Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tidserv Activity 2 / Zeroaccess?


  • This topic is locked This topic is locked
27 replies to this topic

#1 mark082

mark082

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 11 October 2011 - 11:58 PM

A few weeks ago, I came home to find Opencloud Security plaguing my system. I had microsoft security essentials on the computer, but it had shut itself off. I'm no stranger to removing rogue antivirus and I assumed this would be no different. Malwarebytes gave me fits trying to run a scan in safe mode and some of my other tools that I usually used like rkill wouldn't work. My cpu would max out on all 4 cores as well. I tried malwarebytes, hitman pro, and anything else I could find. Finally, I was able to slow it down enough that I could run malwarebytes in regular mode and it seemed to fix the problem. However, I was trying to upload photos from picasa and noticed that it was going too slowly and my cpu was maxed again. I decided to install norton antivirus because it has been fantastic on my work computer. It installed and after a full scan with Norton and Malwarebytes, I seemed to be ok. The next day, though, Norton started constantly throwing up the "threat requiring manual removal detected: System infected: Tidserv Activity 2" message. I used their tool and tdsskiller from Kaspersky, but it didn't find anything. It also kept popping up messages about 80000032 something or other. Those messages have stopped now, but I now get messages like "globalroot\systemroot\assembly\tmp\U\80000032.@ is either not designed to run on windows or it contains an error" and says "chrome.exe" bad image or whatever program I'm trying to open. I click ok and it goes away and I don't have any other problems. My system seems to be ok, but I know that something is there lurking. Here are the logs.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Mark at 23:47:26 on 2011-10-11
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8191.5322 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Transcode360\Transcode360.exe
C:\Windows\RAVCpl64.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
C:\Users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\HippoVNC\WinVNC.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\CyberLink\Shared Files\brs.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\Mark\AppData\Roaming\Spotify\Spotify.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files (x86)\CyberLink\InstantBurn\Win2K\IBurn.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Users\Mark\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mark\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mark\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mark\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Google Update] "C:\Users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
uRun: [Power2GoExpress]
uRun: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
mRun: [<NO NAME>]
mRun: [Acer Product Registration] "C:\Program Files (x86)\Acer Registration\ACE1.exe" /startup
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [AT&T Communication Manager] "C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe" -a
mRun: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
mRun: [eRecoveryService]
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
mRun: [LGODDFU] "C:\Program Files (x86)\lg_fwupdate\fwupdate.exe" blrun
mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
mRun: [InstantBurn] C:\PROGRA~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
mRun: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun: [fD3onG4am6W7E8T511D3A] C:\Program Files (x86)\Internet Explorer\plugins\iexplore.exe
mRun: [ifEL9gTZqYwIrOt511D3A] C:\Windows\system32\drivers\svhost.exe
mRun: [fNtxP0ucSiDoGaH511D3A] C:\Program Files (x86)\Internet Explorer\plugins\iexplore.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Mark\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Mark\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
StartupFolder: C:\Users\Mark\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\WINVNC~1.LNK - C:\Program Files (x86)\HippoVNC\WinVNC.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files\Logitech\SetPoint\SetPoint.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: &Search
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: freetoolsassociation.com\activegs
Trusted Zone: virtualapple.org\www
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{11A0CBD7-4A5F-4F6D-8984-FF52343DE8B9} : DhcpNameServer = 192.168.0.1
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll
mRun-x64: [(Default)]
mRun-x64: [Acer Product Registration] "C:\Program Files (x86)\Acer Registration\ACE1.exe" /startup
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [AT&T Communication Manager] "C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe" -a
mRun-x64: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
mRun-x64: [eRecoveryService]
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
mRun-x64: [LGODDFU] "C:\Program Files (x86)\lg_fwupdate\fwupdate.exe" blrun
mRun-x64: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
mRun-x64: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
mRun-x64: [InstantBurn] C:\PROGRA~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
mRun-x64: [Corel File Shell Monitor] c:\Program Files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
