mbsouthpaw1 Posted October 14, 2013 Author ID:741877 Share Posted October 14, 2013 Am now running malwarebytes quick scan. Below is the log from adwcleaner Mike # AdwCleaner v3.007 - Report created 14/10/2013 at 12:02:44# Updated 09/10/2013 by Xplode# Operating System : Windows 7 Professional Service Pack 1 (64 bits)# Username : mbelchik - JKS5RL1-FISH# Running from : C:\Users\mbelchik\Desktop\AdwCleaner.exe# Option : Clean***** [ Services ] ********** [ Files / Folders ] *****Folder Deleted : C:\ProgramData\AskFolder Deleted : C:\ProgramData\ConduitFolder Deleted : C:\Program Files (x86)\ConduitFolder Deleted : C:\Program Files (x86)\MyPC BackupFolder Deleted : C:\Users\mbelchik\AppData\Local\ConduitFolder Deleted : C:\Users\mbelchik\AppData\LocalLow\AskToolbarFolder Deleted : C:\Users\mbelchik\AppData\LocalLow\ConduitFolder Deleted : C:\Users\mbelchik\AppData\LocalLow\PriceGongFolder Deleted : C:\Users\mbelchik\AppData\Roaming\digitalsiteFolder Deleted : C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\CT3310511Folder Deleted : C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\Extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d}File Deleted : C:\ENDFile Deleted : C:\Users\mbelchik\AppData\Local\Temp\Uninstall.exeFile Deleted : C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\searchplugins\Conduit.xmlFile Deleted : C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\searchplugins\MyStart Search.xmlFile Deleted : C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\user.jsFile Deleted : C:\Windows\Tasks\digitalsite.jobFile Deleted : C:\Windows\System32\Tasks\digitalsite***** [ Shortcuts ] ********** [ Registry ] *****Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbhoKey Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCSKey Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3310511Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}Key Deleted : HKCU\Software\ConduitKey Deleted : HKCU\Software\dsiteproductsKey Deleted : HKCU\Software\IMKey Deleted : HKCU\Software\ImInstallerKey Deleted : HKCU\Software\InstallCoreKey Deleted : HKCU\Software\AppDataLow\Software\ConduitKey Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopesKey Deleted : HKCU\Software\AppDataLow\Software\CrossriderKey Deleted : HKCU\Software\AppDataLow\Software\PriceGongKey Deleted : HKCU\Software\AppDataLow\Software\smartbarKey Deleted : HKLM\Software\ConduitKey Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}***** [ Browsers ] *****-\\ Internet Explorer v10.0.9200.16720-\\ Mozilla Firefox v12.0 (en-US)[ File : C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\prefs.js ]Line Deleted : user_pref("CT3310511.FF19Solved", "true");Line Deleted : user_pref("CT3310511.UserID", "UN53179064928522581");Line Deleted : user_pref("CT3310511.browser.search.defaultthis.engineName", "true");Line Deleted : user_pref("CT3310511.fullUserID", "UN53179064928522581.IN.20130929092933");Line Deleted : user_pref("CT3310511.installDate", "29/09/2013 09:29:35");Line Deleted : user_pref("CT3310511.installSessionId", "{A261E3DF-77E4-43E7-9CEE-F2075706B1FD}");Line Deleted : user_pref("CT3310511.installSp", "TRUE");Line Deleted : user_pref("CT3310511.installerVersion", "1.7.1.4");Line Deleted : user_pref("CT3310511.keyword", "true");Line Deleted : user_pref("CT3310511.originalHomepage", "about:home");Line Deleted : user_pref("CT3310511.originalSearchAddressUrl", "");Line Deleted : user_pref("CT3310511.originalSearchEngine", "");Line Deleted : user_pref("CT3310511.originalSearchEngineName", "");Line Deleted : user_pref("CT3310511.searchRevert", "false");Line Deleted : user_pref("CT3310511.searchUserMode", "2");Line Deleted : user_pref("CT3310511.smartbar.homepage", "true");Line Deleted : user_pref("CT3310511.versionFromInstaller", "10.20.1.8");Line Deleted : user_pref("CT3310511.xpeMode", "0");Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");Line Deleted : user_pref("browser.search.defaultenginename", "SweetPacks Customized Web Search");Line Deleted : user_pref("browser.search.defaultthis.engineName", "SweetPacks Customized Web Search");Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3310511");Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3310511");Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3310511");Line Deleted : user_pref("smartbar.machineId", "OHAX8XD1E5LZ1+PEA0ORHJ6ZSHPXNAHEKHLRJLL8IZKTSMSGU1QSVAQLDBZM6DE7WFGR/1WIZCCH/1EWKEYUYW");-\\ Google Chrome v30.0.1599.69[ File : C:\Users\mbelchik\AppData\Local\Google\Chrome\User Data\Default\preferences ]Deleted : icon_url*************************AdwCleaner[R0].txt - [8091 octets] - [14/10/2013 11:59:17]AdwCleaner[s0].txt - [6966 octets] - [14/10/2013 12:02:44]########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [7026 octets] ########## Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2013 ID:741878 Share Posted October 14, 2013 Ok.....MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:741885 Share Posted October 14, 2013 Ran malwarebytes quick scan; removed three PUP files. All were from the accidental download from the bleepingcomputer ad I accidentally clicked on last Friday. I am now preparing to run the combofix according to your directions which I have printed out next to me. Below is the malwarebytes report: Malwarebytes Anti-Malware 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.10.14.09Windows 7 Service Pack 1 x64 NTFSInternet Explorer 10.0.9200.16721mbelchik :: JKS5RL1-FISH [administrator]10/14/2013 12:11:02 PMmbam-log-2013-10-14 (12-11-02).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 246509Time elapsed: 6 minute(s), 18 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 3C:\Users\mbelchik\AppData\Local\Temp\is1590112554\62143884_stp\wajam_validate.exe (PUP.Optional.Wajam) -> Quarantined and deleted successfully.C:\Users\mbelchik\AppData\Local\Temp\is1590112554\62144074_stp\setup.exe (PUP.Optional.FastFreeConverter.A) -> Quarantined and deleted successfully.C:\Users\mbelchik\Local Settings\Temporary Internet Files\Content.IE5\1UVYHXFB\ZipExtractorSetup.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.(end) Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2013 ID:741898 Share Posted October 14, 2013 OK....MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:741923 Share Posted October 14, 2013 Ran combofix; seemed to go pretty good. Here's the report: ComboFix 13-10-13.02 - mbelchik 10/14/2013 13:02:47.1.4 - x64Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4020.2797 [GMT -7:00]Running from: c:\users\mbelchik\Desktop\ComboFix.exeAV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\users\Admin\Desktop\Setup.exec:\users\mbelchik\AppData\Local\Microsoft\Windows\Temporary Internet Files\qualitink_ielsc:\users\mbelchik\AppData\Local\Microsoft\Windows\Temporary Internet Files\Whilokii_iels..((((((((((((((((((((((((( Files Created from 2013-09-14 to 2013-10-14 )))))))))))))))))))))))))))))))..2013-10-14 18:58 . 2013-10-14 19:02 -------- d-----w- C:\AdwCleaner2013-10-11 18:38 . 2013-10-11 18:38 -------- d--h--w- c:\programdata\Common Files2013-10-11 16:55 . 2013-10-11 16:55 -------- d-----w- C:\FRST2013-10-10 21:21 . 2013-04-04 21:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys2013-10-10 21:21 . 2013-10-10 21:21 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware2013-10-10 01:08 . 2013-09-22 22:54 19252224 ----a-w- c:\windows\system32\mshtml.dll2013-10-09 18:14 . 2013-07-04 12:50 633856 ----a-w- c:\windows\system32\comctl32.dll2013-10-09 18:14 . 2013-07-04 11:50 530432 ----a-w- c:\windows\SysWow64\comctl32.dll2013-10-09 18:14 . 2013-06-06 05:50 41472 ----a-w- c:\windows\system32\lpk.dll2013-10-09 18:14 . 2013-06-06 05:49 14336 ----a-w- c:\windows\system32\dciman32.dll2013-10-09 18:14 . 2013-06-06 04:50 10240 ----a-w- c:\windows\SysWow64\dciman32.dll2013-10-09 18:14 . 2013-06-06 03:30 368128 ----a-w- c:\windows\system32\atmfd.dll2013-10-09 18:14 . 2013-06-06 03:01 295424 ----a-w- c:\windows\SysWow64\atmfd.dll2013-10-09 18:14 . 2013-06-06 05:49 100864 ----a-w- c:\windows\system32\fontsub.dll2013-10-09 18:14 . 2013-06-06 04:57 25600 ----a-w- c:\windows\SysWow64\lpk.dll2013-10-09 18:14 . 2013-06-06 04:51 70656 ----a-w- c:\windows\SysWow64\fontsub.dll2013-10-09 18:14 . 2013-06-06 05:47 46080 ----a-w- c:\windows\system32\atmlib.dll2013-10-09 18:14 . 2013-06-06 03:01 34304 ----a-w- c:\windows\SysWow64\atmlib.dll2013-10-08 23:00 . 2013-10-08 23:00 -------- d-----w- c:\programdata\Motorola2013-10-08 22:57 . 2013-10-14 19:21 -------- d-----w- C:\Temp2013-10-08 22:57 . 2013-10-08 22:57 -------- d-----w- c:\users\mbelchik\AppData\Roaming\Motorola Mobility2013-10-08 22:57 . 2013-10-08 22:57 -------- d-----w- c:\program files (x86)\Motorola Mobility2013-10-08 22:57 . 2013-10-08 22:57 -------- d-----w- c:\program files (x86)\Motorola2013-10-08 22:56 . 2013-10-08 22:56 -------- d-----w- c:\program files\Motorola Inc2013-10-08 22:56 . 2013-10-08 22:56 -------- d-----w- c:\program files\Common Files\Motorola Shared2013-10-08 22:54 . 2013-10-08 22:54 -------- d-----w- c:\users\mbelchik\AppData\Roaming\Motorola2013-09-30 00:27 . 