Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirects and suspected rootkit


  • This topic is locked This topic is locked
12 replies to this topic

#1 Phillip S

Phillip S

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 16 December 2011 - 12:13 PM

I'm running Windows 7 Ultimate 64-bit (so I didn't run GMER). I installed Vipre Antivirus very soon after installing the OS, so I've had it for a while

My son originally saw messages from AV 2012 & Windows Protection 2012 (which we haven't installed) telling him that the computer was infected and he needed to buy their software. Also, my son's account would pop up a message asking which program to use to open the file when we double-clicked on an executable. So, we did a full scan with Vipre.

I thought I had gotten rid of them, but I now think that I just got rid of part of it. I started getting warnings from Vipre about blocking known bad files, so I used Vipre and Malwarebytes' Anti-Malware in safe mode to try and clean things up. They both found several trojans which I had them delete.

This morning, I started getting Vipre messages about bad files again, so I downloaded HiJackThis. I saw the host entries for google and noticed a program called vyes.exe in the default user startup. It wouldn't fix either of those, though. I deleted vyes.exe.

I'm pretty sure we have the google redirect issue. I sometimes get a new tab that goes to a site I've never heard of. (and there are the host entries mentioned by HiJackThis)

Currently, C:\Windows\SysWOW64\ping.exe is running. If I kill it, it will restart after a while. I used Process Monitor to try to figure out what was launching it (svchost.exe) -- while doing that, I noticed that it was writing into an Adobe Flash directory. I uninstalled Flash. Now, whenever ping.exe starts running again, it runs the Flash installer.

I downloaded Kaspersky's TDSSkiller.exe. It didn't find anything. I ran it in safe mode without networking. I also renamed it to "iexplore.exe" as suggested, but that didn't help.

I think that's everything I know.