mRun-x64: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
mRun-x64: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun-x64: [fD3onG4am6W7E8T511D3A] C:\Program Files (x86)\Internet Explorer\plugins\iexplore.exe
mRun-x64: [ifEL9gTZqYwIrOt511D3A] C:\Windows\system32\drivers\svhost.exe
mRun-x64: [fNtxP0ucSiDoGaH511D3A] C:\Program Files (x86)\Internet Explorer\plugins\iexplore.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 CLBStor;CLBStor;C:\Windows\system32\DRIVERS\CLBStor.sys --> C:\Windows\system32\DRIVERS\CLBStor.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-8-11 55552]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20110929.001\BHDrvx64.sys [2011-9-29 1152632]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111011.030\IDSviA64.sys [2011-10-11 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMNETS.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMNETS.SYS [?]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;C:\Windows\system32\drivers\CLBUDF.sys --> C:\Windows\system32\drivers\CLBUDF.sys [?]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-7-6 375176]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-1-11 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-9-29 130008]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-3-25 490280]
R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2010-12-2 1251840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-9-29 136824]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HitmanPro35CrusaderBoot;Hitman Pro 3.5 Crusader (Boot);C:\Users\Mark\Downloads\HitmanPro35_x64.exe [2011-9-28 7439168]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;C:\Program Files (x86)\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
S3 ATTRcAppSvc;AT&T RcAppSvc;C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe [2008-7-11 111896]
S3 CAATT;AT&T Con App Svc;C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [2008-7-11 124184]
S3 NetFlixDownloadManager;VMC NetFlix Download Manager;C:\Program Files\Luttmann\vmcNetFlix\NetFlixDownloadManager.exe [2009-4-16 26624]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;\??\C:\Windows\system32\PCTINDIS5X64.SYS --> C:\Windows\system32\PCTINDIS5X64.SYS [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe --> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
.
=============== Created Last 30 ================
.
2011-10-12 03:59:56 -------- d-----w- C:\Users\Mark\AppData\Local\CrashDumps
2011-10-08 02:58:25 -------- d-----w- C:\Users\Mark\AppData\Local\{00AE7979-AB45-401E-9BED-70E6AE8B63CE}
2011-10-08 02:57:08 -------- d-----w- C:\Users\Mark\AppData\Local\{B93DCBCF-13C2-4F6F-9D0D-924C7CAAA010}
2011-10-08 02:49:38 -------- d-----w- C:\Program Files\iPod
2011-10-08 02:49:37 -------- d-----w- C:\Program Files\iTunes
2011-10-08 02:45:10 -------- d-----w- C:\Program Files\Bonjour
2011-10-08 02:45:10 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-10-07 17:54:18 -------- d-----w- C:\Users\Mark\AppData\Local\{F296C3BA-867D-437A-8B08-7977D879B66A}
2011-10-07 17:53:03 -------- d-----w- C:\Users\Mark\AppData\Local\{18821820-9B58-4CE1-B7A9-F86AD71910A7}
2011-10-05 03:35:15 465264 ----a-w- C:\Program Files (x86)\Common Files\AppFramework.dll
2011-10-05 03:35:15 402800 ----a-w- C:\Program Files (x86)\Common Files\facebook.dll
2011-10-05 03:35:15 332144 ----a-w- C:\Program Files (x86)\Common Files\MediaOrganizer.dll
2011-10-05 03:35:15 33136 ----a-w- C:\Program Files (x86)\Common Files\FlickrProvider.dll
2011-10-05 03:35:15 130416 ----a-w- C:\Program Files (x86)\Common Files\PluginCommon.dll
2011-10-04 18:03:44 -------- d-----w- C:\Users\Mark\AppData\Local\{F544B17E-0350-4499-8627-30BBDD64567B}
2011-10-04 18:02:08 -------- d-----w- C:\Users\Mark\AppData\Local\{A377A2D9-8659-458F-A22A-7BA83B82EF6D}
2011-10-03 17:26:05 -------- d-----w- C:\Users\Mark\AppData\Local\{34AF0D72-61DD-4BD4-8DA6-97612875A469}
2011-10-03 17:24:27 -------- d-----w- C:\Users\Mark\AppData\Local\{F2E97B48-1A5A-4948-9DA5-9B38529F87A5}
2011-10-02 18:26:50 -------- d-----w- C:\Users\Mark\AppData\Local\{590785BC-7704-4F64-8A3A-0ADCE1BEF32B}
2011-10-02 18:26:32 -------- d-----w- C:\Users\Mark\AppData\Local\{6FDCE813-DD9A-4145-8D33-507989849120}
2011-10-02 03:26:44 -------- d-----w- C:\Users\Mark\AppData\Local\{325110EC-8717-4A76-8E36-520524FDD92D}
2011-10-01 15:51:05 -------- d-----w- C:\Users\Mark\AppData\Local\{9CEC9078-747D-4D50-8AA1-A685809654D1}
2011-10-01 15:50:54 -------- d-----w- C:\Users\Mark\AppData\Local\{985A4A70-A653-4741-B720-222D19FF94F0}
2011-09-30 22:03:51 -------- d-----w- C:\Users\Mark\AppData\Local\{A23D27E1-5C0A-4AC0-A8A4-8B45EBECBF82}
2011-09-30 22:03:39 -------- d-----w- C:\Users\Mark\AppData\Local\{1F61EE9E-937E-42C6-A977-8912BD64AC4C}
2011-09-30 04:05:28 -------- d-----w- C:\Windows\System32\SPReview
2011-09-30 03:54:02 -------- d-----w- C:\Users\Mark\AppData\Local\{CEF4E90A-ABB2-4C2D-98B4-3A74B7935D6E}
2011-09-30 03:53:51 -------- d-----w- C:\Users\Mark\AppData\Local\{27CC96A8-5C3F-4B52-A014-7769B864F3AF}
2011-09-30 01:47:36 -------- d-----w- C:\Users\Mark\AppData\Local\{34DC2BED-AC83-4DAB-AF6F-9A478D7BBBDF}
2011-09-30 01:47:22 -------- d-----w- C:\Users\Mark\AppData\Local\{D129868F-718E-41F9-8694-1A1C20B3558C}
2011-09-29 23:16:52 0 ----a-w- C:\Windows\SysWow64\0.03330696664561572.exe
2011-09-29 23:15:47 0 ----a-w- C:\Windows\SysWow64\0.01021466378633662.exe