2013-09-30 00:27 -------- d-----w- c:\users\mbelchik\AppData\Local\Programs2013-09-29 16:29 . 2013-09-29 16:29 -------- d-----w- c:\users\mbelchik\AppData\Local\CRE2013-09-29 16:29 . 2013-07-04 07:11 829264 ----a-w- c:\windows\system32\msvcr100.dll2013-09-29 16:29 . 2013-07-04 07:11 608080 ----a-w- c:\windows\system32\msvcp100.dll2013-09-29 16:28 . 2013-09-29 23:25 -------- d-----w- c:\program files (x86)\VipBoxSportsApp.com...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-10-10 01:00 . 2011-12-29 02:37 80541720 ----a-w- c:\windows\system32\MRT.exe2013-10-08 17:38 . 2012-04-19 17:43 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe2013-10-08 17:38 . 2011-12-29 18:32 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2013-10-03 19:02 . 2011-12-29 00:13 233120 ----a-w- c:\windows\system32\drivers\wpshelper.sys2013-08-02 02:23 . 2013-09-10 18:08 5550528 ----a-w- c:\windows\system32\ntoskrnl.exe2013-08-02 02:15 . 2013-09-10 18:08 1732032 ----a-w- c:\windows\system32\ntdll.dll2013-08-02 02:15 . 2013-09-10 18:08 243712 ----a-w- c:\windows\system32\wow64.dll2013-08-02 02:15 . 2013-09-10 18:08 362496 ----a-w- c:\windows\system32\wow64win.dll2013-08-02 02:15 . 2013-09-10 18:08 13312 ----a-w- c:\windows\system32\wow64cpu.dll2013-08-02 02:14 . 2013-09-10 18:08 215040 ----a-w- c:\windows\system32\winsrv.dll2013-08-02 02:14 . 2013-09-10 18:08 16384 ----a-w- c:\windows\system32\ntvdm64.dll2013-08-02 02:13 . 2013-09-10 18:08 424448 ----a-w- c:\windows\system32\KernelBase.dll2013-08-02 02:13 . 2013-09-10 18:08 1161216 ----a-w- c:\windows\system32\kernel32.dll2013-08-02 02:12 . 2013-09-10 18:08 43520 ----a-w- c:\windows\system32\csrsrv.dll2013-08-02 02:12 . 2013-09-10 18:08 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 6656 ----a-w- c:\windows\system32\apisetschema.dll2013-08-02 02:12 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll2013-08-02 02:12 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll2013-08-02 01:59 . 2013-09-10 18:08 3968960 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe2013-08-02 01:59 . 2013-09-10 18:08 3913664 ----a-w- c:\windows\SysWow64\ntoskrnl.exe2013-08-02 01:51 . 2013-09-10 18:08 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll2013-08-02 01:50 . 2013-09-10 18:08 274944 ----a-w- c:\windows\SysWow64\KernelBase.dll2013-08-02 01:50 . 2013-09-10 18:08 5120 ----a-w- c:\windows\SysWow64\wow32.dll2013-08-02 01:48 . 2013-09-10 18:08 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll2013-08-02 01:48 . 2013-09-10 18:08 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll2013-08-02 01:48 . 2013-09-10 18:08 44032 ----a-w- c:\windows\apppatch\acwow64.dll2013-08-02 01:09 . 2013-09-10 18:08 338432 ----a-w- c:\windows\system32\conhost.exe2013-08-02 00:59 . 2013-09-10 18:08 112640 ----a-w- c:\windows\system32\smss.exe2013-08-02 00:45 . 2013-09-10 18:08 25600 ----a-w- c:\windows\SysWow64\setup16.exe2013-08-02 00:45 . 2013-09-10 18:08 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll2013-08-02 00:45 . 2013-09-10 18:08 7680 ----a-w- c:\windows\SysWow64\instnm.exe2013-08-02 00:45 . 2013-09-10 18:08 2048 ----a-w- c:\windows\SysWow64\user.exe2013-08-02 00:43 . 2013-09-10 18:08 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll2013-08-02 00:43 . 2013-09-10 18:08 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll2013-08-02 00:43 . 2013-09-10 18:08 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll2013-08-02 00:43 . 2013-09-10 18:08 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll2013-07-30 19:23 . 2013-07-30 19:23 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll2013-07-30 19:23 . 2012-06-26 22:21 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll2013-07-30 19:23 . 2012-01-05 05:17 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll2013-07-26 02:24 . 2013-09-10 18:07 14172672 ----a-w- c:\windows\system32\shell32.dll2013-07-26 02:24 . 2013-09-10 18:07 197120 ----a-w- c:\windows\system32\shdocvw.dll2013-07-25 09:25 . 2013-08-14 15:41 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL2013-07-25 08:57 . 2013-08-14 15:41 1620992 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL2013-07-19 01:58 . 2013-08-14 15:41 2048 ----a-w- c:\windows\system32\tzres.dll2013-07-19 01:41 . 2013-08-14 15:41 2048 ----a-w- c:\windows\SysWow64\tzres.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]2013-05-25 00:36 130736 ----a-w- c:\users\mbelchik\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]2013-05-25 00:36 130736 ----a-w- c:\users\mbelchik\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]2013-05-25 00:36 130736 ----a-w- c:\users\mbelchik\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-01-10 39408].