-- Phillip


.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by phil at 11:32:41 on 2011-12-16
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.2977 [GMT -5:00]
.
AV: GFI Software VIPRE *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
SP: GFI Software VIPRE *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://searchbox.digsby.com/
uStart Page = hxxp://search.digsby.com
uSearch Bar = hxxp://searchbox.digsby.com/ie
mSearch Page = hxxp://searchbox.digsby.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://searchbox.digsby.com/search?q=%s
mSearchAssistant = hxxp://searchbox.digsby.com/ie
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "C:\Users\thomas\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [TivoServer] C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
uRun: [TivoTransfer] C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe
uRun: [TivoNotify] C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [TranscodingService] C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe
uRun: [Spotify] "C:\Users\phil\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [SBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\phil\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CNETTE~1.LNK - C:\Users\phil\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe
StartupFolder: C:\Users\phil\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENVP~1.LNK - C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Squeezebox\SqueezeTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOZYHO~1.LNK - C:\Program Files (x86)\MozyHome\mozystat.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.52.1
TCP: Interfaces\{47B7C769-B752-4801-BCBF-9AC414A25A0F} : DhcpNameServer = 192.168.52.1
TCP: Interfaces\{C459AE87-4146-444E-A6C1-CDAC04A3FC41} : NameServer = 192.168.92.1
TCP: Interfaces\{E197AD07-AC68-47D2-87B9-83C22C02D0EC} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{E197AD07-AC68-47D2-87B9-83C22C02D0EC} : DhcpNameServer = 192.168.52.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~3\GO36F4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: LastPass Browser Helper Object: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO-X64: LastPass Browser Helper Object - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
mRun-x64: [(Default)]
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [SBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
AppInit_DLLs-X64: C:\PROGRA~2\Google\GOOGLE~3\GO36F4~1.DLL
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\phil\AppData\Roaming\Mozilla\Firefox\Profiles\5hy1zzkv.default\
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-10-26 101112]
R2 SBAMSvc;VIPRE Antivirus;C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2011-11-1 3287472]
R2 SBPIMSvc;SB Recovery Service;C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2011-11-1 173424]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 acedrv11;acedrv11;\??\C:\Windows\system32\drivers\acedrv11.sys --> C:\Windows\system32\drivers\acedrv11.sys [?]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-5-24 365568]
S2 AODService;AODService;C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe [2009-5-5 124256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 DynDNS Updater;DynDNS Updater;C:\Program Files (x86)\DynDNS Updater\DynUpSvc.exe [2011-4-15 93048]
S2 Galleon;Galleon;C:\Program Files (x86)\Galleon\bin\Wrapper.exe [2009-3-24 204800]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-23 136176]
S2 sbapifs;sbapifs;C:\Windows\system32\DRIVERS\sbapifs.sys --> C:\Windows\system32\DRIVERS\sbapifs.sys [?]
S2 squeezesvc;Logitech Media Server;C:\PROGRA~2\SQUEEZ~1\server\SqueezeSvr.exe [2011-11-22 14057569]
S2 sshd;CYGWIN sshd;C:\cygwin\bin\cygrunsrv.exe [2011-10-19 68096]
S2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-10-6 2358656]
S2 tvnserver;TightVNC Server;C:\Program Files (x86)\TightVNC\tvnserver.exe [2010-7-8 815704]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files (x86)\MAGIX\Common\Database\bin\fbserver.exe [2011-3-27 1527900]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-3-23 30192]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-23 136176]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\system32\DRIVERS\ManyCam_x64.sys --> C:\Windows\system32\DRIVERS\ManyCam_x64.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 sbwtis;sbwtis;C:\Windows\system32\DRIVERS\sbwtis.sys --> C:\Windows\system32\DRIVERS\sbwtis.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 UPnPService;UPnPService;C:\Program Files (x86)\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2011-3-27 544768]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2005-9-23 4476096]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