2011-09-29 23:13:37 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-09-29 22:49:32 -------- d-----w- C:\ProgramData\Norton
2011-09-29 22:21:02 -------- d-----w- C:\Users\Mark\AppData\Roaming\Wearvy
2011-09-29 22:08:34 -------- d-----w- C:\Users\Mark\AppData\Local\{B537D00C-571B-41E9-ABD1-880063F4DB67}
2011-09-29 22:07:36 -------- d-----w- C:\Users\Mark\AppData\Local\{BEB317DF-CE37-4171-A9FA-366490CAE8C8}
2011-09-29 04:57:40 -------- d-----w- C:\Users\Mark\AppData\Local\{2F3EC14F-6BB5-4E12-A1A3-8E6A37FE720F}
2011-09-29 04:57:25 -------- d-----w- C:\Users\Mark\AppData\Local\{09A0DEEB-FEB7-415C-B992-9D26C7D8CED8}
2011-09-29 04:44:05 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2011-09-29 04:25:03 -------- d-----w- C:\Users\Mark\AppData\Local\{3A7FF71D-5430-490E-99B7-BE3228EB2BF0}
2011-09-29 04:24:50 -------- d-----w- C:\Users\Mark\AppData\Local\{CBEE78E1-80E3-4FEC-9A5C-76F78652EEA8}
2011-09-29 04:24:42 -------- d-----w- C:\Users\Mark\AppData\Roaming\U77ddEL8gRZ
2011-09-29 04:24:39 -------- d-----w- C:\Users\Mark\AppData\Roaming\tCCCeekIBrzOyx0
2011-09-29 04:24:39 -------- d-----w- C:\Users\Mark\AppData\Roaming\FjjUCCekIBrzNyA
2011-09-29 03:58:41 25160 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-09-29 03:57:42 -------- d-----w- C:\ProgramData\Hitman Pro
2011-09-29 02:40:37 -------- d-----w- C:\Users\Mark\AppData\Local\{DA0C2395-30C2-4B74-AE35-3882EA9BEE11}
2011-09-29 02:39:50 -------- d-----w- C:\Users\Mark\AppData\Roaming\RnF4pmH5QdKgZh
2011-09-29 02:07:46 0 ----a-w- C:\Windows\SysWow64\0.14582403798639632.exe
2011-09-29 01:50:23 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2011-09-29 01:48:21 -------- d-----w- C:\Users\Mark\AppData\Roaming\dwc5YNmRBoKkSWC
2011-09-29 01:48:19 -------- d-----w- C:\Users\Mark\AppData\Roaming\TPuFQ8TeN
2011-09-29 01:48:19 -------- d-----w- C:\Users\Mark\AppData\Roaming\rtv5hlAosgXlyDp
2011-09-29 01:48:19 -------- d-----w- C:\Users\Mark\AppData\Roaming\eF7qlcpEXtupETI
2011-09-29 01:48:14 -------- d-----w- C:\Users\Mark\AppData\Roaming\B7Yx3JYt3WqlcF7
2011-09-29 01:48:05 -------- d-----w- C:\Users\Mark\AppData\Roaming\aEZXezcvFGJ89we
2011-09-29 01:46:33 -------- d-----w- C:\Users\Mark\AppData\Roaming\aL99hhTXqjUCkIr
2011-09-29 01:45:59 -------- d-----w- C:\Users\Mark\AppData\Roaming\dW8R9TqUe
2011-09-29 01:44:55 -------- d-----w- C:\Users\Mark\AppData\Local\{11ACA32B-4368-4FA3-AFA1-6C2D340174D5}
2011-09-28 21:10:22 -------- d-----we C:\Windows\system64
2011-09-26 01:54:08 -------- d-----w- C:\Users\Mark\AppData\Local\{90C08324-AD66-4109-A728-90C0DA594D28}
2011-09-26 01:53:58 -------- d-----w- C:\Users\Mark\AppData\Local\{B0B1124E-46D5-44CC-9483-43EC48ECFEEC}
2011-09-23 04:26:15 -------- d-----w- C:\Users\Mark\AppData\Roaming\Easy Image Modifier
2011-09-14 18:28:44 -------- d-----w- C:\Program Files (x86)\Common Files\en-US
2011-09-14 16:23:40 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2011-09-14 16:03:58 -------- d-----w- C:\ProgramData\ALM
2011-09-14 15:58:00 -------- d-----w- C:\Users\Mark\Adobe Flash Builder 4
2011-09-14 15:31:07 -------- d-----w- C:\Users\Mark\AppData\Local\{C0F4F3F8-3436-4293-83C5-D493EB0F9B5A}
2011-09-14 15:30:42 -------- d-----w- C:\Users\Mark\AppData\Local\{6B68849D-33A0-45BE-A96A-B00CBA39C7CC}
2011-09-14 15:24:13 93240 ----a-w- C:\Windows\System32\drivers\scdemu.sys
2011-09-14 15:24:13 -------- d-----w- C:\Program Files (x86)\PowerISO
2011-09-14 15:10:08 55280 ------w- C:\Windows\System32\drivers\PxHlpa64.sys
2011-09-14 15:10:08 10224 ------w- C:\Windows\System32\drivers\cdralw2k.sys
2011-09-14 15:10:08 10224 ------w- C:\Windows\System32\drivers\cdr4_xp.sys
2011-09-14 15:10:08 -------- d-----w- C:\Program Files (x86)\My Company Name
2011-09-14 15:10:08 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared
2011-09-13 17:49:50 -------- d-----w- C:\Users\Mark\AppData\Local\{D3161BFE-B0B1-4CE2-824E-E92CF8B74B7A}
2011-09-13 17:49:39 -------- d-----w- C:\Users\Mark\AppData\Local\{8E11DFBA-04AD-4489-8AD3-B81E3491D691}
2011-09-12 18:24:03 -------- d-----w- C:\Users\Mark\AppData\Local\{C8E593D3-A505-4E29-AE6C-F316A127E67F}
2011-09-12 18:23:51 -------- d-----w- C:\Users\Mark\AppData\Local\{4FF594A8-ACDD-48AF-929B-B668441D97DF}
.
==================== Find3M ====================
.
2011-10-07 17:52:16 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2011-10-07 17:52:15 80768 ----a-w- C:\Windows\System32\LMIinit.dll
2011-10-07 17:52:15 34688 ----a-w- C:\Windows\System32\LMIport.dll
2011-10-06 02:36:55 2516 --sha-w- C:\ProgramData\KGyGaAvL.sys
2011-09-30 04:16:45 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-09-30 04:16:45 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-09-29 23:12:29 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-08-31 22:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-26 17:50:08 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-26 17:50:08 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-26 17:50:06 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-26 17:49:38 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-26 17:49:38 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-26 17:49:38 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-02 22:38:56 51712 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2011-08-02 22:38:56 4517664 ----a-w- C:\Windows\System32\usbaaplrc.dll
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 23:47:49.83 ===============