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-03-24 115560]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-24 206240]"BrStsWnd"="c:\program files (x86)\Brownie\BrstsW64.exe" [2008-09-18 967168]"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392]"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816].c:\users\mbelchik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk - c:\users\mbelchik\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 5 (0x5)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0).[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoWelcomeScreen"= 1 (0x1).[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1450960922-725345543-1675\Scripts\Logon\0\0]"Script"=\\yuroktribe.nsn.us\sysvol\yuroktribe.nsn.us\scripts\login.vbs.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1450960922-725345543-2675\Scripts\Logon\0\0]"Script"=\\yuroktribe.nsn.us\sysvol\yuroktribe.nsn.us\scripts\login.bat.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1450960922-725345543-2675\Scripts\Logon\1\0]"Script"=\\yuroktribe.nsn.us\sysvol\yuroktribe.nsn.us\scripts\login.bat.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]@="".[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]@="Service".[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]@="Service".[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]@="Service".[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001.R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys;c:\windows\SYSNATIVE\drivers\WSDScan.sys [x]S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [x]S2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [x]S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]..[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]2013-10-04 17:42 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe.Contents of the 'Scheduled Tasks' folder.2013-10-14 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 17:38].2013-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-10 05:53].2013-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-10 05:53]..--------- X64 Entries -----------..[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]2013-05-25 00:36 164016 ----a-w- c:\users\mbelchik\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]2013-05-25 00:36 164016 ----a-w- c:\users\mbelchik\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]2013-05-25 00:36 164016 ----a-w- c:\users\mbelchik\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]2013-05-25 00:36 164016 ----a-w- c:\users\mbelchik\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1692264].------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmmLocal Page = c:\windows\SysWOW64\blank.htmuInternet Settings,ProxyOverride = *.local;192.168.*.*IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000TCP: DhcpNameServer = 192.168.0.2 192.168.168.1 192.168.164.2FF - ProfilePath - c:\users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\FF - ExtSQL: 2013-09-29 09:29; {7e8a1050-cf67-4575-92df-dcc60e7d952d}; c:\users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d}.- - - - ORPHANS REMOVED - - - -.SafeBoot-Symantec AntvirusHKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - startHKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exeAddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.11".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]@Denied: (A) (Users)@Denied: (A) (Everyone)@Allowed: (B 1 2 3 4 5) (S-1-5-20)"BlindDial"=dword:00000000.[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2013-10-14 13:10:28ComboFix-quarantined-files.txt 2013-10-14 20:10.Pre-Run: 137,588,523,008 bytes freePost-Run: 137,542,221,824 bytes free.- - End Of File - - 84034A6F8F0F311A5531C56A30127562A36C5E4F47E84449FF07ED3517B43A31 Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2013 ID:741930 Share Posted October 14, 2013 OK...How is it??? MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:741938 Share Posted October 14, 2013 Getting an error message from Symantec Norton antivirus when I tried to turn it back on. First, it simply wouldn't open, so I went to restart the machine to see if that would help. Instead of restarting, there was a windows update that installed automatically (this setting is under IT's control; I can't change it). So, it updated, then upon restart; 2 parts of the endpoint protection were OK, (antivirus and network threat), but proactive threat protection says it won't start up