
Help With Windows Tool Malware


  • This topic is locked
36 replies to this topic

#1 gilboy7

gilboy7

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 28 February 2011 - 07:51 PM

Hi, I have been trying to remove this Windows Tool malware and have followed the steps on Bleepingcomputer's automatic removal process to no avail. I am running Vista 64 bit and using Firefox 3.6.13. Please help with removal. I have followed all the directions on the http://www.bleepingcomputer.com/virus-removal/remove-windows-tool page and am now ready for help. I will post a log:

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by admin at 16:47:54.05 on Mon 02/28/2011
Internet Explorer: 7.0.6000.16575 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3199.1611 [GMT -8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Calendar\WinCal.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Webshots\Webshots.scr
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\admin\Desktop\rkill\Download_7.0.0.538f-sdsetup-regnow201.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files (x86)\DAP\DAP.EXE
C:\Users\admin\Desktop\rkill\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z003&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
BHO: {B0D3D090-CE97-4E3E-A388-CFD55B1F5E63} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {C17590D2-ECB4-4b15-8820-F58798DCC118} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Webshots.lnk - C:\Program Files (x86)\Webshots\Launcher.exe
StartupFolder: C:\Users\admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\WINDOW~1.LNK - C:\Program Files\Windows Calendar\WinCal.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download with &DAP - C:\Program Files (x86)\DAP\dapextie.htm
IE: Download &all with DAP - C:\Program Files (x86)\DAP\dapextie2.htm
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - C:\Program Files (x86)\Bonjour\ExplorerPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
TB-X64: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
STS-X64: Windows DreamScene: {E31004D1-A431-41B8-826F-E902F9D95C81} - %SystemRoot%\System32\DreamScene.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ddkpsuh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://sn140w.snt140.mail.live.com/default.aspx?wa=wsignin1.0|http://finance.yahoo.com/|http://money.cnn.com/|https://invest.firstrade.com/cgi-bin/login?reason=6|http://seekingalpha.com/?source=refreshed|https://online.wellsfargo.com/servlet/LoadBal?screenid=SIGNON_DISPLAY&SIGNON_XCP=TIMEOUT|https://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z003&form=ZGAADF&q=
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npaxctrl.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdapop.dll
FF - plugin: C:\Users\admin\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Utopia White: {9998A493-980E-4716-81BC-F0C77001E9B7} - %profile%\extensions\{9998A493-980E-4716-81BC-F0C77001E9B7}
FF - Ext: Phoenity Next (formerly Phoenity Reborn): {069FB356-C69F-7349-D092-AB28AF836D0E} - %profile%\extensions\{069FB356-C69F-7349-D092-AB28AF836D0E}
FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}

============= SERVICES / DRIVERS ===============

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2008-2-14 55888]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-2-14 140664]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-1-24 583640]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-2-14 345464]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2006-11-1 83456]
S3 GSService;GSService;C:\Windows\SysWOW64\GSService.exe [2010-5-18 344064]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\System32\drivers\npf.sys [2007-11-6 40464]
S3 STSService;STSService;C:\Program Files (x86)\SoundTaxi Media Suite\STSService.exe [2010-4-27 344064]
S4 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-2-14 247160]
S4 EtiVoServer;EtiVoServer;C:\Program Files (x86)\EtiVoServer\EtiVoSrv.exe [2005-6-22 24576]

=============== Created Last 30 ================

2011-03-01 00:18:51 -------- d-----w- C:\Users\admin\AppData\Roaming\GetRightToGo
2011-02-28 22:39:01 -------- d-----w- C:\Users\admin\AppData\Roaming\Malwarebytes
2011-02-28 22:38:53 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-28 22:38:52 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-28 22:38:49 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-28 22:38:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-02-28 19:13:12 672256 ----a-w- C:\PROGRA~3\403125.exe
2011-02-28 18:27:32 1165824 ----a-w- C:\PROGRA~3\xhwxaNExnsjRHcn.dll
2011-02-18 18:24:54 -------- d-----w- C:\Users\admin\AppData\Roaming\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1
2011-02-18 18:24:22 -------- d-----w- C:\Program Files (x86)\Zinio Reader 4

==================== Find3M ====================

2006-05-03 10:06:54 163328 --sh--r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- C:\Windows\SysWOW64\nbDX.dll

============= FINISH: 16:48:17.34 ===============
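A small triage helper for DDS-style logs, added here as an example (it is not a BleepingComputer tool and not something the poster ran). It splits a DDS log into its "=== section ===" blocks and flags the entries a malware responder would read first: add-ons whose DLL is gone ("No File"), `EnableLUA = 0` (UAC switched off machine-wide), newly created files under ProgramData with random-looking names, and system DLLs carrying hidden+system attributes. The sample log is constructed from lines in the two DDS logs in this thread; the random-name heuristic and the ProgramData prefixes are assumptions of this example.

```python
"""Triage helper for DDS-style logs (added example, not a BleepingComputer tool)."""
import re

# Constructed sample: a handful of lines copied from the two DDS logs in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z003&form=ZGAPHP
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
BHO: {B0D3D090-CE97-4E3E-A388-CFD55B1F5E63} - No File
TB: {C17590D2-ECB4-4b15-8820-F58798DCC118} - No File
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

=============== Created Last 30 ================

2011-02-28 22:38:52 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-28 22:38:49 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-28 19:13:12 672256 ----a-w- C:\PROGRA~3\403125.exe
2011-02-28 18:27:32 1165824 ----a-w- C:\PROGRA~3\xhwxaNExnsjRHcn.dll
2011-03-04 20:46:30 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{004D9C88-5848-487F-92A2-5BE5D88E5F14}\mpengine.dll

==================== Find3M ====================

2006-05-03 10:06:54 163328 --sh--r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- C:\Windows\SysWOW64\msfDX.dll

============= FINISH: 16:48:17.34 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS file lines: date time size attributes path (size is '--------' for directories)
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (\S+) (\S{8}) (.+)$")
POLICY_RE = re.compile(r"^[um]Policies-(\w+): (\w+) = (\d+)")
# Assumption: how DDS prints the ProgramData folder on Vista/7 (8.3 short name or long name).
PROGRAMDATA_PREFIXES = ("c:\\progra~3\\", "c:\\programdata\\")


def split_sections(text):
    """Map each '=== Title ===' header to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def looks_random(stem):
    """Assumed heuristic for dropper-style names: all digits, or many upper/lower flips."""
    if stem.isdigit():
        return True
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips >= 4


def triage(text):
    """Return (category, detail) findings in the order they appear in the log."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):
            findings.append(("orphaned-addon", line))
        m = POLICY_RE.match(line)
        if m and m.group(2) == "EnableLUA" and m.group(3) == "0":
            findings.append(("uac-disabled", line))
    for title in ("Created Last 30", "Find3M"):
        for line in sections.get(title, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, path = m.group(4), m.group(5)
            name = path.rsplit("\\", 1)[-1]
            stem = name.rsplit(".", 1)[0]
            is_dir = attrs.startswith("d")
            if (not is_dir and path.lower().startswith(PROGRAMDATA_PREFIXES)
                    and looks_random(stem)):
                findings.append(("random-name-in-programdata", path))
            # attribute columns 3-4 are the system and hidden flags ('--sh--r-')
            if not is_dir and attrs[2:4] == "sh":
                findings.append(("hidden-system-file", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

A flag is a prompt to look closer, not a verdict: avast's own hidden driver files and legitimate 8.3 short names also match simple heuristics, so each hit still needs a responder's eye.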



#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:12:25 PM

Posted 08 March 2011 - 08:33 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 gilboy7

gilboy7
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 08 March 2011 - 10:40 AM

Hi Casey_boy, thanks for the reply. I have partially resolved the Windows Tool problem I was having by taking the following steps: I found that the program created a new user profile and was accessing my computer through that user, so I deleted that profile. After doing that I did not get the black screen at startup that would only go away after I ran the fake defragmenter. However, the tool did continue to show up on the desktop and would run at every startup. I continued to use rkill and MBAM whenever I would use my machine, and every time the same 3 trojans were found. I then updated Windows using the Windows Defender program and now the Windows Tool does not run at all, although the trojans are still on my computer and Avast will occasionally find them and warn that they cannot be removed as they are being used by a process.
Please help me to get rid of these trojans once and for all.
Here is the new log you requested:


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by admin at 7:28:39.91 on Tue 03/08/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3199.1898 [GMT -8:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Calendar\WinCal.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Webshots\Webshots.scr
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\admin\Desktop\rkill\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z003&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
BHO: {B0D3D090-CE97-4E3E-A388-CFD55B1F5E63} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {C17590D2-ECB4-4b15-8820-F58798DCC118} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Webshots.lnk - C:\Program Files (x86)\Webshots\Launcher.exe
StartupFolder: C:\Users\admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\WINDOW~1.LNK - C:\Program Files\Windows Calendar\WinCal.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: &Download with &DAP - C:\Program Files (x86)\DAP\dapextie.htm
IE: Download &all with DAP - C:\Program Files (x86)\DAP\dapextie2.htm
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - C:\Program Files (x86)\Bonjour\ExplorerPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - C:\PROGRA~2\DAP\dapie.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File
TB-X64: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
STS-X64: Windows DreamScene: {E31004D1-A431-41B8-826F-E902F9D95C81} - %SystemRoot%\System32\DreamScene.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ddkpsuh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://sn140w.snt140.mail.live.com/default.aspx?wa=wsignin1.0|http://finance.yahoo.com/|http://money.cnn.com/|https://invest.firstrade.com/cgi-bin/login?reason=6|http://seekingalpha.com/?source=refreshed|https://online.wellsfargo.com/servlet/LoadBal?screenid=SIGNON_DISPLAY&SIGNON_XCP=TIMEOUT|https://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z003&form=ZGAADF&q=
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npaxctrl.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdapop.dll
FF - plugin: C:\Users\admin\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Utopia White: {9998A493-980E-4716-81BC-F0C77001E9B7} - %profile%\extensions\{9998A493-980E-4716-81BC-F0C77001E9B7}
FF - Ext: Phoenity Next (formerly Phoenity Reborn): {069FB356-C69F-7349-D092-AB28AF836D0E} - %profile%\extensions\{069FB356-C69F-7349-D092-AB28AF836D0E}
FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}

============= SERVICES / DRIVERS ===============

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2008-2-14 55888]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-2-14 140664]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-1-24 583640]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-2-14 345464]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2011-3-4 93184]
S3 GSService;GSService;C:\Windows\SysWOW64\GSService.exe [2010-5-18 344064]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\System32\drivers\npf.sys [2007-11-6 40464]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2011-3-3 31800]
S3 STSService;STSService;C:\Program Files (x86)\SoundTaxi Media Suite\STSService.exe [2010-4-27 344064]
S4 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-2-14 247160]
S4 EtiVoServer;EtiVoServer;C:\Program Files (x86)\EtiVoServer\EtiVoSrv.exe [2005-6-22 24576]

=============== Created Last 30 ================

2011-03-04 23:48:40 114176 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-03-04 23:48:39 27648 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-03-04 23:48:39 24576 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2011-03-04 23:48:00 54272 ----a-w- C:\Windows\System32\iyuv_32.dll
2011-03-04 23:48:00 50176 ----a-w- C:\Windows\SysWow64\iyuv_32.dll
2011-03-04 23:48:00 25600 ----a-w- C:\Windows\System32\msyuv.dll
2011-03-04 23:48:00 22528 ----a-w- C:\Windows\SysWow64\msyuv.dll
2011-03-04 23:48:00 11776 ----a-w- C:\Windows\SysWow64\tsbyuv.dll
2011-03-04 23:46:20 97280 ----a-w- C:\Windows\System32\fontsub.dll
2011-03-04 23:46:20 72704 ----a-w- C:\Windows\SysWow64\fontsub.dll
2011-03-04 23:46:20 48128 ----a-w- C:\Windows\System32\atmlib.dll
2011-03-04 23:46:20 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-03-04 23:46:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-03-04 23:46:20 33280 ----a-w- C:\Windows\System32\lpk.dll
2011-03-04 23:46:20 289792 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-03-04 23:46:20 24064 ----a-w- C:\Windows\SysWow64\lpk.dll
2011-03-04 23:46:20 14336 ----a-w- C:\Windows\System32\dciman32.dll
2011-03-04 23:46:20 10240 ----a-w- C:\Windows\SysWow64\dciman32.dll
2011-03-04 23:46:19 188416 ----a-w- C:\Windows\System32\t2embed.dll
2011-03-04 23:46:19 156672 ----a-w- C:\Windows\SysWow64\t2embed.dll
2011-03-04 23:45:33 836608 ----a-w- C:\Windows\System32\localspl.dll
2011-03-04 23:45:33 696832 ----a-w- C:\Windows\SysWow64\localspl.dll
2011-03-04 23:44:50 672256 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2011-03-04 23:44:50 1260544 ----a-w- C:\Windows\System32\rpcrt4.dll
2011-03-04 23:43:56 658944 ----a-w- C:\Windows\System32\kerberos.dll
2011-03-04 23:43:56 494592 ----a-w- C:\Windows\SysWow64\kerberos.dll
2011-03-04 23:43:55 343040 ----a-w- C:\Windows\System32\schannel.dll
2011-03-04 23:43:55 272384 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-03-04 23:43:04 29696 ----a-w- C:\Windows\System32\drivers\tunnel.sys
2011-03-04 23:43:04 199168 ----a-w- C:\Windows\System32\iphlpsvc.dll
2011-03-04 23:43:04 18432 ----a-w- C:\Windows\System32\drivers\TUNMP.SYS
2011-03-04 23:43:03 25600 ----a-w- C:\Windows\System32\netiougc.exe
2011-03-04 23:43:03 232960 ----a-w- C:\Windows\System32\tcpipcfg.dll
2011-03-04 23:43:03 22016 ----a-w- C:\Windows\SysWow64\netiougc.exe
2011-03-04 23:43:03 167424 ----a-w- C:\Windows\SysWow64\tcpipcfg.dll
2011-03-04 23:43:03 1200640 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-03-04 23:41:00 399872 ----a-w- C:\Windows\System32\WSDApi.dll
2011-03-04 23:41:00 321536 ----a-w- C:\Windows\SysWow64\WSDApi.dll
2011-03-04 23:37:43 817152 ----a-w- C:\Windows\System32\WMSPDMOD.DLL
2011-03-04 23:37:43 604672 ----a-w- C:\Windows\SysWow64\WMSPDMOD.DLL
2011-03-04 23:36:02 1937408 ----a-w- C:\Windows\System32\setupapi.dll
2011-03-04 23:36:01 1585664 ----a-w- C:\Windows\SysWow64\setupapi.dll
2011-03-04 23:33:44 664064 ----a-w- C:\Windows\System32\win32spl.dll
2011-03-04 23:33:44 44544 ----a-w- C:\Windows\System32\printcom.dll
2011-03-04 23:33:44 441856 ----a-w- C:\Windows\SysWow64\win32spl.dll
2011-03-04 23:33:44 37376 ----a-w- C:\Windows\SysWow64\printcom.dll
2011-03-04 23:33:12 439296 ----a-w- C:\Windows\System32\winhttp.dll
2011-03-04 23:33:12 376832 ----a-w- C:\Windows\SysWow64\winhttp.dll
2011-03-04 23:32:10 2758656 ----a-w- C:\Windows\System32\win32k.sys
2011-03-04 23:31:34 79360 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-03-04 23:31:34 272896 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-03-04 23:31:34 134144 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-03-04 23:30:59 4424072 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-03-04 23:29:43 287744 ----a-w- C:\Windows\System32\raschap.dll
2011-03-04 23:29:43 274432 ----a-w- C:\Windows\SysWow64\raschap.dll
2011-03-04 23:29:42 267264 ----a-w- C:\Windows\System32\rastls.dll
2011-03-04 23:29:42 232960 ----a-w- C:\Windows\SysWow64\rastls.dll
2011-03-04 23:29:04 25600 ----a-w- C:\Windows\SysWow64\amxread.dll
2011-03-04 23:29:04 25600 ----a-w- C:\Windows\System32\amxread.dll
2011-03-04 23:29:04 15872 ----a-w- C:\Windows\System32\apilogen.dll
2011-03-04 23:29:04 14848 ----a-w- C:\Windows\SysWow64\apilogen.dll
2011-03-04 23:28:28 379392 ----a-w- C:\Windows\System32\gdi32.dll
2011-03-04 23:28:28 303616 ----a-w- C:\Windows\SysWow64\gdi32.dll
2011-03-04 23:26:59 1963520 ----a-w- C:\Windows\SysWow64\NlsData001a.dll
2011-03-04 23:20:20 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-03-04 23:20:19 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-03-04 23:19:26 461824 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-03-04 23:19:26 118272 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-03-04 23:18:54 84480 ----a-w- C:\Windows\SysWow64\INETRES.dll
2011-03-04 23:18:53 996352 ----a-w- C:\Windows\System32\inetcomm.dll
2011-03-04 23:18:53 84480 ----a-w- C:\Windows\System32\INETRES.dll
2011-03-04 23:18:53 737792 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-04 22:48:07 361472 ----a-w- C:\Windows\System32\es.dll
2011-03-04 22:48:07 268800 ----a-w- C:\Windows\SysWow64\es.dll
2011-03-04 20:46:30 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{004D9C88-5848-487F-92A2-5BE5D88E5F14}\mpengine.dll
2011-03-04 20:17:11 -------- d-----w- C:\fa6deea3390c9ceb3f2969
2011-03-04 19:14:47 96760 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-03-04 19:14:47 112120 ----a-w- C:\Windows\System32\dfshim.dll
2011-03-04 19:14:46 41984 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2011-03-04 19:14:46 13824 ----a-w- C:\Windows\System32\netfxperf.dll
2011-03-04 19:14:41 406528 ----a-w- C:\Windows\System32\mscoree.dll
2011-03-04 19:14:41 282112 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-03-04 19:14:40 83968 ----a-w- C:\Windows\SysWow64\mscories.dll
2011-03-04 19:14:40 76288 ----a-w- C:\Windows\System32\mscories.dll
2011-03-04 19:14:40 158720 ----a-w- C:\Windows\SysWow64\mscorier.dll
2011-03-04 19:14:40 158208 ----a-w- C:\Windows\System32\mscorier.dll
2011-03-04 18:55:40 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2011-03-04 18:55:40 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2011-03-04 18:55:40 1902080 ----a-w- C:\Windows\System32\msxml3.dll
2011-03-04 18:55:40 1260032 ----a-w- C:\Windows\SysWow64\msxml3.dll
2011-03-04 18:55:39 2048 ----a-w- C:\Windows\SysWow64\msxml6r.dll
2011-03-04 18:55:39 1406464 ----a-w- C:\Windows\SysWow64\msxml6.dll
2011-03-04 18:55:38 2048 ----a-w- C:\Windows\System32\msxml6r.dll
2011-03-04 18:55:38 1827328 ----a-w- C:\Windows\System32\msxml6.dll
2011-03-04 18:54:11 36352 ----a-w- C:\Windows\SysWow64\tsgqec.dll
2011-03-04 18:54:11 1871872 ----a-w- C:\Windows\SysWow64\mstscax.dll
2011-03-04 18:54:11 116736 ----a-w- C:\Windows\SysWow64\aaclient.dll
2011-03-04 18:54:10 27648 ----a-w- C:\Windows\System32\tsgqec.dll
2011-03-04 18:54:10 2194432 ----a-w- C:\Windows\System32\mstscax.dll
2011-03-04 18:54:10 130048 ----a-w- C:\Windows\System32\aaclient.dll
2011-03-04 18:52:51 61440 ----a-w- C:\Windows\SysWow64\winipsec.dll
2011-03-04 18:52:51 49152 ----a-w- C:\Windows\System32\FwRemoteSvr.dll
2011-03-04 18:52:51 28672 ----a-w- C:\Windows\SysWow64\FwRemoteSvr.dll
2011-03-04 18:52:51 272896 ----a-w- C:\Windows\SysWow64\polstore.dll
2011-03-04 18:52:50 523264 ----a-w- C:\Windows\System32\IPSECSVC.DLL
2011-03-04 18:52:50 379904 ----a-w- C:\Windows\System32\polstore.dll
2011-03-04 18:52:50 100352 ----a-w- C:\Windows\System32\winipsec.dll
2011-03-04 18:49:29 604160 ----a-w- C:\Windows\System32\drivers\http.sys
2011-03-04 18:49:29 33792 ----a-w- C:\Windows\System32\httpapi.dll
2011-03-04 18:49:29 32768 ----a-w- C:\Windows\System32\nshhttp.dll
2011-03-04 18:49:29 31232 ----a-w- C:\Windows\SysWow64\httpapi.dll
2011-03-04 18:49:29 24064 ----a-w- C:\Windows\SysWow64\nshhttp.dll
2011-03-04 18:43:11 89088 ----a-w- C:\Windows\System32\admparse.dll
2011-03-04 18:38:38 2923520 ----a-w- C:\Windows\SysWow64\explorer.exe
2011-03-04 18:38:37 3087360 ----a-w- C:\Windows\explorer.exe
2011-03-04 18:34:16 9728 ----a-w- C:\Windows\System32\lsass.exe
2011-03-04 18:34:16 95232 ----a-w- C:\Windows\System32\secur32.dll
2011-03-04 18:34:16 77312 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-03-04 18:34:16 479816 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2011-03-04 18:34:16 270336 ----a-w- C:\Windows\System32\msv1_0.dll
2011-03-04 18:34:16 216576 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2011-03-04 18:34:16 205824 ----a-w- C:\Windows\System32\wdigest.dll
2011-03-04 18:34:16 175104 ----a-w- C:\Windows\SysWow64\wdigest.dll
2011-03-04 18:34:16 1664000 ----a-w- C:\Windows\System32\lsasrv.dll
2011-03-04 18:33:35 88576 ----a-w- C:\Windows\System32\atl.dll
2011-03-04 18:33:35 71680 ----a-w- C:\Windows\SysWow64\atl.dll
2011-03-04 18:33:03 562176 ----a-w- C:\Windows\System32\wmpeffects.dll
2011-03-04 18:33:03 303616 ----a-w- C:\Windows\SysWow64\wmpeffects.dll
2011-03-04 18:30:39 162304 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-03-04 18:29:50 94720 ----a-w- C:\Windows\SysWow64\logagent.exe
2011-03-04 18:29:50 112640 ----a-w- C:\Windows\System32\logagent.exe
2011-03-04 18:29:49 996352 ----a-w- C:\Windows\SysWow64\WMNetMgr.dll
2011-03-04 18:29:49 1245184 ----a-w- C:\Windows\System32\WMNetMgr.dll
2011-03-04 18:26:14 14848 ----a-w- C:\Windows\SysWow64\wshrm.dll
2011-03-04 18:26:13 17408 ----a-w- C:\Windows\System32\wshrm.dll
2011-03-04 18:26:13 140288 ----a-w- C:\Windows\System32\drivers\rmcast.sys
2011-03-04 18:25:42 84480 ----a-w- C:\Windows\System32\msasn1.dll
2011-03-04 18:25:42 60928 ----a-w- C:\Windows\SysWow64\msasn1.dll
2011-03-04 18:24:41 199680 ----a-w- C:\Windows\System32\wkssvc.dll
2011-03-04 18:24:07 97792 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-03-04 18:24:07 104448 ----a-w- C:\Windows\System32\cabview.dll
2011-03-04 18:23:33 220672 ----a-w- C:\Windows\System32\wintrust.dll
2011-03-04 18:23:33 171520 ----a-w- C:\Windows\SysWow64\wintrust.dll
2011-03-04 18:23:06 109568 ----a-w- C:\Windows\System32\poqexec.exe
2011-03-04 18:22:41 679936 ----a-w- C:\Windows\System32\msdtcprx.dll
2011-03-04 18:22:41 500736 ----a-w- C:\Windows\SysWow64\msdtcprx.dll
2011-03-04 18:22:41 38400 ----a-w- C:\Windows\System32\xolehlp.dll
2011-03-04 18:22:41 30208 ----a-w- C:\Windows\SysWow64\xolehlp.dll
2011-03-04 18:22:09 72192 ----a-w- C:\Windows\System32\l3codeca.acm
2011-03-04 18:22:09 62464 ----a-w- C:\Windows\SysWow64\l3codeca.acm
2011-03-04 18:22:09 220672 ----a-w- C:\Windows\SysWow64\l3codecp.acm
2011-03-04 18:22:09 181760 ----a-w- C:\Windows\System32\l3codecp.acm
2011-03-04 18:21:34 30208 ----a-w- C:\Windows\System32\netcfg.exe
2011-03-04 18:21:00 8147968 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2011-03-04 18:19:16 585728 ----a-w- C:\Program Files\Common Files\System\msadc\msadce.dll
2011-03-04 18:19:16 454656 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadce.dll
2011-03-04 18:16:09 211456 ----a-w- C:\Windows\System32\WebClnt.dll
2011-03-04 18:16:09 194560 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2011-03-04 18:16:09 134144 ----a-w- C:\Windows\System32\drivers\mrxdav.sys
2011-03-04 18:14:30 150528 ----a-w- C:\Program Files\Movie Maker\MOVIEMK.exe
2011-03-04 18:14:24 336384 ----a-w- C:\Program Files\Movie Maker\WMM2AE.dll
2011-03-04 18:14:24 26624 ----a-w- C:\Program Files\Movie Maker\WMM2EXT.dll
2011-03-04 18:14:24 16354304 ----a-w- C:\Program Files\Movie Maker\MOVIEMK.dll
2011-03-04 16:41:05 2621440 ----a-w- C:\Windows\System32\wucltux.dll
2011-03-04 16:40:12 98816 ----a-w- C:\Windows\System32\wudriver.dll
2011-03-04 16:40:12 87552 ----a-w- C:\Windows\SysWow64\wudriver.dll
2011-03-04 16:38:50 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-03-04 16:38:50 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2011-03-04 16:38:50 185416 ----a-w- C:\Windows\System32\wuwebv.dll
2011-03-04 16:38:50 171608 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2011-03-04 00:13:47 -------- d-----w- C:\Users\admin\AppData\Local\VS Revo Group
2011-03-04 00:13:42 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
2011-03-04 00:13:37 -------- d-----w- C:\Program Files\VS Revo Group
2011-03-03 01:08:02 37688 ----a-w- C:\Windows\System32\drivers\sbapifs.sys
2011-03-03 01:06:30 -------- d-----w- C:\Users\admin\AppData\Roaming\Sunbelt Software
2011-03-03 00:47:27 0 ----a-w- C:\Windows\SysWow64\sys_dll.dll
2011-03-02 21:06:30 6 ----a-w- C:\Windows\dcstds3.dll
2011-03-02 21:02:55 -------- d-----w- C:\Program Files (x86)\TDS3
2011-03-01 00:18:51 -------- d-----w- C:\Users\admin\AppData\Roaming\GetRightToGo
2011-02-28 22:39:01 -------- d-----w- C:\Users\admin\AppData\Roaming\Malwarebytes
2011-02-28 22:38:53 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-28 22:38:52 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-28 22:38:49 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-28 22:38:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-02-28 18:27:32 1165824 ------w- C:\PROGRA~3\xhwxaNExnsjRHcn.dll
2011-02-18 18:24:54 -------- d-----w- C:\Users\admin\AppData\Roaming\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1
2011-02-18 18:24:22 -------- d-----w- C:\Program Files (x86)\Zinio Reader 4

==================== Find3M ====================

2011-03-04 23:48:00 13824 ----a-w- C:\Windows\System32\tsbyuv.dll
2011-03-04 23:35:28 957624 ----a-w- C:\Windows\System32\winresume.exe
2011-03-04 23:29:04 55296 ----a-w- C:\Windows\apppatch\AppPatch64\apihex64.dll
2011-03-04 23:29:04 40960 ----a-w- C:\Windows\apppatch\apihex86.dll
2011-03-04 23:26:59 1963520 ----a-w- C:\Windows\SysWow64\NlsData001b.dll
2011-03-04 19:50:10 382846753 ----a-w- C:\Windows\DUMP73e7.tmp
2011-03-04 18:46:20 724992 ----a-w- C:\Windows\System32\rpcss.dll
2011-03-04 18:43:11 72704 ----a-w- C:\Windows\SysWow64\admparse.dll
2011-03-04 18:43:10 32768 ----a-w- C:\Windows\System32\ieUnatt.exe
2011-03-04 18:43:09 26624 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2011-03-04 18:43:07 52736 ----a-w- C:\Windows\apppatch\iebrshim.dll
2011-03-04 18:43:07 145408 ----a-w- C:\Windows\apppatch\AppPatch64\iebrshim.dll
2011-03-04 18:43:06 832512 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-03-04 18:43:06 1042432 ----a-w- C:\Windows\System32\wininet.dll
2011-03-04 18:42:58 485376 ----a-w- C:\Windows\System32\html.iec
2011-03-04 18:42:58 389120 ----a-w- C:\Windows\SysWow64\html.iec
2011-03-04 18:42:57 86528 ----a-w- C:\Windows\System32\ieencode.dll
2011-03-04 18:42:57 78336 ----a-w- C:\Windows\SysWow64\ieencode.dll
2011-03-04 18:42:57 48128 ----a-w- C:\Windows\SysWow64\mshtmler.dll
2011-03-04 18:42:57 48128 ----a-w- C:\Windows\System32\mshtmler.dll
2011-03-04 18:42:56 1383424 ----a-w- C:\Windows\System32\mshtml.tlb
2011-03-04 18:42:55 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-03-04 18:42:51 1830912 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-03-04 18:42:50 2076672 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-03-04 18:42:46 69120 ----a-w- C:\Windows\System32\iesetup.dll
2011-03-04 18:42:46 56320 ----a-w- C:\Windows\SysWow64\iesetup.dll
2011-03-04 18:35:51 616448 ----a-w- C:\Windows\System32\vbscript.dll
2011-03-04 18:35:51 434176 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-03-04 18:35:08 60416 ----a-w- C:\Windows\System32\rrinstaller.exe
2011-03-04 18:35:08 3532800 ----a-w- C:\Windows\System32\mf.dll
2011-03-04 18:35:08 2048 ----a-w- C:\Windows\System32\mferror.dll
2011-03-04 18:35:08 194560 ----a-w- C:\Windows\System32\mfps.dll
2011-03-04 18:35:07 98816 ----a-w- C:\Windows\SysWow64\mfps.dll
2011-03-04 18:35:07 52736 ----a-w- C:\Windows\SysWow64\rrinstaller.exe
2011-03-04 18:35:07 34304 ----a-w- C:\Windows\System32\mfpmp.exe
2011-03-04 18:35:07 2855424 ----a-w- C:\Windows\SysWow64\mf.dll
2011-03-04 18:35:07 24576 ----a-w- C:\Windows\SysWow64\mfpmp.exe
2011-03-04 18:35:07 2048 ----a-w- C:\Windows\SysWow64\mferror.dll
2011-03-04 18:20:59 7680 ----a-w- C:\Windows\SysWow64\spwmp.dll
2011-03-04 18:20:59 4096 ----a-w- C:\Windows\SysWow64\msdxm.ocx
2011-03-04 18:20:59 4096 ----a-w- C:\Windows\SysWow64\dxmasf.dll
2011-03-04 18:20:58 8148480 ----a-w- C:\Windows\System32\wmploc.DLL
2011-03-04 18:20:57 9216 ----a-w- C:\Windows\System32\spwmp.dll
2011-03-04 18:20:57 5120 ----a-w- C:\Windows\System32\dxmasf.dll
2011-03-04 18:20:56 5120 ----a-w- C:\Windows\System32\msdxm.ocx
2011-03-04 18:20:49 43520 ----a-w- C:\Windows\SysWow64\msdxm.tlb
2011-03-04 18:20:49 43520 ----a-w- C:\Windows\System32\msdxm.tlb
2011-03-04 18:20:49 368128 ----a-w- C:\Windows\System32\wmpdxm.dll
2011-03-04 18:20:49 313344 ----a-w- C:\Windows\SysWow64\wmpdxm.dll
2011-03-04 18:20:49 18432 ----a-w- C:\Windows\SysWow64\amcompat.tlb
2011-03-04 18:20:49 18432 ----a-w- C:\Windows\System32\amcompat.tlb
2011-03-04 18:15:49 67584 ----a-w- C:\Windows\SysWow64\wlanhlp.dll
2011-03-04 18:15:49 47104 ----a-w- C:\Windows\SysWow64\wlanapi.dll
2011-03-04 18:15:49 297984 ----a-w- C:\Windows\SysWow64\wlansec.dll
2011-03-04 18:15:49 290816 ----a-w- C:\Windows\SysWow64\wlanmsm.dll
2011-03-04 18:15:49 154624 ----a-w- C:\Windows\System32\L2SecHC.dll
2011-03-04 18:15:49 123904 ----a-w- C:\Windows\SysWow64\L2SecHC.dll
2011-03-04 18:15:48 97792 ----a-w- C:\Windows\System32\wlanhlp.dll
2011-03-04 18:15:48 62976 ----a-w- C:\Windows\System32\wlanapi.dll
2011-03-04 18:15:48 603136 ----a-w- C:\Windows\System32\wlansvc.dll
2011-03-04 18:15:48 372736 ----a-w- C:\Windows\System32\wlansec.dll
2011-03-04 18:15:48 350208 ----a-w- C:\Windows\System32\wlanmsm.dll
2011-02-03 01:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2006-05-03 10:06:54 163328 --sha-r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 11:47:16 31232 --sha-r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 13:30:52 216064 --sha-r- C:\Windows\SysWOW64\nbDX.dll

============= FINISH: 7:29:40.62 ===============

#4 etavares (Bleepin' Remover, Malware Response Team)

Posted 09 March 2011 - 04:31 PM

Hello, gilboy7.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 gilboy7 (Topic Starter, Members)

Posted 10 March 2011 - 12:52 PM

Hi etavares, thanks for the help! I ran ComboFix as you told me and here is the log. I did have one thing occur during ComboFix's attempt to write the log file once it was finished with the scan: a 'no disc' error message box appeared, and ComboFix would not continue until I opened the Task Manager and closed the error message box. I attached a screen capture of the error message.


ComboFix 11-03-09.05 - admin 03/10/2011 8:59.2.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3199.1924 [GMT -8:00]
Running from: c:\users\admin\Desktop\etavaresCF.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbar.dll
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\programdata\xhwxaNExnsjRHcn.dll
c:\windows\dcstds3.dll
c:\windows\SysWow64\sys_dll.dll
F:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-10 17:08 . 2011-03-10 17:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-10 16:03 . 2011-03-10 16:08 -------- d-----w- C:\ComboFix
2011-03-08 23:04 . 2011-03-08 23:05 -------- d-----w- c:\program files (x86)\Ask.com
2011-03-04 23:48 . 2011-03-04 23:48 114176 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-04 23:48 . 2011-03-04 23:48 27648 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-04 23:48 . 2011-03-04 23:48 24576 ----a-w- c:\windows\SysWow64\dnscacheugc.exe
2011-03-04 23:48 . 2011-03-04 23:48 54272 ----a-w- c:\windows\system32\iyuv_32.dll
2011-03-04 23:48 . 2011-03-04 23:48 50176 ----a-w- c:\windows\SysWow64\iyuv_32.dll
2011-03-04 23:48 . 2011-03-04 23:48 25600 ----a-w- c:\windows\system32\msyuv.dll
2011-03-04 23:48 . 2011-03-04 23:48 22528 ----a-w- c:\windows\SysWow64\msyuv.dll
2011-03-04 23:48 . 2011-03-04 23:48 11776 ----a-w- c:\windows\SysWow64\tsbyuv.dll
2011-03-04 23:46 . 2011-03-04 23:46 97280 ----a-w- c:\windows\system32\fontsub.dll
2011-03-04 23:46 . 2011-03-04 23:46 72704 ----a-w- c:\windows\SysWow64\fontsub.dll
2011-03-04 23:46 . 2011-03-04 23:46 48128 ----a-w- c:\windows\system32\atmlib.dll
2011-03-04 23:46 . 2011-03-04 23:46 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-03-04 23:46 . 2011-03-04 23:46 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-03-04 23:46 . 2011-03-04 23:46 33280 ----a-w- c:\windows\system32\lpk.dll
2011-03-04 23:46 . 2011-03-04 23:46 289792 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-03-04 23:46 . 2011-03-04 23:46 24064 ----a-w- c:\windows\SysWow64\lpk.dll
2011-03-04 23:46 . 2011-03-04 23:46 14336 ----a-w- c:\windows\system32\dciman32.dll
2011-03-04 23:46 . 2011-03-04 23:46 10240 ----a-w- c:\windows\SysWow64\dciman32.dll
2011-03-04 23:46 . 2011-03-04 23:46 188416 ----a-w- c:\windows\system32\t2embed.dll
2011-03-04 23:46 . 2011-03-04 23:46 156672 ----a-w- c:\windows\SysWow64\t2embed.dll
2011-03-04 23:45 . 2011-03-04 23:45 836608 ----a-w- c:\windows\system32\localspl.dll
2011-03-04 23:45 . 2011-03-04 23:45 696832 ----a-w- c:\windows\SysWow64\localspl.dll
2011-03-04 23:44 . 2011-03-04 23:44 672256 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2011-03-04 23:44 . 2011-03-04 23:44 1260544 ----a-w- c:\windows\system32\rpcrt4.dll
2011-03-04 23:43 . 2011-03-04 23:43 658944 ----a-w- c:\windows\system32\kerberos.dll
2011-03-04 23:43 . 2011-03-04 23:43 494592 ----a-w- c:\windows\SysWow64\kerberos.dll
2011-03-04 23:43 . 2011-03-04 23:43 343040 ----a-w- c:\windows\system32\schannel.dll
2011-03-04 23:43 . 2011-03-04 23:43 272384 ----a-w- c:\windows\SysWow64\schannel.dll
2011-03-04 23:43 . 2011-03-04 23:43 29696 ----a-w- c:\windows\system32\drivers\tunnel.sys
2011-03-04 23:43 . 2011-03-04 23:43 199168 ----a-w- c:\windows\system32\iphlpsvc.dll
2011-03-04 23:43 . 2011-03-04 23:43 18432 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2011-03-04 23:43 . 2011-03-04 23:43 25600 ----a-w- c:\windows\system32\netiougc.exe
2011-03-04 23:43 . 2011-03-04 23:43 232960 ----a-w- c:\windows\system32\tcpipcfg.dll
2011-03-04 23:43 . 2011-03-04 23:43 22016 ----a-w- c:\windows\SysWow64\netiougc.exe
2011-03-04 23:43 . 2011-03-04 23:43 167424 ----a-w- c:\windows\SysWow64\tcpipcfg.dll
2011-03-04 23:43 . 2011-03-04 23:43 1200640 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-03-04 23:41 . 2011-03-04 23:41 399872 ----a-w- c:\windows\system32\WSDApi.dll
2011-03-04 23:41 . 2011-03-04 23:41 321536 ----a-w- c:\windows\SysWow64\WSDApi.dll
2011-03-04 23:37 . 2011-03-04 23:37 817152 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2011-03-04 23:37 . 2011-03-04 23:37 604672 ----a-w- c:\windows\SysWow64\WMSPDMOD.DLL
2011-03-04 23:36 . 2011-03-04 23:36 1937408 ----a-w- c:\windows\system32\setupapi.dll
2011-03-04 23:36 . 2011-03-04 23:36 1585664 ----a-w- c:\windows\SysWow64\setupapi.dll
2011-03-04 23:33 . 2011-03-04 23:33 664064 ----a-w- c:\windows\system32\win32spl.dll
2011-03-04 23:33 . 2011-03-04 23:33 44544 ----a-w- c:\windows\system32\printcom.dll
2011-03-04 23:33 . 2011-03-04 23:33 441856 ----a-w- c:\windows\SysWow64\win32spl.dll
2011-03-04 23:33 . 2011-03-04 23:33 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2011-03-04 23:33 . 2011-03-04 23:33 439296 ----a-w- c:\windows\system32\winhttp.dll
2011-03-04 23:33 . 2011-03-04 23:33 376832 ----a-w- c:\windows\SysWow64\winhttp.dll
2011-03-04 23:32 . 2011-03-04 23:32 2758656 ----a-w- c:\windows\system32\win32k.sys
2011-03-04 23:31 . 2011-03-04 23:31 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-03-04 23:31 . 2011-03-04 23:31 272896 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-03-04 23:31 . 2011-03-04 23:31 134144 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-03-04 23:30 . 2011-03-04 23:30 4424072 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-03-04 23:29 . 2011-03-04 23:29 287744 ----a-w- c:\windows\system32\raschap.dll
2011-03-04 23:29 . 2011-03-04 23:29 274432 ----a-w- c:\windows\SysWow64\raschap.dll
2011-03-04 23:29 . 2011-03-04 23:29 267264 ----a-w- c:\windows\system32\rastls.dll
2011-03-04 23:29 . 2011-03-04 23:29 232960 ----a-w- c:\windows\SysWow64\rastls.dll
2011-03-04 23:29 . 2011-03-04 23:29 25600 ----a-w- c:\windows\SysWow64\amxread.dll
2011-03-04 23:29 . 2011-03-04 23:29 25600 ----a-w- c:\windows\system32\amxread.dll
2011-03-04 23:29 . 2011-03-04 23:29 15872 ----a-w- c:\windows\system32\apilogen.dll
2011-03-04 23:29 . 2011-03-04 23:29 14848 ----a-w- c:\windows\SysWow64\apilogen.dll
2011-03-04 23:28 . 2011-03-04 23:28 379392 ----a-w- c:\windows\system32\gdi32.dll
2011-03-04 23:28 . 2011-03-04 23:28 303616 ----a-w- c:\windows\SysWow64\gdi32.dll
2011-03-04 23:26 . 2011-03-04 23:26 1963520 ----a-w- c:\windows\SysWow64\NlsData001a.dll
2011-03-04 23:20 . 2011-03-04 23:20 2048 ----a-w- c:\windows\system32\tzres.dll
2011-03-04 23:20 . 2011-03-04 23:20 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-03-04 23:19 . 2011-03-04 23:19 461824 ----a-w- c:\windows\system32\drivers\srv.sys
2011-03-04 23:19 . 2011-03-04 23:19 118272 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-03-04 23:18 . 2011-03-04 23:18 84480 ----a-w- c:\windows\SysWow64\INETRES.dll
2011-03-04 23:18 . 2011-03-04 23:18 996352 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 23:18 . 2011-03-04 23:18 84480 ----a-w- c:\windows\system32\INETRES.dll
2011-03-04 23:18 . 2011-03-04 23:18 737792 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-03-04 22:48 . 2011-03-04 22:48 361472 ----a-w- c:\windows\system32\es.dll
2011-03-04 22:48 . 2011-03-04 22:48 268800 ----a-w- c:\windows\SysWow64\es.dll
2011-03-04 20:46 . 2011-02-23 17:34 7947600 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{004D9C88-5848-487F-92A2-5BE5D88E5F14}\mpengine.dll
2011-03-04 20:17 . 2011-03-04 20:17 -------- d-----w- C:\fa6deea3390c9ceb3f2969
2011-03-04 19:14 . 2011-03-04 19:14 96760 ----a-w- c:\windows\SysWow64\dfshim.dll
2011-03-04 19:14 . 2011-03-04 19:14 112120 ----a-w- c:\windows\system32\dfshim.dll
2011-03-04 19:14 . 2011-03-04 19:14 41984 ----a-w- c:\windows\SysWow64\netfxperf.dll
2011-03-04 19:14 . 2011-03-04 19:14 13824 ----a-w- c:\windows\system32\netfxperf.dll
2011-03-04 19:14 . 2011-03-04 19:14 406528 ----a-w- c:\windows\system32\mscoree.dll
2011-03-04 19:14 . 2011-03-04 19:14 282112 ----a-w- c:\windows\SysWow64\mscoree.dll
2011-03-04 19:14 . 2011-03-04 19:14 83968 ----a-w- c:\windows\SysWow64\mscories.dll
2011-03-04 19:14 . 2011-03-04 19:14 76288 ----a-w- c:\windows\system32\mscories.dll
2011-03-04 19:14 . 2011-03-04 19:14 158720 ----a-w- c:\windows\SysWow64\mscorier.dll
2011-03-04 19:14 . 2011-03-04 19:14 158208 ----a-w- c:\windows\system32\mscorier.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
2011-03-04 18:55 . 2011-03-04 18:55 1902080 ----a-w- c:\windows\system32\msxml3.dll
2011-03-04 18:55 . 2011-03-04 18:55 1260032 ----a-w- c:\windows\SysWow64\msxml3.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\SysWow64\msxml6r.dll
2011-03-04 18:55 . 2011-03-04 18:55 1406464 ----a-w- c:\windows\SysWow64\msxml6.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\system32\msxml6r.dll
2011-03-04 18:55 . 2011-03-04 18:55 1827328 ----a-w- c:\windows\system32\msxml6.dll
2011-03-04 18:54 . 2011-03-04 18:54 36352 ----a-w- c:\windows\SysWow64\tsgqec.dll
2011-03-04 18:54 . 2011-03-04 18:54 1871872 ----a-w- c:\windows\SysWow64\mstscax.dll
2011-03-04 18:54 . 2011-03-04 18:54 116736 ----a-w- c:\windows\SysWow64\aaclient.dll
2011-03-04 18:54 . 2011-03-04 18:54 130048 ----a-w- c:\windows\system32\aaclient.dll
2011-03-04 18:54 . 2011-03-04 18:54 27648 ----a-w- c:\windows\system32\tsgqec.dll
2011-03-04 18:54 . 2011-03-04 18:54 2194432 ----a-w- c:\windows\system32\mstscax.dll
2011-03-04 18:52 . 2011-03-04 18:52 61440 ----a-w- c:\windows\SysWow64\winipsec.dll
2011-03-04 18:52 . 2011-03-04 18:52 49152 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2011-03-04 18:52 . 2011-03-04 18:52 28672 ----a-w- c:\windows\SysWow64\FwRemoteSvr.dll
2011-03-04 18:52 . 2011-03-04 18:52 272896 ----a-w- c:\windows\SysWow64\polstore.dll
2011-03-04 18:52 . 2011-03-04 18:52 523264 ----a-w- c:\windows\system32\IPSECSVC.DLL
2011-03-04 18:52 . 2011-03-04 18:52 379904 ----a-w- c:\windows\system32\polstore.dll
2011-03-04 18:52 . 2011-03-04 18:52 100352 ----a-w- c:\windows\system32\winipsec.dll
2011-03-04 18:49 . 2011-03-04 18:49 604160 ----a-w- c:\windows\system32\drivers\http.sys
2011-03-04 18:49 . 2011-03-04 18:49 33792 ----a-w- c:\windows\system32\httpapi.dll
2011-03-04 18:49 . 2011-03-04 18:49 32768 ----a-w- c:\windows\system32\nshhttp.dll
2011-03-04 18:49 . 2011-03-04 18:49 31232 ----a-w- c:\windows\SysWow64\httpapi.dll
2011-03-04 18:49 . 2011-03-04 18:49 24064 ----a-w- c:\windows\SysWow64\nshhttp.dll
2011-03-04 18:43 . 2011-03-04 18:43 89088 ----a-w- c:\windows\system32\admparse.dll
2011-03-04 18:38 . 2011-03-04 18:38 2923520 ----a-w- c:\windows\SysWow64\explorer.exe
2011-03-04 18:38 . 2011-03-04 18:38 3087360 ----a-w- c:\windows\explorer.exe
2011-03-04 18:34 . 2011-03-04 18:34 9728 ----a-w- c:\windows\system32\lsass.exe
2011-03-04 18:34 . 2011-03-04 18:34 95232 ----a-w- c:\windows\system32\secur32.dll
2011-03-04 18:34 . 2011-03-04 18:34 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2011-03-04 18:34 . 2011-03-04 18:34 479816 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-03-04 18:34 . 2011-03-04 18:34 270336 ----a-w- c:\windows\system32\msv1_0.dll
2011-03-04 18:34 . 2011-03-04 18:34 216576 ----a-w- c:\windows\SysWow64\msv1_0.dll
2011-03-04 18:34 . 2011-03-04 18:34 205824 ----a-w- c:\windows\system32\wdigest.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 23:29 . 2011-03-04 23:29 55296 ----a-w- c:\windows\apppatch\AppPatch64\apihex64.dll
2011-03-04 23:29 . 2011-03-04 23:29 40960 ----a-w- c:\windows\apppatch\apihex86.dll
2011-03-04 19:50 . 2007-03-01 01:23 382846753 ----a-w- c:\windows\DUMP73e7.tmp
2011-03-04 18:43 . 2011-03-04 18:43 52736 ----a-w- c:\windows\apppatch\iebrshim.dll
2011-03-04 18:43 . 2011-03-04 18:43 145408 ----a-w- c:\windows\apppatch\AppPatch64\iebrshim.dll
2011-02-03 01:11 . 2009-10-04 01:54 270720 ------w- c:\windows\system32\MpSigStub.exe
2006-05-03 10:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll
2008-03-16 13:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 03:17 1487240 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 139264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
.
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files (x86)\Webshots\Launcher.exe [2007-3-9 45056]
Windows Calendar.lnk - c:\program files\Windows Calendar\WinCal.exe [2007-8-29 1264128]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"TivoNotify"="e:\new folder (4)\TiVoNotify.exe" /service /registry /auto:TivoNotify
"Google Desktop Search"="c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"TivoServer"="e:\new folder (4)\TiVoServer.exe" /service /registry /auto:TivoServer
"TivoTransfer"="c:\program files (x86)\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe Photo Downloader"="c:\program files (x86)\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
.
R3 GSService;GSService;c:\windows\SysWOW64\GSService.exe [2010-04-28 344064]
R3 MLFILEM;MLFILEM;c:\windows\system32\drivers\MLFILEM.SYS [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 STSService;STSService;c:\program files (x86)\SoundTaxi Media Suite\STSService.exe [2010-04-27 344064]
R4 EtiVoServer;EtiVoServer;c:\program files (x86)\etivoserver\etivosrv.exe [2005-06-23 24576]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 55888]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2009-11-25 583640]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2010-01-24 07:01]
.
2010-04-21 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files (x86)\Spybot - Search & Destroy\SpybotSD.exe [2008-08-24 21:45]
.
2011-03-10 c:\windows\Tasks\User_Feed_Synchronization-{1F9F991A-7AD1-4E2A-B08F-B2FFF92C9AEA}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/?pc=Z003&form=ZGAPHP
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: &Download with &DAP - c:\program files (x86)\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files (x86)\DAP\dapextie2.htm
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~2\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~2\DAP\dapie.dll
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ddkpsuh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/q?s=nflx&ql=1|http://money.cnn.com/|https://invest.firstrade.com/cgi-bin/login?reason=6|http://seekingalpha.com/|https://online.wellsfargo.com/servlet/LoadBal?screenid=SIGNON_DISPLAY&SIGNON_XCP=TIMEOUT|https://mail.google.com/mail/?shva=1#inbox|http://sn140w.snt140.mail.live.com/default.aspx?wa=wsignin1.0
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z003&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Utopia White: {9998A493-980E-4716-81BC-F0C77001E9B7} - %profile%\extensions\{9998A493-980E-4716-81BC-F0C77001E9B7}
FF - Ext: Phoenity Next (formerly Phoenity Reborn): {069FB356-C69F-7349-D092-AB28AF836D0E} - %profile%\extensions\{069FB356-C69F-7349-D092-AB28AF836D0E}
FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-XviD MPEG4 Video Codec - c:\windows\system32\xvid-uninstall.exe
AddRemove-Trader Workstation - c:\windows\system32\javaws.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-10 09:22:11
ComboFix-quarantined-files.txt 2011-03-10 17:22
.
Pre-Run: 86,872,670,208 bytes free
Post-Run: 86,024,486,912 bytes free
.
- - End Of File - - 7E78728185D85ADE8BC8DC9CDAFEDF88




#6 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 10 March 2011 - 06:40 PM

Hello, gilboy7.
Thanks for letting me know. How is your computer running at this point?

Ask Toolbar Warning

I see you have the Ask.Com toolbar installed. This often comes bundled with spyware, and it is recommended that you remove it.

Please see here for more information:
http://www.bleepingcomputer.com/uninstall/94/Ask-Toolbar.html

If you would like to remove it, please go to Add/Remove Programs and uninstall it.

ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first. We can reinstall it when we're done with CF. Please let me know if you do uninstall it.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

File::
C:\PROGRA~3\403125.exe
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Swearware\backup\winsock2\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
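The RegLock:: list in the script above is simply every key reported under the log's "LOCKED REGISTRY KEYS" banner, and the @Denied lines under each key are what make ComboFix report it as locked. The following Python is an added example for this thread (not ComboFix's own tooling, nor etavares' script): it parses that section from a constructed excerpt of the log posted above, reports which trustees each key denies, and assembles File:: and RegLock:: directives in the same layout. The section banner, the `.` separator lines and the `@Denied:`/`@Allowed:` line formats are taken from the log above; everything else (function names, the sample excerpt) is this example's own.

```python
"""Pull the LOCKED REGISTRY KEYS section out of a ComboFix log and draft a CFScript.

Added example for this thread (not ComboFix's own tooling). The section
banner, the '.' separator lines and the '@Denied:'/'@Allowed:' ACE lines
follow the format of the log posted above; SAMPLE_LOG is a constructed
excerpt of that log.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt, modelled on the log posted in this thread (raw string, so
# the doubled backslashes inside REG_SZ values stay exactly as ComboFix prints them).
SAMPLE_LOG = r"""--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-10 09:22:11
"""

# "--------- NAME ---------" section banners used throughout ComboFix logs.
HEADER_RE = re.compile(r"^-{3,}\s*(?P<name>[A-Za-z0-9 ]+?)\s*-{3,}$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ACE_RE = re.compile(r"^@(?P<kind>Denied|Allowed): \((?P<rights>[^)]*)\) \((?P<trustee>[^)]*)\)$")


@dataclass
class LockedKey:
    path: str
    aces: list = field(default_factory=list)    # (kind, rights, trustee) tuples
    values: list = field(default_factory=list)  # raw value lines under the key


def parse_locked_keys(log_text):
    """Return the keys listed under LOCKED REGISTRY KEYS, in log order."""
    keys, current, in_section = [], None, False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        header = HEADER_RE.match(line)
        if header:
            in_section = header.group("name").upper() == "LOCKED REGISTRY KEYS"
            current = None
            continue
        if not in_section:
            continue
        if line.startswith("Completion time:"):
            break  # the summary footer ends the last section
        key = KEY_RE.match(line)
        if key:
            current = LockedKey(key.group("key"))
            keys.append(current)
            continue
        if current is None or line in ("", "."):
            continue  # '.' is ComboFix's blank-line marker
        ace = ACE_RE.match(line)
        if ace:
            current.aces.append((ace.group("kind"), ace.group("rights"), ace.group("trustee")))
        else:
            current.values.append(line)
    return keys


def denied_trustees(key):
    """Trustees the key's DACL explicitly denies (the reason ComboFix reports it as locked)."""
    return [trustee for kind, _, trustee in key.aces if kind == "Denied"]


def build_cfscript(files, locked_keys):
    """Assemble File:: and RegLock:: directives in the layout used in this thread."""
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if locked_keys:
        lines.append("RegLock::")
        lines.extend(f"[{key.path}]" for key in locked_keys)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_locked_keys(SAMPLE_LOG)
    for key in found:
        denied = ", ".join(denied_trustees(key)) or "no explicit deny ACE"
        print(f"{key.path}\n    denied: {denied}; {len(key.values)} value line(s)")
    print(build_cfscript([r"C:\PROGRA~3\403125.exe"], found))
```

Run against a full ComboFix.txt, the parser stops at the "Completion time:" footer and ignores every other banner, so only the locked-key section is considered.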
 


#7 gilboy7

gilboy7
  • Topic Starter

  • Members
  • 21 posts

Posted 11 March 2011 - 10:31 AM

Hi Etavares, thanks for helping! My machine is running fine now and I have not had any trojan warnings from my virus protection program since I ran ComboFix. I do notice that Avast is not showing an icon in the system tray, although the Windows Defender malware protection tab says Avast is running.
However, I do have another problem that I have been dealing with for a while and that you could help me with: SATA ports on my motherboard have stopped recognizing hard drives. I have a Conroe 945G-DVI motherboard and a Core 2 Duo 6600 processor at 2.4GHz, with 4GB RAM. I have been reading that updating the BIOS could possibly fix this, but I am hesitant to mess with the BIOS without help. It started over a year ago when I noticed very erratic behavior from my computer, such as slow processing of all programs and many disc error messages. So I changed the SATA cable of my C: drive to a different SATA port on a whim, and all symptoms vanished. I have now done this a couple more times, until I have only 1 working port left. But today, when I booted up, I decided to try SATA port #1 again, and only when I entered setup did the drive show up and then boot. Do you have any idea what this could be caused by? Also, is it a good idea to enable SMART on my capable drives?

#8 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 11 March 2011 - 06:29 PM

OK, let's deal with those questions once we finish up with the malware. Can you please post the contents of C:\combofix.txt? We have a few more things to do to clean it, then we can dig into the SATA issue. It could also be a failing motherboard.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 gilboy7

gilboy7
  • Topic Starter

  • Members
  • 21 posts

Posted 11 March 2011 - 06:35 PM

Hi Etavares, I posted the contents of the ComboFix text yesterday in my earlier post above. But here it is again:

ComboFix 11-03-09.05 - admin 03/10/2011 8:59.2.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3199.1924 [GMT -8:00]
Running from: c:\users\admin\Desktop\etavaresCF.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbar.dll
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\programdata\xhwxaNExnsjRHcn.dll
c:\windows\dcstds3.dll
c:\windows\SysWow64\sys_dll.dll
F:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-10 to 2011-03-10 )))))))))))))))))))))))))))))))
.
.
2011-03-10 17:08 . 2011-03-10 17:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-10 16:03 . 2011-03-10 16:08 -------- d-----w- C:\ComboFix
2011-03-08 23:04 . 2011-03-08 23:05 -------- d-----w- c:\program files (x86)\Ask.com
2011-03-04 23:48 . 2011-03-04 23:48 114176 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-04 23:48 . 2011-03-04 23:48 27648 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-04 23:48 . 2011-03-04 23:48 24576 ----a-w- c:\windows\SysWow64\dnscacheugc.exe
2011-03-04 23:48 . 2011-03-04 23:48 54272 ----a-w- c:\windows\system32\iyuv_32.dll
2011-03-04 23:48 . 2011-03-04 23:48 50176 ----a-w- c:\windows\SysWow64\iyuv_32.dll
2011-03-04 23:48 . 2011-03-04 23:48 25600 ----a-w- c:\windows\system32\msyuv.dll
2011-03-04 23:48 . 2011-03-04 23:48 22528 ----a-w- c:\windows\SysWow64\msyuv.dll
2011-03-04 23:48 . 2011-03-04 23:48 11776 ----a-w- c:\windows\SysWow64\tsbyuv.dll
2011-03-04 23:46 . 2011-03-04 23:46 97280 ----a-w- c:\windows\system32\fontsub.dll
2011-03-04 23:46 . 2011-03-04 23:46 72704 ----a-w- c:\windows\SysWow64\fontsub.dll
2011-03-04 23:46 . 2011-03-04 23:46 48128 ----a-w- c:\windows\system32\atmlib.dll
2011-03-04 23:46 . 2011-03-04 23:46 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-03-04 23:46 . 2011-03-04 23:46 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-03-04 23:46 . 2011-03-04 23:46 33280 ----a-w- c:\windows\system32\lpk.dll
2011-03-04 23:46 . 2011-03-04 23:46 289792 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-03-04 23:46 . 2011-03-04 23:46 24064 ----a-w- c:\windows\SysWow64\lpk.dll
2011-03-04 23:46 . 2011-03-04 23:46 14336 ----a-w- c:\windows\system32\dciman32.dll
2011-03-04 23:46 . 2011-03-04 23:46 10240 ----a-w- c:\windows\SysWow64\dciman32.dll
2011-03-04 23:46 . 2011-03-04 23:46 188416 ----a-w- c:\windows\system32\t2embed.dll
2011-03-04 23:46 . 2011-03-04 23:46 156672 ----a-w- c:\windows\SysWow64\t2embed.dll
2011-03-04 23:45 . 2011-03-04 23:45 836608 ----a-w- c:\windows\system32\localspl.dll
2011-03-04 23:45 . 2011-03-04 23:45 696832 ----a-w- c:\windows\SysWow64\localspl.dll
2011-03-04 23:44 . 2011-03-04 23:44 672256 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2011-03-04 23:44 . 2011-03-04 23:44 1260544 ----a-w- c:\windows\system32\rpcrt4.dll
2011-03-04 23:43 . 2011-03-04 23:43 658944 ----a-w- c:\windows\system32\kerberos.dll
2011-03-04 23:43 . 2011-03-04 23:43 494592 ----a-w- c:\windows\SysWow64\kerberos.dll
2011-03-04 23:43 . 2011-03-04 23:43 343040 ----a-w- c:\windows\system32\schannel.dll
2011-03-04 23:43 . 2011-03-04 23:43 272384 ----a-w- c:\windows\SysWow64\schannel.dll
2011-03-04 23:43 . 2011-03-04 23:43 29696 ----a-w- c:\windows\system32\drivers\tunnel.sys
2011-03-04 23:43 . 2011-03-04 23:43 199168 ----a-w- c:\windows\system32\iphlpsvc.dll
2011-03-04 23:43 . 2011-03-04 23:43 18432 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2011-03-04 23:43 . 2011-03-04 23:43 25600 ----a-w- c:\windows\system32\netiougc.exe
2011-03-04 23:43 . 2011-03-04 23:43 232960 ----a-w- c:\windows\system32\tcpipcfg.dll
2011-03-04 23:43 . 2011-03-04 23:43 22016 ----a-w- c:\windows\SysWow64\netiougc.exe
2011-03-04 23:43 . 2011-03-04 23:43 167424 ----a-w- c:\windows\SysWow64\tcpipcfg.dll
2011-03-04 23:43 . 2011-03-04 23:43 1200640 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-03-04 23:41 . 2011-03-04 23:41 399872 ----a-w- c:\windows\system32\WSDApi.dll
2011-03-04 23:41 . 2011-03-04 23:41 321536 ----a-w- c:\windows\SysWow64\WSDApi.dll
2011-03-04 23:37 . 2011-03-04 23:37 817152 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2011-03-04 23:37 . 2011-03-04 23:37 604672 ----a-w- c:\windows\SysWow64\WMSPDMOD.DLL
2011-03-04 23:36 . 2011-03-04 23:36 1937408 ----a-w- c:\windows\system32\setupapi.dll
2011-03-04 23:36 . 2011-03-04 23:36 1585664 ----a-w- c:\windows\SysWow64\setupapi.dll
2011-03-04 23:33 . 2011-03-04 23:33 664064 ----a-w- c:\windows\system32\win32spl.dll
2011-03-04 23:33 . 2011-03-04 23:33 44544 ----a-w- c:\windows\system32\printcom.dll
2011-03-04 23:33 . 2011-03-04 23:33 441856 ----a-w- c:\windows\SysWow64\win32spl.dll
2011-03-04 23:33 . 2011-03-04 23:33 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2011-03-04 23:33 . 2011-03-04 23:33 439296 ----a-w- c:\windows\system32\winhttp.dll
2011-03-04 23:33 . 2011-03-04 23:33 376832 ----a-w- c:\windows\SysWow64\winhttp.dll
2011-03-04 23:32 . 2011-03-04 23:32 2758656 ----a-w- c:\windows\system32\win32k.sys
2011-03-04 23:31 . 2011-03-04 23:31 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-03-04 23:31 . 2011-03-04 23:31 272896 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-03-04 23:31 . 2011-03-04 23:31 134144 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-03-04 23:30 . 2011-03-04 23:30 4424072 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-03-04 23:29 . 2011-03-04 23:29 287744 ----a-w- c:\windows\system32\raschap.dll
2011-03-04 23:29 . 2011-03-04 23:29 274432 ----a-w- c:\windows\SysWow64\raschap.dll
2011-03-04 23:29 . 2011-03-04 23:29 267264 ----a-w- c:\windows\system32\rastls.dll
2011-03-04 23:29 . 2011-03-04 23:29 232960 ----a-w- c:\windows\SysWow64\rastls.dll
2011-03-04 23:29 . 2011-03-04 23:29 25600 ----a-w- c:\windows\SysWow64\amxread.dll
2011-03-04 23:29 . 2011-03-04 23:29 25600 ----a-w- c:\windows\system32\amxread.dll
2011-03-04 23:29 . 2011-03-04 23:29 15872 ----a-w- c:\windows\system32\apilogen.dll
2011-03-04 23:29 . 2011-03-04 23:29 14848 ----a-w- c:\windows\SysWow64\apilogen.dll
2011-03-04 23:28 . 2011-03-04 23:28 379392 ----a-w- c:\windows\system32\gdi32.dll
2011-03-04 23:28 . 2011-03-04 23:28 303616 ----a-w- c:\windows\SysWow64\gdi32.dll
2011-03-04 23:26 . 2011-03-04 23:26 1963520 ----a-w- c:\windows\SysWow64\NlsData001a.dll
2011-03-04 23:20 . 2011-03-04 23:20 2048 ----a-w- c:\windows\system32\tzres.dll
2011-03-04 23:20 . 2011-03-04 23:20 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-03-04 23:19 . 2011-03-04 23:19 461824 ----a-w- c:\windows\system32\drivers\srv.sys
2011-03-04 23:19 . 2011-03-04 23:19 118272 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-03-04 23:18 . 2011-03-04 23:18 84480 ----a-w- c:\windows\SysWow64\INETRES.dll
2011-03-04 23:18 . 2011-03-04 23:18 996352 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 23:18 . 2011-03-04 23:18 84480 ----a-w- c:\windows\system32\INETRES.dll
2011-03-04 23:18 . 2011-03-04 23:18 737792 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-03-04 22:48 . 2011-03-04 22:48 361472 ----a-w- c:\windows\system32\es.dll
2011-03-04 22:48 . 2011-03-04 22:48 268800 ----a-w- c:\windows\SysWow64\es.dll
2011-03-04 20:46 . 2011-02-23 17:34 7947600 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{004D9C88-5848-487F-92A2-5BE5D88E5F14}\mpengine.dll
2011-03-04 20:17 . 2011-03-04 20:17 -------- d-----w- C:\fa6deea3390c9ceb3f2969
2011-03-04 19:14 . 2011-03-04 19:14 96760 ----a-w- c:\windows\SysWow64\dfshim.dll
2011-03-04 19:14 . 2011-03-04 19:14 112120 ----a-w- c:\windows\system32\dfshim.dll
2011-03-04 19:14 . 2011-03-04 19:14 41984 ----a-w- c:\windows\SysWow64\netfxperf.dll
2011-03-04 19:14 . 2011-03-04 19:14 13824 ----a-w- c:\windows\system32\netfxperf.dll
2011-03-04 19:14 . 2011-03-04 19:14 406528 ----a-w- c:\windows\system32\mscoree.dll
2011-03-04 19:14 . 2011-03-04 19:14 282112 ----a-w- c:\windows\SysWow64\mscoree.dll
2011-03-04 19:14 . 2011-03-04 19:14 83968 ----a-w- c:\windows\SysWow64\mscories.dll
2011-03-04 19:14 . 2011-03-04 19:14 76288 ----a-w- c:\windows\system32\mscories.dll
2011-03-04 19:14 . 2011-03-04 19:14 158720 ----a-w- c:\windows\SysWow64\mscorier.dll
2011-03-04 19:14 . 2011-03-04 19:14 158208 ----a-w- c:\windows\system32\mscorier.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
2011-03-04 18:55 . 2011-03-04 18:55 1902080 ----a-w- c:\windows\system32\msxml3.dll
2011-03-04 18:55 . 2011-03-04 18:55 1260032 ----a-w- c:\windows\SysWow64\msxml3.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\SysWow64\msxml6r.dll
2011-03-04 18:55 . 2011-03-04 18:55 1406464 ----a-w- c:\windows\SysWow64\msxml6.dll
2011-03-04 18:55 . 2011-03-04 18:55 2048 ----a-w- c:\windows\system32\msxml6r.dll
2011-03-04 18:55 . 2011-03-04 18:55 1827328 ----a-w- c:\windows\system32\msxml6.dll
2011-03-04 18:54 . 2011-03-04 18:54 36352 ----a-w- c:\windows\SysWow64\tsgqec.dll
2011-03-04 18:54 . 2011-03-04 18:54 1871872 ----a-w- c:\windows\SysWow64\mstscax.dll
2011-03-04 18:54 . 2011-03-04 18:54 116736 ----a-w- c:\windows\SysWow64\aaclient.dll
2011-03-04 18:54 . 2011-03-04 18:54 130048 ----a-w- c:\windows\system32\aaclient.dll
2011-03-04 18:54 . 2011-03-04 18:54 27648 ----a-w- c:\windows\system32\tsgqec.dll
2011-03-04 18:54 . 2011-03-04 18:54 2194432 ----a-w- c:\windows\system32\mstscax.dll
2011-03-04 18:52 . 2011-03-04 18:52 61440 ----a-w- c:\windows\SysWow64\winipsec.dll
2011-03-04 18:52 . 2011-03-04 18:52 49152 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2011-03-04 18:52 . 2011-03-04 18:52 28672 ----a-w- c:\windows\SysWow64\FwRemoteSvr.dll
2011-03-04 18:52 . 2011-03-04 18:52 272896 ----a-w- c:\windows\SysWow64\polstore.dll
2011-03-04 18:52 . 2011-03-04 18:52 523264 ----a-w- c:\windows\system32\IPSECSVC.DLL
2011-03-04 18:52 . 2011-03-04 18:52 379904 ----a-w- c:\windows\system32\polstore.dll
2011-03-04 18:52 . 2011-03-04 18:52 100352 ----a-w- c:\windows\system32\winipsec.dll
2011-03-04 18:49 . 2011-03-04 18:49 604160 ----a-w- c:\windows\system32\drivers\http.sys
2011-03-04 18:49 . 2011-03-04 18:49 33792 ----a-w- c:\windows\system32\httpapi.dll
2011-03-04 18:49 . 2011-03-04 18:49 32768 ----a-w- c:\windows\system32\nshhttp.dll
2011-03-04 18:49 . 2011-03-04 18:49 31232 ----a-w- c:\windows\SysWow64\httpapi.dll
2011-03-04 18:49 . 2011-03-04 18:49 24064 ----a-w- c:\windows\SysWow64\nshhttp.dll
2011-03-04 18:43 . 2011-03-04 18:43 89088 ----a-w- c:\windows\system32\admparse.dll
2011-03-04 18:38 . 2011-03-04 18:38 2923520 ----a-w- c:\windows\SysWow64\explorer.exe
2011-03-04 18:38 . 2011-03-04 18:38 3087360 ----a-w- c:\windows\explorer.exe
2011-03-04 18:34 . 2011-03-04 18:34 9728 ----a-w- c:\windows\system32\lsass.exe
2011-03-04 18:34 . 2011-03-04 18:34 95232 ----a-w- c:\windows\system32\secur32.dll
2011-03-04 18:34 . 2011-03-04 18:34 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2011-03-04 18:34 . 2011-03-04 18:34 479816 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-03-04 18:34 . 2011-03-04 18:34 270336 ----a-w- c:\windows\system32\msv1_0.dll
2011-03-04 18:34 . 2011-03-04 18:34 216576 ----a-w- c:\windows\SysWow64\msv1_0.dll
2011-03-04 18:34 . 2011-03-04 18:34 205824 ----a-w- c:\windows\system32\wdigest.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 23:29 . 2011-03-04 23:29 55296 ----a-w- c:\windows\apppatch\AppPatch64\apihex64.dll
2011-03-04 23:29 . 2011-03-04 23:29 40960 ----a-w- c:\windows\apppatch\apihex86.dll
2011-03-04 19:50 . 2007-03-01 01:23 382846753 ----a-w- c:\windows\DUMP73e7.tmp
2011-03-04 18:43 . 2011-03-04 18:43 52736 ----a-w- c:\windows\apppatch\iebrshim.dll
2011-03-04 18:43 . 2011-03-04 18:43 145408 ----a-w- c:\windows\apppatch\AppPatch64\iebrshim.dll
2011-02-03 01:11 . 2009-10-04 01:54 270720 ------w- c:\windows\system32\MpSigStub.exe
2006-05-03 10:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll
2008-03-16 13:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-02 03:17 1487240 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 139264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
.
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files (x86)\Webshots\Launcher.exe [2007-3-9 45056]
Windows Calendar.lnk - c:\program files\Windows Calendar\WinCal.exe [2007-8-29 1264128]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"TivoNotify"="e:\new folder (4)\TiVoNotify.exe" /service /registry /auto:TivoNotify
"Google Desktop Search"="c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"TivoServer"="e:\new folder (4)\TiVoServer.exe" /service /registry /auto:TivoServer
"TivoTransfer"="c:\program files (x86)\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Adobe Photo Downloader"="c:\program files (x86)\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
.
R3 GSService;GSService;c:\windows\SysWOW64\GSService.exe [2010-04-28 344064]
R3 MLFILEM;MLFILEM;c:\windows\system32\drivers\MLFILEM.SYS [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 STSService;STSService;c:\program files (x86)\SoundTaxi Media Suite\STSService.exe [2010-04-27 344064]
R4 EtiVoServer;EtiVoServer;c:\program files (x86)\etivoserver\etivosrv.exe [2005-06-23 24576]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2007-12-04 55888]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2009-11-25 583640]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2010-01-24 07:01]
.
2010-04-21 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files (x86)\Spybot - Search & Destroy\SpybotSD.exe [2008-08-24 21:45]
.
2011-03-10 c:\windows\Tasks\User_Feed_Synchronization-{1F9F991A-7AD1-4E2A-B08F-B2FFF92C9AEA}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/?pc=Z003&form=ZGAPHP
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: &Download with &DAP - c:\program files (x86)\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files (x86)\DAP\dapextie2.htm
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~2\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~2\DAP\dapie.dll
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ddkpsuh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/q?s=nflx&ql=1|http://money.cnn.com/|https://invest.firstrade.com/cgi-bin/login?reason=6|http://seekingalpha.com/|https://online.wellsfargo.com/servlet/LoadBal?screenid=SIGNON_DISPLAY&SIGNON_XCP=TIMEOUT|https://mail.google.com/mail/?shva=1#inbox|http://sn140w.snt140.mail.live.com/default.aspx?wa=wsignin1.0
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z003&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: Utopia White: {9998A493-980E-4716-81BC-F0C77001E9B7} - %profile%\extensions\{9998A493-980E-4716-81BC-F0C77001E9B7}
FF - Ext: Phoenity Next (formerly Phoenity Reborn): {069FB356-C69F-7349-D092-AB28AF836D0E} - %profile%\extensions\{069FB356-C69F-7349-D092-AB28AF836D0E}
FF - Ext: Gradient iCool: {de5809e0-2b07-11dd-bd0b-0800200c9a66} - %profile%\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-XviD MPEG4 Video Codec - c:\windows\system32\xvid-uninstall.exe
AddRemove-Trader Workstation - c:\windows\system32\javaws.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-10 09:22:11
ComboFix-quarantined-files.txt 2011-03-10 17:22
.
Pre-Run: 86,872,670,208 bytes free
Post-Run: 86,024,486,912 bytes free
.
- - End Of File - - 7E78728185D85ADE8BC8DC9CDAFEDF88

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 11 March 2011 - 06:37 PM

Did you follow my instructions in Post 6 above to run a Combofix script for a few remaining items? It doesn't appear you have done that yet.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 gilboy7

gilboy7
  • Topic Starter

  • Members
  • 21 posts

Posted 11 March 2011 - 07:46 PM

Sorry, I posted the last comment before I realized you wanted me to uninstall the Ask toolbar, and I have been trying to get that to uninstall for a while. I finally used Revo Uninstaller to force it to uninstall. I will now re-run ComboFix per your instructions. Thanks again.

#12 gilboy7

gilboy7
  • Topic Starter

  • Members
  • 21 posts

Posted 11 March 2011 - 09:35 PM

OK etavares, I ran ComboFix using the script you supplied, and now, after the scan finished and the text log appeared, I have no access to any programs. I restarted and an error message appeared stating that run32.dll is an unknown program. All program icons appear blank and clicking them has no effect. I would restore my system to the restore point before the scan, but nothing works. I am writing this from my laptop, which does not have any of my business content. Please help with fixing this ASAP. I do not know if this problem occurred because I have a 64-bit system or not, but I don't think I mentioned that earlier.

#13 gilboy7

gilboy7
  • Topic Starter

  • Members
  • 21 posts

Posted 11 March 2011 - 09:36 PM

I just started my PC in safe mode with networking and I seem to be able to access programs again.

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 12 March 2011 - 07:16 AM

OK, please post C:\combofix.txt from safe mode. 64-bit doesn't matter, but your logs showed that anyway. It's possible it was patched and ComboFix removed it; that log will help us determine that. We have other ways to roll back as well.

 


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 12 March 2011 - 07:16 AM

PS: Try booting in normal mode again... sometimes a reboot is all that's needed.