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 15 October 2011 - 04:16 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 18 October 2011 - 08:01 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 mark082

mark082
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 18 October 2011 - 09:15 AM

Thanks for your help. I ran combofix last night. It took more than an hour and I haven't had time to see how the computer is doing yet. I was going to post the results, but it seems to have deleted all the programs that were giving me the message when I tried to run them. So, chrome and ie were shot. I am taking home a chrome installer so I can post it later today.

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 18 October 2011 - 09:24 AM

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 mark082

mark082
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 18 October 2011 - 04:15 PM

Thank you. That did the trick. I had already uninstalled Chrome, but that was no biggie. Combofix seems to have fixed everything. Norton is not detecting the activity anymore. It messed up some of my icons, but other than that, everything seems to be going well. Oh, one peculiarity... The log shows that Microsoft Security Essentials was enabled/updated. I have uninstalled MSE. I can't find any processes or services running that are from MSE and it's not listed in my installed programs. Very strange. Here is the log.


ComboFix 11-10-17.02 - Mark 10/17/2011 22:08:10.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8191.5682 [GMT -5:00]
Running from: c:\users\Mark\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mark\5_n.jpg
c:\users\Mark\AppData\Local\bhl.exe
c:\users\Mark\AppData\Roaming\cPNyxA1uv23GQd8OpenCloud Security.ico
c:\users\Mark\AppData\Roaming\FaHsJfLgqYwVOpenCloud Security.ico
c:\users\Mark\AppData\Roaming\OpenCloud Security.ico
c:\users\Mark\AppData\Roaming\Wearvy
c:\users\Mark\AppData\Roaming\Wearvy\acoj.ory
c:\users\Public\Desktop\Scanner.lnk
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\80000032.@
c:\windows\assembly\tmp\U\80000064.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\SysWow64\0.01021466378633662.exe
c:\windows\SysWow64\0.03330696664561572.exe
c:\windows\SysWow64\0.14582403798639632.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-18 05:03 . 2011-10-18 05:03 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-10-12 03:59 . 2011-10-12 04:00 -------- d-----w- c:\users\Mark\AppData\Local\CrashDumps
2011-10-08 02:49 . 2011-10-08 02:49 -------- d-----w- c:\program files\iPod
2011-10-08 02:49 . 2011-10-08 02:49 -------- d-----w- c:\program files\iTunes
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files\Bonjour
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-05 03:35 . 2011-08-23 23:42 332144 ----a-w- c:\program files (x86)\Common Files\MediaOrganizer.dll
2011-10-05 03:35 . 2011-08-23 23:35 33136 ----a-w- c:\program files (x86)\Common Files\FlickrProvider.dll
2011-10-05 03:35 . 2011-08-23 23:35 402800 ----a-w- c:\program files (x86)\Common Files\facebook.dll
2011-10-05 03:35 . 2011-08-23 23:35 130416 ----a-w- c:\program files (x86)\Common Files\PluginCommon.dll
2011-10-05 03:35 . 2011-08-23 23:34 465264 ----a-w- c:\program files (x86)\Common Files\AppFramework.dll
2011-09-30 04:05 . 2011-09-30 04:05 -------- d-----w- c:\windows\system32\SPReview
2011-09-29 23:13 . 2011-09-29 23:13 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-09-29 23:12 . 2010-08-21 03:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-09-29 23:12 . 2011-09-29 23:12 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files\Symantec
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\windows\system32\drivers\N360x64
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files (x86)\Norton 360
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files (x86)\NortonInstaller
2011-09-29 22:49 . 2011-09-29 23:13 -------- d-----w- c:\programdata\Norton
2011-09-29 04:24 . 2011-09-29 04:24 -------- d-----w- c:\users\Mark\AppData\Roaming\U77ddEL8gRZ
2011-09-29 04:24 . 2011-09-29 04:24 -------- d-----w- c:\users\Mark\AppData\Roaming\tCCCeekIBrzOyx0
2011-09-29 04:24 . 2011-09-29 04:24 -------- d-----w- c:\users\Mark\AppData\Roaming\FjjUCCekIBrzNyA
2011-09-29 03:58 . 2011-10-18 05:04 25160 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-29 03:57 . 2011-09-29 04:16 -------- d-----w- c:\programdata\Hitman Pro
2011-09-29 02:39 . 2011-09-29 02:39 -------- d-----w- c:\users\Mark\AppData\Roaming\RnF4pmH5QdKgZh
2011-09-29 01:50 . 2011-09-29 01:50 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-09-29 01:48 . 2011-09-29 01:48 -------- d-----w- c:\users\Mark\AppData\Roaming\dwc5YNmRBoKkSWC
2011-09-29 01:48 . 2011-09-29 01:48 -------- d-----w- c:\users\Mark\AppData\Roaming\eF7qlcpEXtupETI
2011-09-29 01:48 . 2011-09-29 01:48 -------- d-----w- c:\users\Mark\AppData\Roaming\TPuFQ8TeN
2011-09-29 01:48 . 2011-09-29 01:48 -------- d-----w- c:\users\Mark\AppData\Roaming\rtv5hlAosgXlyDp
2011-09-29 01:48 . 2011-09-29 01:48 -------- d-----w- c:\users\Mark\AppData\Roaming\B7Yx3JYt3WqlcF7
2011-09-29 01:48 . 2011-09-29 01:48 -------- d-----w- c:\users\Mark\AppData\Roaming\aEZXezcvFGJ89we
2011-09-29 01:46 . 2011-09-29 01:46 -------- d-----w- c:\users\Mark\AppData\Roaming\aL99hhTXqjUCkIr
2011-09-29 01:45 . 2011-09-29 01:45 -------- d-----w- c:\users\Mark\AppData\Roaming\dW8R9TqUe
2011-09-28 21:24 . 2011-09-28 21:24 -------- d-----w- c:\windows\Sun
2011-09-28 21:10 . 2011-09-28 21:10 -------- d-----we c:\windows\system64
2011-09-23 04:26 . 2011-09-23 04:26 -------- d-----w- c:\users\Mark\AppData\Roaming\Easy Image Modifier