because the definitions are out of date. It also says "TruScan has generated an error: code 9: description: Heuristic Scan or Load Failure". It is saying "Symantec endpoint protection has requested new definitions from the management server. This problem will disappear after the server responds and the update is complete"; however, there does not appear to be any action... Mr B Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2013 ID:741940 Share Posted October 14, 2013 Can't you contact Symantec or your it guys? MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:741948 Share Posted October 14, 2013 Working on the Symantec problem... Is it possible that combofix removed an updater command sequence (not sure of the vocabulary to use, but you get the point, I hope). ? Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2013 ID:741954 Share Posted October 14, 2013 If you think ComboFix caused a problem, it creates a system restore point just before it runs...please use it. MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:741972 Share Posted October 14, 2013 If I do that will it restore the virus too? Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2013 ID:741973 Share Posted October 14, 2013 No....MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:741980 Share Posted October 14, 2013 did system restore, and now Symantec works fine. Are there more steps? Or how do I know if it's truly clean from that nasty zeroaccess bug? You totally rock, man. Thanks!! MrB Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:741987 Share Posted October 14, 2013 BOOOO!!!! Symantec back to finding Trojan gen2 type viruses. Should we re-run any of these programs? Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2013 ID:742002 Share Posted October 14, 2013 Let Symantec fix it. MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 14, 2013 Author ID:742003 Share Posted October 14, 2013 Not sure what you mean, because although Symantec is finding stuff, it never did locate the original zero access Trojan like you did with those other programs. Are you saying the next step is to run a Symantec scan and use one of their removal tools, and abandon roguekiller, combofix, etc. ?Help!! thx, MrB Link to post Share on other sites More sharing options...
MrCharlie Posted October 15, 2013 ID:742013 Share Posted October 15, 2013 Run another scan with RogueKiller. MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 15, 2013 Author ID:742017 Share Posted October 15, 2013 Done, thanks for responding. RogueKiller V8.7.2 [Oct 3 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.adlice.com/forum/Website : http://www.adlice.com/softwares/roguekiller/Blog : http://tigzyrk.blogspot.com/Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : mbelchik [Admin rights]Mode : Scan -- Date : 10/14/2013 17:14:23| ARK || FAK || MBR |¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 4 ¤¤¤[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤¤¤¤ External Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts127.0.0.1 localhost192.168.164.23 domsat192.168.164.23 domsat.yuroktribe.nsn.us192.168.164.126 ytep-sql192.168.164.126 ytep-sql.yuroktribe.nsn.us192.168.168.12 fiscalsql192.168.168.1 ytmain192.168.168.1 ytmain.yuroktribe.nsn.us192.168.168.12 fiscalsql.yuroktribe.nsn.us192.168.168.4 www.myspace.com192.168.168.4 myspace.com127.0.0.1 ad.a8.net127.0.0.1 asy.a8ww.net127.0.0.1 www.abcsearcher.com #[spamdexing][Microsoft.Strider]127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]127.0.0.1 adserver.adbunker.com127.0.0.1 phpadsnew.abac.com127.0.0.1 a.abnad.net127.0.0.1 b.abnad.net127.0.0.1 c.abnad.net #[iE-SpyAd][...]¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - TOSHIBA MK2561GSYFN +++++--- User ---[MBR] f151f49702d3728140a62fbf3881ba92[bSP] 6bce99382969da86bc939937211cb209 : Windows 7/8 MBR CodePartition table:0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 MoUser = LL1 ... OK!User = LL2 ... OK!+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - Staples Relay USB Device +++++--- User ---[MBR] 2b4d681ebbcb82be2958055edccbd202[bSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR CodePartition table:0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 56 | Size: 7788 MoUser = LL1 ... OK!Error reading LL2 MBR!Finished : << RKreport[0]_S_10142013_171423.txt >>RKreport[0]_D_10102013_172655.txt;RKreport[0]_H_10102013_172734.txt;RKreport[0]_S_10102013_170002.txtRKreport[0]_S_10102013_172231.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 15, 2013 ID:742020 Share Posted October 15, 2013 It's clean...MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 15, 2013 Author ID:742022 Share Posted October 15, 2013 I cannot thank you enough, MrC. I don't have a paypal, but I'll try to get one up and running and send you something; I've been meaning to do that anyway. One final question: given the warning you sent me about the zeroaccess, should I still be nervous? Is my only absolute guarantee to wipe the system? I don't handle confidential customer data, but I do personal banking on the machine. MrB (yes, those are really my initials) Link to post Share on other sites More sharing options...