S4 TivoBeacon2;TiVo Beacon Service;C:\Program Files (x86)\TiVo\Desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2011-12-16 13:48:50 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-12-16 13:48:50 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-12-16 13:32:28 388096 ----a-r- C:\Users\phil\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-16 13:32:28 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-12-16 12:30:24 36352 ----a-w- C:\Windows\SysWow64\5to5CtDpI.com
2011-12-15 16:30:28 -------- d-----w- C:\Users\phil\AppData\Roaming\Xupuf
2011-12-15 16:30:28 -------- d-----w- C:\Users\phil\AppData\Roaming\Ukxy
2011-12-15 12:09:25 -------- d-----we C:\Windows\system64
2011-12-15 07:57:30 -------- d-----w- C:\Users\phil\AppData\Roaming\MusicBrainz
2011-12-15 07:56:28 -------- d-----w- C:\Program Files (x86)\MusicBrainz Picard
2011-12-15 07:03:46 -------- d-----w- C:\Users\phil\AppData\Roaming\Songbird2
2011-12-15 07:03:46 -------- d-----w- C:\Users\phil\AppData\Local\Songbird2
2011-12-04 14:22:03 539984 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-12-02 06:16:51 -------- d-----w- C:\Users\phil\AppData\Local\Spotify
2011-12-02 06:16:19 -------- d-----w- C:\Users\phil\AppData\Roaming\Spotify
2011-12-02 06:13:22 -------- d-----w- C:\Users\phil\AppData\Roaming\Trillian
2011-11-30 17:03:58 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-11-30 17:03:08 4283672 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-11-30 16:45:58 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-11-30 16:45:34 539968 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-11-29 02:39:51 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-29 02:39:38 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-29 02:39:37 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-29 02:39:36 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-29 02:39:35 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-11-29 02:39:35 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-11-29 02:39:34 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-11-29 02:39:34 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-11-29 02:38:53 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-11-29 02:38:53 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-11-29 02:38:53 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-11-29 02:38:53 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-11-28 20:42:42 -------- d-----w- C:\Official server
2011-11-28 20:29:23 -------- d-----w- C:\Program Files (x86)\Spring
2011-11-27 03:24:55 -------- d-----w- C:\Users\phil\AppData\Roaming\Malwarebytes
2011-11-27 03:24:26 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-27 03:24:22 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-27 03:24:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-11-23 02:33:12 -------- d-----w- C:\updates
2011-11-23 02:32:35 -------- d-----w- C:\ProgramData\Squeezebox
2011-11-23 02:32:35 -------- d-----w- C:\Program Files (x86)\Squeezebox
2011-11-20 14:02:09 -------- d-----w- C:\Program Files\iTunes
2011-11-20 14:02:09 -------- d-----w- C:\Program Files\iPod
2011-11-20 14:02:09 -------- d-----w- C:\Program Files (x86)\iTunes
2011-11-19 03:04:06 -------- d-----w- C:\Program Files (x86)\Skype Player
2011-11-17 21:44:59 78680 ----a-w- C:\Windows\System32\XAPOFX1_4.dll
2011-11-17 02:49:02 -------- d-----w- C:\Users\phil\AppData\Local\DuplicateCleaner
2011-11-17 02:48:54 -------- d-----w- C:\Program Files (x86)\Duplicate Cleaner
.
==================== Find3M ====================
.
2011-11-01 05:42:12 45936 ----a-w- C:\Windows\SysWow64\sbbd.exe
2011-11-01 05:42:12 45936 ----a-w- C:\Windows\System32\sbbd.exe
2011-11-01 05:08:12 84600 ----a-w- C:\Windows\System32\drivers\sbwtis.sys
2011-10-26 20:40:02 57976 ----a-w- C:\Windows\System32\drivers\sbredrv.sys
2011-10-26 20:40:02 101112 ----a-w- C:\Windows\SysWow64\drivers\SBREDrv.sys
2011-10-24 18:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2011-10-12 23:34:48 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-10-12 23:34:48 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-10-12 23:34:48 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-10-12 23:34:48 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-10-11 17:52:58 15664 ----a-w- C:\Windows\SysWow64\drivers\GEARAspiWDM.sys
2011-10-11 17:52:58 109360 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2011-09-28 22:45:42 15453832 ----a-w- C:\Windows\SysWow64\xlive.dll
2011-09-28 22:45:42 13642888 ----a-w- C:\Windows\SysWow64\xlivefnt.dll
2011-08-09 23:41:46 13574696 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
.
============= FINISH: 11:34:56.34 ===============