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 17:52 . 2011-07-23 15:48 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 17:52 . 2011-07-23 15:48 34688 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 17:52 . 2011-07-23 15:48 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-06 02:36 . 2011-02-09 05:58 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2011-09-30 04:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-09-30 04:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-08-31 22:00 . 2011-05-14 01:52 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-26 17:50 . 2011-08-26 17:50 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-26 17:50 . 2011-08-26 17:50 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-26 17:50 . 2011-08-26 17:50 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-26 17:49 . 2011-08-26 17:49 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-26 17:49 . 2011-08-26 17:49 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-26 17:49 . 2011-08-26 17:49 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-02 22:38 . 2011-08-02 22:38 51712 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2011-08-02 22:38 . 2011-08-02 22:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 163328]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-14 70656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Acer Product Registration"="c:\program files (x86)\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"AT&T Communication Manager"="c:\program files (x86)\AT&T\Communication Manager\ATTCM.exe" [2008-07-17 33280]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2007-11-16 91432]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"LGODDFU"="c:\program files (x86)\lg_fwupdate\fwupdate.exe" [2010-04-19 557056]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"InstantBurn"="c:\progra~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2007-06-05 599600]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-12-20 1483016]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-06-06 251744]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-08-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-31 421736]
.
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Picture Motion Browser Media Check Tool.lnk - c:\program files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-8-1 385024]
WinVNC.exe - Shortcut.lnk - c:\program files\HippoVNC\WinVNC.exe [2009-10-8 1434624]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2010-12-2 5828952]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-12-15 1207312]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-29 1156384]
QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2011\QBW32.EXE [2010-12-29 1178400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files (x86)\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files (x86)\AT&T\Communication Manager\RcAppSvc.exe [2008-07-11 111896]
R3 CAATT;AT&T Con App Svc;c:\program files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [2008-07-11 124184]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 NetFlixDownloadManager;VMC NetFlix Download Manager;c:\program files\Luttmann\vmcNetFlix\NetFlixDownloadManager.exe [2009-04-16 26624]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]
S0 CLBStor;CLBStor;c:\windows\system32\DRIVERS\CLBStor.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx64.sys [2011-10-14 1155704]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111015.030\IDSvia64.sys [2011-09-29 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\N360x64\0501000.01D\SYMNETS.SYS [x]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem; [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-10-07 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-12 15928]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-03-25 490280]
S2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2010-12-02 1251840]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-09-29 136824]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HITMANPRO35
*NewlyCreated* - LMIINFO
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3596595245-875762038-409971948-1000Core.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 21:44]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3596595245-875762038-409971948-1000UA.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 21:44]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-10-31 5430272]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1702400]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 798216]
"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-12 57928]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: freetoolsassociation.com\activegs
Trusted Zone: virtualapple.org\www
TCP: DhcpNameServer = 192.168.0.1
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Power2GoExpress - (no file)
Wow6432Node-HKLM-Run-eRecoveryService - (no file)
Wow6432Node-HKLM-Run-Corel File Shell Monitor - c:\program files (x86)\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
Wow6432Node-HKLM-Run-fD3onG4am6W7E8T511D3A - c:\program files (x86)\Internet Explorer\plugins\iexplore.exe
Wow6432Node-HKLM-Run-ifEL9gTZqYwIrOt511D3A - c:\windows\system32\drivers\svhost.exe
Wow6432Node-HKLM-Run-fNtxP0ucSiDoGaH511D3A - c:\program files (x86)\Internet Explorer\plugins\iexplore.exe
AddRemove-uTorrent - c:\program files (x86)\uTorrent\uTorrent.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
.
**************************************************************************
.
Completion time: 2011-10-18 08:25:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-18 13:25
.
Pre-Run: 71,548,428,288 bytes free
Post-Run: 70,594,871,296 bytes free
.
- - End Of File - - 83FA0C4A1BC788718783FBBCA30854B7