MrCharlie Posted October 15, 2013 ID:742029 Share Posted October 15, 2013 You're as clean as I can get you. Lets check your computers security before you go and we have a little cleanup to do also: Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.If you get Unsupported operating system. Aborting now, just reboot and try again.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 15, 2013 Author ID:742260 Share Posted October 15, 2013 Thank you for getting back to me. I will have to pick this up this afternoon; I have a work meeting today. Mike Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 15, 2013 Author ID:742286 Share Posted October 15, 2013 OK, meeting was canceled; I will run the software mentioned above and paste log in. Link to post Share on other sites More sharing options...
mbsouthpaw1 Posted October 15, 2013 Author ID:742289 Share Posted October 15, 2013 Ran the security check... Results of screen317's Security Check version 0.99.74 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 10 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Symantec Endpoint Protection WMI entry may not exist for antivirus; attempting automatic update.`````````Anti-malware/Other Utilities Check:````````` MVPS Hosts File Malwarebytes Anti-Malware version 1.75.0.1300 JavaFX 2.1.1 Java 6 Update 31 Java 7 Update 25 Java version out of Date! Adobe Reader 10.1.8 Adobe Reader out of Date! Mozilla Firefox 12.0 Firefox out of Date! Google Chrome 29.0.1547.76 Google Chrome 30.0.1599.69 ````````Process Check: objlist.exe by Laurent```````` Norton ccSvcHst.exe`````````````````System Health check````````````````` Total Fragmentation on Drive C: 3%````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
MrCharlie Posted October 15, 2013 ID:742292 Share Posted October 15, 2013 Out dated programs on the system are vulnerable to malware.Please update or uninstall them:--------------------------------------------Please uninstall these from your add/remove programs:JavaFX 2.1.1Java™ 6 Update 31Java 7 Update 25 <----please update, should be Update 40Java version out of Date! <--------Go to control panel > Java > Update Tab > Update NowUncheck the box to install the Ask toolbar!!! and any other free "stuff".If there's no update tab in Java, uninstall it and Download and install the latest version from HereUncheck the box to install the Ask toolbar!!! and any other free "stuff".-----------------------------------------Adobe Reader 10.1.8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).-------------------------------------Mozilla Firefox 12.0 Firefox out of Date! <----please check for an update if available~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~A little clean up to do....Please Uninstall ComboFix: (if you used it)Press the Windows logo key + R to bring up the "run box"Copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)---------------------------------If you used FRST:Download the fixlist.txt to the same folder as FRST.Run FRST and click Fix only once and waitThat will delete the quarantine folder created by FRST.The rest you can manually delete.-----------------------------Please download OTC to your desktop.http://oldtimer.geekstogo.com/OTC.exeDouble-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")Click on the CleanUp! button and follow the prompts.(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)You will be asked to reboot the machine to finish the Cleanup process, choose Yes.After the reboot all the tools we used should be gone.Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.Any other programs or logs you can manually delete.IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.-------------------------------Any questions...please post back.If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.Take a look at My Preventive Maintenance to avoid being infected again.Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
Recommended Posts