe Win32/DownWare.G application
C:\Users\Lily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\65d16ad3-5e5ab6dd a variant of Win32/Kryptik.BJTJ trojan
C:\Users\Lily\AppData\Roaming\DSite\UpdateProc\UpdateTask.exe Win32/DownWare.E application
C:\Users\Lily\AppData\Roaming\Zip Opener Packages\uninstaller.exe a variant of Win32/InstallCore.AZ application
C:\Users\Lily\Downloads\Setup.exe a variant of Win32/Adware.iBryte.D application
C:\Users\Lily\Downloads\Update (1).exe a variant of Win32/AirAdInstaller.A application
C:\Users\Lily\Downloads\Update (2).exe a variant of Win32/AirAdInstaller.A application
C:\Users\Lily\Downloads\Update.exe a variant of Win32/AirAdInstaller.A application
C:\Users\Lily\Downloads\ZipOpenerSetup.exe Win32/InstallCore.BN application
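The ESET list above is the raw material for the ComboFix script in the next post: hits already sitting under C:\FRST\Quarantine are inert, the rest still need a File:: entry. As an added example (not the helper's CFScript.txt, which is attached rather than shown), this Python parses an ESET export in the "<path> <verdict>" format posted, separates quarantined from live hits, counts hits per signature, and emits the File:: block for the live ones. The quarantine folder names and the File:: directive spelling are assumptions to verify against the real script.

```python
"""Triage an ESET Online Scanner result list and build a ComboFix File:: block.

Added example, not the helper's script.  It assumes the export format shown
in the thread ("<path> <verdict>" per line) and the standard quarantine
folders of FRST and ComboFix; both are assumptions to verify on a real case.
"""
from __future__ import annotations

import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: five lines copied from the results posted above.
ESET_LOG = r"""
C:\FRST\Quarantine\APtC8QSj\O1zy81jua.dll a variant of Win32/Kryptik.BJTJ trojan
C:\FRST\Quarantine\DefaultTab\DefaultTab\update.exe multiple threats
C:\Users\Lily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\65d16ad3-5e5ab6dd a variant of Win32/Kryptik.BJTJ trojan
C:\Users\Lily\Downloads\Update (1).exe a variant of Win32/AirAdInstaller.A application
C:\Users\Lily\Downloads\ZipOpenerSetup.exe Win32/InstallCore.BN application
"""

# Paths may contain spaces, so the split point is the first "Family/Name"
# token: Windows paths never contain a forward slash, and the lazy path group
# stops at the first position where a verdict matches.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:(?P<variant>a variant of)\s+)?"
    r"(?P<verdict>(?P<signature>\S+/\S+)(?:\s+[a-z]+)+|multiple threats)\s*$"
)

# Items already moved here by FRST or ComboFix cannot run from there; they
# need no File:: entry, only the eventual quarantine purge.  (Assumed names.)
QUARANTINE_DIRS = (
    PureWindowsPath(r"C:\FRST\Quarantine"),
    PureWindowsPath(r"C:\Qoobox\Quarantine"),
)


def parse_eset_line(line: str) -> dict | None:
    """Split one export line into path, signature, threat class and variant flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sig = m.group("signature")
    # The words after the signature ("trojan", "application", ...) are the
    # threat class; "multiple threats" carries no signature at all.
    kind = m.group("verdict")[len(sig):].strip() if sig else m.group("verdict")
    return {
        "path": m.group("path"),
        "signature": sig,
        "kind": kind,
        "variant": m.group("variant") is not None,
    }


def parse_eset_log(text: str) -> list[dict]:
    """Parse every non-blank line; an unparseable line is an error, not a skip."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_eset_line(raw)
        if rec is None:
            raise ValueError(f"unrecognised ESET result line: {raw!r}")
        records.append(rec)
    return records


def is_quarantined(path: str) -> bool:
    """True if the file sits inside a known quarantine folder (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(q == p or q in p.parents for q in QUARANTINE_DIRS)


def triage(records: list[dict]) -> dict[str, list[dict]]:
    """Separate live hits (still where they can execute) from quarantined ones."""
    out: dict[str, list[dict]] = {"live": [], "quarantined": []}
    for rec in records:
        out["quarantined" if is_quarantined(rec["path"]) else "live"].append(rec)
    return out


def family_counts(records: list[dict]) -> Counter:
    """Hits per signature; a repeated family across locations hints at one chain."""
    return Counter(rec["signature"] or rec["kind"] for rec in records)


def cfscript_file_block(records: list[dict]) -> str:
    """Emit the File:: block for the live hits, one path per line."""
    live = triage(records)["live"]
    return "File::\n" + "".join(rec["path"] + "\n" for rec in live)


if __name__ == "__main__":
    recs = parse_eset_log(ESET_LOG)
    for sig, n in family_counts(recs).most_common():
        print(f"{n:2d}  {sig}")
    print(cfscript_file_block(recs))
```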

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Full System Scan with Malwarebytes Antimalware


  • If it is not already installed, please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

CFScript.txt


Here are the results of the latest Combofix and Malwarebytes scans...


ComboFix 13-09-19.01 - Lily 09/20/2013   7:46.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3948.1963 [GMT -4:00]
Running from: c:\users\Lily\Desktop\ComboFix.exe
Command switches used :: c:\users\Lily\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\oem\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe"
"c:\users\Lily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60LVBKXV\web-play-product_setup[1].exe"
"c:\users\Lily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\65d16ad3-5e5ab6dd"
"c:\users\Lily\AppData\Roaming\DSite\UpdateProc\UpdateTask.exe"
"c:\users\Lily\AppData\Roaming\Zip Opener Packages\uninstaller.exe"
"c:\users\Lily\Downloads\Setup.exe"
"c:\users\Lily\Downloads\Update (1).exe"
"c:\users\Lily\Downloads\Update (2).exe"
"c:\users\Lily\Downloads\Update.exe"
"c:\users\Lily\Downloads\ZipOpenerSetup.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\oem\Preload\Autorun\APP\Nero 10 Essentials Gateway Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe
c:\users\Lily\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Lily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60LVBKXV\web-play-product_setup[1].exe
c:\users\Lily\AppData\Roaming\DSite\UpdateProc\UpdateTask.exe
c:\users\Lily\AppData\Roaming\Zip Opener Packages\uninstaller.exe
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-20 to 2013-09-20  )))))))))))))))))))))))))))))))
.
.
2013-09-20 11:55 . 2013-09-20 11:55 -------- d-----w- c:\users\Guest Account\AppData\Local\temp
2013-09-20 11:55 . 2013-09-20 11:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-20 11:55 . 2013-09-20 11:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-09-19 19:56 . 2013-09-19 19:56 -------- d-----w- c:\program files (x86)\ESET
2013-09-19 14:19 . 2013-09-05 05:32 9694160 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8179790-254E-4AD1-84D0-E1D63D3A74BA}\mpengine.dll
2013-09-18 19:47 . 2013-09-18 19:47 -------- d-----w- C:\FRST
2013-09-18 15:11 . 2013-08-06 08:58 9515512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-17 20:28 . 2013-09-18 19:09 -------- d-----w- c:\users\Fun
2013-09-17 19:58 . 2013-09-17 19:59 -------- d-----w- c:\users\Lily\AppData\Local\ElevatedDiagnostics
2013-09-14 00:50 . 2013-09-14 00:50 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-14 00:03 . 2013-09-18 19:08 -------- d-----w- c:\users\Guest Account\AppData\Roaming\Skype
2013-09-06 12:34 . 2013-09-06 12:33 965008 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0C7D0829-AB74-4886-BC0F-EC6EEDE2E670}\gapaengine.dll
2013-09-06 12:09 . 2013-09-19 11:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-06 12:08 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-06 12:08 . 2013-09-06 12:28 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-06 12:08 . 2013-09-06 12:08 -------- d-----w- c:\users\Lily\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-13 19:21 . 2013-03-14 02:47 79143768 ----a-w- c:\windows\system32\MRT.exe
2013-08-22 19:49 . 2012-10-06 03:02 941720 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-08-02 01:48 . 2013-09-13 00:06 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-07-25 09:25 . 2013-08-14 17:37 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-25 08:57 . 2013-08-14 17:37 1620992 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58 . 2013-08-14 17:37 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-19 01:41 . 2013-08-14 17:37 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-07-09 05:52 . 2013-08-14 17:37 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 05:51 . 2013-08-14 17:37 1217024 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 05:46 . 2013-08-14 17:37 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 05:46 . 2013-08-14 17:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 05:46 . 2013-08-14 17:37 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-09 04:52 . 2013-08-14 17:37 663552 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2013-07-09 04:52 . 2013-08-14 17:37 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-07-09 04:46 . 2013-08-14 17:37 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-07-09 04:46 . 2013-08-14 17:37 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-07-09 04:46 . 2013-08-14 17:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-07-06 06:03 . 2013-08-14 17:36 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-26 23:21 . 2013-06-26 23:21 23208 ----a-w- c:\windows\system32\drivers\Sftvollh.sys
2013-06-26 23:21 . 2013-06-26 23:21 28840 ----a-w- c:\windows\system32\drivers\Sftredirlh.sys
2013-06-26 23:21 . 2013-06-26 23:21 273576 ----a-w- c:\windows\system32\drivers\Sftplaylh.sys
2013-06-26 23:21 . 2013-06-26 23:21 1777320 ----a-w- c:\windows\system32\sftldr.dll
2013-06-26 23:21 . 2013-06-26 23:21 1130664 ----a-w- c:\windows\SysWow64\sftldr_wow64.dll
2013-06-26 23:21 . 2013-06-26 23:21 767144 ----a-w- c:\windows\system32\drivers\Sftfslh.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}]
c:\users\Lily\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll [bU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-07-25 20684656]
"Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2013-05-16 3642312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-07-01 1103440]
"Lexmark 6500 Series"="c:\program files (x86)\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"BackupManagerTray"="c:\program files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe" [2011-03-09 290112]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
.
c:\users\Guest Account\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Lily\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\users\Lily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Lily\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdfserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\lxdfserv.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ePowerSvc;ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Live Updater Service;Live Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
S2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe;c:\windows\SYSNATIVE\lxdfcoms.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\DRIVERS\b57xdbd.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdbd.sys [x]
S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\DRIVERS\b57xdmp.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdmp.sys [x]
S3 bScsiMSa;bScsiMSa;c:\windows\system32\DRIVERS\bScsiMSa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiMSa.sys [x]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiSDa.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-04 01:17 1177552 ----a-w- c:\program files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2013-09-06 14:58]
.
2013-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-19 00:50]
.
2013-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-19 00:50]
.
2013-09-19 c:\windows\Tasks\Norton Security Scan for Lily.job
- c:\progra~2\NORTON~2\Engine\400~1.46\Nss.exe [2013-03-22 09:59]
.
2013-09-06 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2013-09-06 14:57]
.
2013-09-06 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2013-09-06 14:58]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\Lily\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-03-10 11785832]
"Power Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2011-08-02 1831016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-21 416024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
"lxdfmon.exe"="c:\program files (x86)\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files (x86)\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-21 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-21 392472]
"ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [bU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
AddRemove-DefaultTab - c:\users\Lily\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
AddRemove-DefaultTab Chrome - c:\program files (x86)\DefaultTab\uninstaller.exe
AddRemove-DSite - c:\users\Lily\AppData\Roaming\DSite\UpdateProc\UpdateTask.exe
AddRemove-Zip Opener Packages - c:\users\Lily\AppData\Roaming\Zip Opener Packages\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-20  08:05:22
ComboFix-quarantined-files.txt  2013-09-20 12:05
ComboFix2.txt  2013-09-19 12:45
.
Pre-Run: 239,171,973,120 bytes free
Post-Run: 240,030,109,696 bytes free
.
- - End Of File - - 29AE8BE3DDB9C7113C793462933A9AE3
 
 
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.20.04
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Lily :: LILY-PC [administrator]
 
9/20/2013 8:11:11 AM
mbam-log-2013-09-20 (08-11-11).txt
 
Scan type: Full scan (C:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 407816
Time elapsed: 38 minute(s), 2 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 19
HKCR\AppID\{38495740-0035-4471-851E-F5BBB86AB085} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3} (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKCR\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\DefaultTabBHO.DefaultTabBrowserActiveX.1 (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\DefaultTabBHO.DefaultTabBrowserActiveX (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\AppID\DefaultTabBHO.DLL (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\DataMngr_Toolbar (PUP.Optional.DataMngr.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\DEFAULT TAB (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\DefaultTab (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\DEFAULT TAB (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
 
Registry Values Detected: 3
HKCU\SOFTWARE\Default Tab|Version (PUP.Optional.DefaultTab.A) -> Data: 2.2.8.0 -> Quarantined and deleted successfully.
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0L1N1H2O1S -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Default Tab|Version (PUP.Optional.DefaultTab.A) -> Data: 2.2.8.0 -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.StartPage) -> Bad: (http://www1.delta-search.com/?babsrc=HP_ss&mntrId=22459CB70D995A33&affID=119351&tsp=4954) Good: (http://www.google.com) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 12
C:\FRST\Quarantine\iLividSetup-r559-n-bc.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\APtC8QSj\O1zy81jua.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\APtC8QSj\O1zy81jua.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabBHO.dll (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabStart.exe (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabStart64.exe (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabWrap.dll (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DefaultTabWrap64.dll (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\DTUpdate.exe (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\DefaultTab\DefaultTab\update.exe (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Lily\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60LVBKXV\web-play-product_setup[1].exe.vir (PUP.Downware) -> Quarantined and deleted successfully.
C:\Users\Guest Account\Downloads\rcpsetup_dcomnew_sec_728_dcomnew_sec_728.exe (PUP.Optional.RegCleanerPro) -> Quarantined and deleted successfully.
 
(end)
 

Then we can do the cleanup. If you are facing any issues, report that immediately.

Delete junk with AdwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit Delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll also find the log file at C:\AdwCleaner[s1].txt.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.


Here are the AdwCleaner and SecurityCheck results...

 

# AdwCleaner v3.005 - Report created 23/09/2013 at 15:03:19
# Updated 22/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Lily - LILY-PC
# Running from : C:\Users\Lily\Desktop\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files (x86)\openit
Folder Deleted : C:\Users\Lily\AppData\Roaming\DSite
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{4d8c0bcf-07da-4d5b-aebd-c0cbbc8fc0f4}]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKCU\Software\594dadcb439b942
Key Deleted : HKLM\SOFTWARE\594dadcb439b942
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\dsiteproducts
Key Deleted : HKCU\Software\AppDataLow\Software\lyrixeeker
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab Chrome
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenIt Open It!
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16686
 
 
-\\ Google Chrome v29.0.1547.76
 
[ File : C:\Users\Lily\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted : search_url
Deleted : keyword
 
*************************
 
AdwCleaner[R0].txt - [2644 octets] - [23/09/2013 15:01:51]
AdwCleaner[s0].txt - [2479 octets] - [23/09/2013 15:03:19]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2539 octets] ##########
 
 
 
 Results of screen317's Security Check version 0.99.73  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
  (On Access scanning disabled!) 
 Error obtaining update status for antivirus!  
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 JavaFX 2.1.1    
 Java 7 Update 5  
 Java version out of Date! 
 Adobe Flash Player 10 Flash Player out of Date! 
 Google Chrome 29.0.1547.66  
 Google Chrome 29.0.1547.76  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Spybot Teatimer.exe is disabled! 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 
 

Then your system is clean! :)

Java Runtime Environment out of date

Your Java Runtime Environment is outdated. We will fix this.

  • Get the current JRE from here.
  • Save jxpiinstall.exe to your desktop.
  • Close all running programs, especially your browser(s).
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software.
  • When finished, go to
    Start-->Control Panel-->Add/Remove Programs and remove all older Java versions (if existing).
  • When finished, reboot your computer.


After the reboot

  • Open Control Panel again and click the Java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears.
  • Click OK on the Delete Temporary Files window.
  • Click OK again.

Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.


  • Get the current software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) that is offered.
  • Run the setup and follow the instructions.
  • Click Start-->Control Panel-->Add/Remove Programs.
  • Search for and remove any older Reader versions.

Uninstall our tools using delfix

Please follow these steps in order:

  1. In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  2. In case we used ComboFix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that ComboFix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.

  • If there is still something left, please delete it manually.

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your Control Panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally, I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:

  • Backups
    There are chances for an emergency every day, so be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere it is colored or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software, always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