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 18 October 2011 - 07:30 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\users\Mark\AppData\Roaming\U77ddEL8gRZ
c:\users\Mark\AppData\Roaming\tCCCeekIBrzOyx0
c:\users\Mark\AppData\Roaming\FjjUCCekIBrzNyA
c:\users\Mark\AppData\Roaming\RnF4pmH5QdKgZh
c:\users\Mark\AppData\Roaming\dwc5YNmRBoKkSWC
c:\users\Mark\AppData\Roaming\eF7qlcpEXtupETI
c:\users\Mark\AppData\Roaming\TPuFQ8TeN
c:\users\Mark\AppData\Roaming\rtv5hlAosgXlyDp
c:\users\Mark\AppData\Roaming\B7Yx3JYt3WqlcF7
c:\users\Mark\AppData\Roaming\aEZXezcvFGJ89we
c:\users\Mark\AppData\Roaming\aL99hhTXqjUCkIr
c:\users\Mark\AppData\Roaming\dW8R9TqUe

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 mark082

mark082
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 18 October 2011 - 07:47 PM

I did as you asked. It is asking me if I want to update combofix. I would ordinarily click yes, but I wanted to make sure that wouldn't void the script that I dragged onto combofix. I will wait until I get a reply.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 18 October 2011 - 07:59 PM

yes let it update


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 mark082

mark082
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 18 October 2011 - 09:13 PM

Ok. Everything seems normal still. Should I be concerned that it thinks that MSE is installed and active?

Here is the log.


ComboFix 11-10-18.04 - Mark 10/18/2011 20:09:18.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8191.6160 [GMT -5:00]
Running from: c:\users\Mark\Desktop\ComboFix.exe
Command switches used :: c:\users\Mark\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mark\AppData\Roaming\aEZXezcvFGJ89we
c:\users\Mark\AppData\Roaming\aL99hhTXqjUCkIr
c:\users\Mark\AppData\Roaming\B7Yx3JYt3WqlcF7
c:\users\Mark\AppData\Roaming\dW8R9TqUe
c:\users\Mark\AppData\Roaming\dwc5YNmRBoKkSWC
c:\users\Mark\AppData\Roaming\eF7qlcpEXtupETI
c:\users\Mark\AppData\Roaming\eF7qlcpEXtupETI\u36hrup6Rqzc.exe
c:\users\Mark\AppData\Roaming\FjjUCCekIBrzNyA
c:\users\Mark\AppData\Roaming\RnF4pmH5QdKgZh
c:\users\Mark\AppData\Roaming\rtv5hlAosgXlyDp
c:\users\Mark\AppData\Roaming\tCCCeekIBrzOyx0
c:\users\Mark\AppData\Roaming\TPuFQ8TeN
c:\users\Mark\AppData\Roaming\U77ddEL8gRZ
.
.
((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
.
.
2011-10-19 01:21 . 2011-10-19 01:21 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-10-19 01:21 . 2011-10-19 01:21 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2011-10-19 01:21 . 2011-10-19 01:21 -------- d-----w- c:\users\iPhone\AppData\Local\temp
2011-10-19 01:21 . 2011-10-19 01:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-12 03:59 . 2011-10-12 04:00 -------- d-----w- c:\users\Mark\AppData\Local\CrashDumps
2011-10-08 02:49 . 2011-10-08 02:49 -------- d-----w- c:\program files\iPod
2011-10-08 02:49 . 2011-10-08 02:49 -------- d-----w- c:\program files\iTunes
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files\Bonjour
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-05 03:35 . 2011-08-23 23:42 332144 ----a-w- c:\program files (x86)\Common Files\MediaOrganizer.dll
2011-10-05 03:35 . 2011-08-23 23:35 33136 ----a-w- c:\program files (x86)\Common Files\FlickrProvider.dll
2011-10-05 03:35 . 2011-08-23 23:35 402800 ----a-w- c:\program files (x86)\Common Files\facebook.dll
2011-10-05 03:35 . 2011-08-23 23:35 130416 ----a-w- c:\program files (x86)\Common Files\PluginCommon.dll
2011-10-05 03:35 . 2011-08-23 23:34 465264 ----a-w- c:\program files (x86)\Common Files\AppFramework.dll
2011-09-30 04:05 . 2011-09-30 04:05 -------- d-----w- c:\windows\system32\SPReview
2011-09-29 23:13 . 2011-09-29 23:13 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-09-29 23:12 . 2010-08-21 03:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-09-29 23:12 . 2011-09-29 23:12 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files\Symantec
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\windows\system32\drivers\N360x64
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files (x86)\Norton 360
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files (x86)\NortonInstaller
2011-09-29 22:49 . 2011-09-29 23:13 -------- d-----w- c:\programdata\Norton
2011-09-29 03:58 . 2011-10-18 05:04 25160 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-29 03:57 . 2011-09-29 04:16 -------- d-----w- c:\programdata\Hitman Pro
2011-09-29 02:39 . 2011-09-29 02:39 -------- d-----w- c:\users\Mark\AppData\Roaming\RnF4mH5QJd8ZhX
2011-09-29 01:50 . 2011-09-29 01:50 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-09-29 01:46 . 2011-09-29 01:46 -------- d-----w- c:\users\Mark\AppData\Roaming\juuuvDD2obF4mGs
2011-09-29 01:45 . 2011-09-29 01:45 -------- d-----w- c:\users\Mark\AppData\Roaming\dfhjIOA23
2011-09-28 21:24 . 2011-09-28 21:24 -------- d-----w- c:\windows\Sun
2011-09-28 21:10 . 2011-09-28 21:10 -------- d-----we c:\windows\system64
2011-09-23 04:26 . 2011-09-23 04:26 -------- d-----w- c:\users\Mark\AppData\Roaming\Easy Image Modifier
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 17:52 . 2011-07-23 15:48 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 17:52 . 2011-07-23 15:48 34688 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 17:52 . 2011-07-23 15:48 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-06 02:36 . 2011-02-09 05:58 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2011-09-30 04:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-09-30 04:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-08-31 22:00 . 2011-05-14 01:52 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-26 17:50 . 2011-08-26 17:50 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-26 17:50 . 2011-08-26 17:50 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-26 17:50 . 2011-08-26 17:50 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-26 17:49 . 2011-08-26 17:49 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-26 17:49 . 2011-08-26 17:49 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-26 17:49 . 2011-08-26 17:49 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-02 22:38 . 2011-08-02 22:38 51712 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2011-08-02 22:38 . 2011-08-02 22:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-18_13.22.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 05:10 . 2011-10-18 20:44 39470 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-05 03:05 . 2011-10-18 20:44 12882 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3596595245-875762038-409971948-1000_UserData.bin
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-18 05:04 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-18 20:41 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2011-10-18 20:44 39470 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-05 03:05 . 2011-10-18 20:44 12882 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3596595245-875762038-409971948-1000_UserData.bin
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-18 05:04 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-18 20:41 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-10-18 20:52 . 2011-10-18 20:52 25088 c:\windows\Installer\60481.msi
+ 2011-10-04 18:00 . 2011-10-18 20:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-04 18:00 . 2011-10-18 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-04 18:00 . 2011-10-18 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-10-04 18:00 . 2011-10-18 20:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 660068 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 660068 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 120996 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 120996 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 660068 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 660068 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 120996 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 120996 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 163328]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-14 70656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Acer Product Registration"="c:\program files (x86)\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"AT&T Communication Manager"="c:\program files (x86)\AT&T\Communication Manager\ATTCM.exe" [2008-07-17 33280]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2007-11-16 91432]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"LGODDFU"="c:\program files (x86)\lg_fwupdate\fwupdate.exe" [2010-04-19 557056]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"InstantBurn"="c:\progra~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2007-06-05 599600]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-12-20 1483016]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-06-06 251744]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-08-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-31 421736]
.
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Picture Motion Browser Media Check Tool.lnk - c:\program files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-8-1 385024]
WinVNC.exe - Shortcut.lnk - c:\program files\HippoVNC\WinVNC.exe [2009-10-8 1434624]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2010-12-2 5828952]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-12-15 1207312]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-29 1156384]
QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2011\QBW32.EXE [2010-12-29 1178400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files (x86)\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files (x86)\AT&T\Communication Manager\RcAppSvc.exe [2008-07-11 111896]
R3 CAATT;AT&T Con App Svc;c:\program files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [2008-07-11 124184]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [x]
R3 NetFlixDownloadManager;VMC NetFlix Download Manager;c:\program files\Luttmann\vmcNetFlix\NetFlixDownloadManager.exe [2009-04-16 26624]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]
S0 CLBStor;CLBStor;c:\windows\system32\DRIVERS\CLBStor.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx64.sys [2011-10-14 1155704]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111015.030\IDSvia64.sys [2011-09-29 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\N360x64\0501000.01D\SYMNETS.SYS [x]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem; [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-10-07 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-12 15928]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-03-25 490280]
S2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2010-12-02 1251840]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-09-29 136824]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 20:47]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 20:47]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3596595245-875762038-409971948-1000Core.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 21:44]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3596595245-875762038-409971948-1000UA.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 21:44]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-10-31 5430272]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1702400]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 798216]
"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-12 57928]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: freetoolsassociation.com\activegs
Trusted Zone: virtualapple.org\www
TCP: DhcpNameServer = 192.168.0.1
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-18 20:47:22
ComboFix-quarantined-files.txt 2011-10-19 01:47
ComboFix2.txt 2011-10-18 13:25
.
Pre-Run: 65,352,478,720 bytes free
Post-Run: 65,353,908,224 bytes free
.
- - End Of File - - 696597453DFAA3F52E6556DDB199180D

#11 mark082

mark082
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 18 October 2011 - 09:14 PM

From my casual glance at the log, it looks like there were some more rogue folders created doesn't it?

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 18 October 2011 - 09:37 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\users\Mark\AppData\Roaming\RnF4mH5QJd8ZhX
c:\users\Mark\AppData\Roaming\juuuvDD2obF4mGs
c:\users\Mark\AppData\Roaming\dfhjIOA23
c:\windows\SysWow64\%APPDATA%

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 mark082

mark082
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 18 October 2011 - 11:24 PM

Same story as last time. Everything seems ok. Although it looks like there are probably still some rogue files from the log.




ComboFix 11-10-18.04 - Mark 10/18/2011 22:39:52.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8191.5571 [GMT -5:00]
Running from: c:\users\Mark\Desktop\ComboFix.exe
Command switches used :: c:\users\Mark\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mark\AppData\Roaming\dfhjIOA23
c:\users\Mark\AppData\Roaming\juuuvDD2obF4mGs
c:\users\Mark\AppData\Roaming\RnF4mH5QJd8ZhX
c:\windows\SysWow64\%APPDATA%
c:\windows\SysWow64\%APPDATA%\Microsoft\Internet Explorer\UserData\210MCOEI\mgmhppd[1].xml
c:\windows\SysWow64\%APPDATA%\Microsoft\Internet Explorer\UserData\index.dat
c:\windows\SysWow64\%APPDATA%\Microsoft\Internet Explorer\UserData\VJ6RS3J2\pmocntr2[1].xml
c:\windows\SysWow64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
.
.
2011-10-19 03:51 . 2011-10-19 03:51 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-10-19 03:51 . 2011-10-19 03:51 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2011-10-19 03:51 . 2011-10-19 03:51 -------- d-----w- c:\users\iPhone\AppData\Local\temp
2011-10-19 03:51 . 2011-10-19 03:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-12 03:59 . 2011-10-12 04:00 -------- d-----w- c:\users\Mark\AppData\Local\CrashDumps
2011-10-08 02:49 . 2011-10-08 02:49 -------- d-----w- c:\program files\iPod
2011-10-08 02:49 . 2011-10-08 02:49 -------- d-----w- c:\program files\iTunes
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files\Bonjour
2011-10-08 02:45 . 2011-10-08 02:45 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-05 03:35 . 2011-08-23 23:42 332144 ----a-w- c:\program files (x86)\Common Files\MediaOrganizer.dll
2011-10-05 03:35 . 2011-08-23 23:35 33136 ----a-w- c:\program files (x86)\Common Files\FlickrProvider.dll
2011-10-05 03:35 . 2011-08-23 23:35 402800 ----a-w- c:\program files (x86)\Common Files\facebook.dll
2011-10-05 03:35 . 2011-08-23 23:35 130416 ----a-w- c:\program files (x86)\Common Files\PluginCommon.dll
2011-10-05 03:35 . 2011-08-23 23:34 465264 ----a-w- c:\program files (x86)\Common Files\AppFramework.dll
2011-09-30 04:05 . 2011-09-30 04:05 -------- d-----w- c:\windows\system32\SPReview
2011-09-29 23:13 . 2011-09-29 23:13 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-09-29 23:12 . 2010-08-21 03:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-09-29 23:12 . 2011-09-29 23:12 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files\Symantec
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\windows\system32\drivers\N360x64
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files (x86)\Norton 360
2011-09-29 23:12 . 2011-09-29 23:12 -------- d-----w- c:\program files (x86)\NortonInstaller
2011-09-29 22:49 . 2011-09-29 23:13 -------- d-----w- c:\programdata\Norton
2011-09-29 03:58 . 2011-10-18 05:04 25160 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-29 03:57 . 2011-09-29 04:16 -------- d-----w- c:\programdata\Hitman Pro
2011-09-29 02:39 . 2011-09-29 02:39 -------- d-----w- c:\users\Mark\AppData\Roaming\LF4pmH5sQ78ZhX
2011-09-29 01:47 . 2011-09-29 01:47 -------- d-----w- c:\users\Mark\AppData\Roaming\xGQ6KfLTqUkBzyA
2011-09-29 01:46 . 2011-09-29 01:46 -------- d-----w- c:\users\Mark\AppData\Roaming\IONNtx0uc2GHsKT
2011-09-29 01:45 . 2011-09-29 01:45 -------- d-----w- c:\users\Mark\AppData\Roaming\gmdheNDmdZXez1o
2011-09-28 21:24 . 2011-09-28 21:24 -------- d-----w- c:\windows\Sun
2011-09-28 21:10 . 2011-09-28 21:10 -------- d-----we c:\windows\system64
2011-09-23 04:26 . 2011-09-23 04:26 -------- d-----w- c:\users\Mark\AppData\Roaming\Easy Image Modifier
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 17:52 . 2011-07-23 15:48 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 17:52 . 2011-07-23 15:48 34688 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 17:52 . 2011-07-23 15:48 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-06 02:36 . 2011-02-09 05:58 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2011-09-30 04:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-09-30 04:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-08-31 22:00 . 2011-05-14 01:52 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-26 17:50 . 2011-08-26 17:50 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-26 17:50 . 2011-08-26 17:50 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-26 17:50 . 2011-08-26 17:50 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-26 17:49 . 2011-08-26 17:49 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-26 17:49 . 2011-08-26 17:49 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-26 17:49 . 2011-08-26 17:49 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-02 22:38 . 2011-08-02 22:38 51712 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2011-08-02 22:38 . 2011-08-02 22:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-18_13.22.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 05:10 . 2011-10-18 20:44 39470 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-05 03:05 . 2011-10-18 20:44 12882 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3596595245-875762038-409971948-1000_UserData.bin
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-18 05:04 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-18 20:41 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2011-10-18 20:44 39470 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-05 03:05 . 2011-10-18 20:44 12882 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3596595245-875762038-409971948-1000_UserData.bin
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-05 01:22 . 2011-10-18 05:04 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-02-05 01:22 . 2011-10-18 20:41 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-18 05:04 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-18 20:41 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-10-18 20:52 . 2011-10-18 20:52 25088 c:\windows\Installer\60481.msi
+ 2011-10-04 18:00 . 2011-10-18 20:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-04 18:00 . 2011-10-18 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-04 18:00 . 2011-10-18 05:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-10-04 18:00 . 2011-10-18 20:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 660068 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 660068 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 120996 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 120996 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 660068 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 660068 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-10-09 03:34 120996 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-10-18 20:44 120996 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 01:52 762000 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 163328]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-14 70656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Acer Product Registration"="c:\program files (x86)\Acer Registration\ACE1.exe" [2007-10-15 3387392]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"AT&T Communication Manager"="c:\program files (x86)\AT&T\Communication Manager\ATTCM.exe" [2008-07-17 33280]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2007-11-16 91432]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"LGODDFU"="c:\program files (x86)\lg_fwupdate\fwupdate.exe" [2010-04-19 557056]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"InstantBurn"="c:\progra~2\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2007-06-05 599600]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-12-20 1483016]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-06-06 251744]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-08-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-31 421736]
.
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
Picture Motion Browser Media Check Tool.lnk - c:\program files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-8-1 385024]
WinVNC.exe - Shortcut.lnk - c:\program files\HippoVNC\WinVNC.exe [2009-10-8 1434624]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2010-12-2 5828952]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-12-15 1207312]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-12-29 1156384]
QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2011\QBW32.EXE [2010-12-29 1178400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files (x86)\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files (x86)\AT&T\Communication Manager\RcAppSvc.exe [2008-07-11 111896]
R3 CAATT;AT&T Con App Svc;c:\program files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [2008-07-11 124184]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [x]
R3 NetFlixDownloadManager;VMC NetFlix Download Manager;c:\program files\Luttmann\vmcNetFlix\NetFlixDownloadManager.exe [2009-04-16 26624]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]
S0 CLBStor;CLBStor;c:\windows\system32\DRIVERS\CLBStor.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111014.001\BHDrvx64.sys [2011-10-14 1155704]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111018.030\IDSvia64.sys [2011-09-29 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\N360x64\0501000.01D\SYMNETS.SYS [x]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem; [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-10-07 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-01-12 15928]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-03-25 490280]
S2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2010-12-02 1251840]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-09-29 136824]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 20:47]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 20:47]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3596595245-875762038-409971948-1000Core.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 21:44]
.
2011-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3596595245-875762038-409971948-1000UA.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 21:44]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 01:36 1174672 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-10-31 5430272]
"Skytel"="Skytel.exe" [2007-10-11 1826816]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1702400]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 798216]
"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-12 57928]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: freetoolsassociation.com\activegs
Trusted Zone: virtualapple.org\www
TCP: DhcpNameServer = 192.168.0.1
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-18 23:19:48
ComboFix-quarantined-files.txt 2011-10-19 04:19
ComboFix2.txt 2011-10-19 01:47
ComboFix3.txt 2011-10-18 13:25
.
Pre-Run: 65,380,442,112 bytes free
Post-Run: 65,101,897,728 bytes free
.
- - End Of File - - 88C3C7BD1BAFF5FFC0CEF1797FCEA8EC

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 19 October 2011 - 07:54 AM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:42 PM

Posted 23 October 2011 - 01:54 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users