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 AM

Posted 18 December 2011 - 04:16 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Phillip S

Phillip S
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 19 December 2011 - 06:22 AM

While I was waiting for a reply, I tried to find out more about what is/was on my system. I had consrv.dll in my Windows directory, with registry keys that loaded it as part of windows booting. When I changed the keys, it changed them back.

I ran combofix, rebooted, and ran Vipre and Malwarebytes Anti-Malware. Combofix fixed two of the keys with consrv in them, which allowed Vipre to delete the DLL. I changed the other key just to be sure.

I've also updated Java and applied all the Windows updates.

It seems to be running better. There's no ping.exe process any more, and the network usage isn't weird. I just got a redirect while going to this site, though. So, that's not fixed.

Thanks for your help!

Phillip


ComboFix 11-12-16.03 - phil 12/16/2011 17:24:47.1.3 - x64 NETWORK
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.3218 [GMT -5:00]
Running from: c:\users\phil\Documents\Downloads\Bleeping\ComboFix.exe
AV: GFI Software VIPRE *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
SP: GFI Software VIPRE *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\thomas\AppData\Roaming\Microsoft\Windows\Templates\126286f2l228e818f077w0jcy6l8
c:\windows\System64
c:\windows\SysWow64\server.log
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\thomas\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\suzy\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\stephen\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\Pop\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\karen\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\elizabeth\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\cyg_server\AppData\Local\temp
2011-12-16 22:36 . 2011-12-16 22:36 -------- d-----w- c:\users\cyg_server.ratchet\AppData\Local\temp
2011-12-16 20:09 . 2011-12-16 20:09 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-16 13:48 . 2011-12-16 15:41 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-16 13:48 . 2011-12-16 13:52 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-16 13:32 . 2011-12-16 13:32 388096 ----a-r- c:\users\phil\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-16 13:32 . 2011-12-16 13:32 -------- d-----w- c:\program files (x86)\Trend Micro
2011-12-16 12:30 . 2011-12-16 12:30 36352 ----a-w- c:\windows\SysWow64\5to5CtDpI.com
2011-12-15 16:30 . 2011-12-16 13:57 -------- d-----w- c:\users\phil\AppData\Roaming\Ukxy
2011-12-15 16:30 . 2011-12-15 17:10 -------- d-----w- c:\users\phil\AppData\Roaming\Xupuf
2011-12-15 16:30 . 2011-12-15 16:30 194560 ----a-w- c:\users\thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ihli.exe
2011-12-15 16:30 . 2011-12-15 16:30 194560 ----a-w- c:\users\suzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\houny.exe
2011-12-15 16:30 . 2011-12-15 16:30 194560 ----a-w- c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ozumby.exe
2011-12-15 16:30 . 2011-12-15 16:30 194560 ----a-w- c:\users\Pop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isush.exe
2011-12-15 16:30 . 2011-12-15 16:30 194560 ----a-w- c:\users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\visey.exe
2011-12-15 16:30 . 2011-12-15 16:30 194560 ----a-w- c:\users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yqrus.exe
2011-12-15 07:57 . 2011-12-15 07:57 -------- d-----w- c:\users\phil\AppData\Roaming\MusicBrainz
2011-12-15 07:56 . 2011-12-15 07:56 -------- d-----w- c:\program files (x86)\MusicBrainz Picard
2011-12-15 07:03 . 2011-12-15 07:31 -------- d-----w- c:\users\phil\AppData\Local\Songbird2
2011-12-15 07:03 . 2011-12-15 07:03 -------- d-----w- c:\users\phil\AppData\Roaming\Songbird2
2011-12-14 15:48 . 2011-12-14 15:49 -------- d-----w- c:\users\elizabeth\AppData\Roaming\.minecraft
2011-12-10 13:59 . 2011-12-10 13:59 -------- d-----w- c:\windows\Sun
2011-12-04 14:22 . 2011-12-04 14:22 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-12-02 06:16 . 2011-12-16 21:19 -------- d-----w- c:\users\phil\AppData\Local\Spotify
2011-12-02 06:16 . 2011-12-16 21:24 -------- d-----w- c:\users\phil\AppData\Roaming\Spotify
2011-12-02 06:13 . 2011-12-02 06:14 -------- d-----w- c:\users\phil\AppData\Roaming\Trillian
2011-12-02 06:10 . 2011-12-15 14:11 -------- d-----w- c:\program files (x86)\Trillian
2011-11-30 17:03 . 2011-11-30 17:03 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-11-30 17:03 . 2011-11-30 17:03 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-11-30 16:45 . 2011-11-30 16:45 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-11-30 16:45 . 2011-11-30 16:45 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-11-29 02:39 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-29 02:39 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-29 02:39 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-29 02:39 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-29 02:39 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2011-11-29 02:39 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-11-29 02:39 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2011-11-29 02:39 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-11-29 02:38 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-11-29 02:38 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-11-29 02:38 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-11-29 02:38 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-11-28 20:42 . 2011-11-28 20:42 -------- d-----w- C:\Official server
2011-11-28 20:42 . 2011-11-28 20:42 -------- d-----w- c:\users\thomas\AppData\Roaming\SpringLobby
2011-11-28 20:31 . 2011-11-28 20:31 -------- d-----w- c:\users\thomas\AppData\Roaming\SpringSettings
2011-11-28 20:29 . 2011-11-28 20:31 -------- d-----w- c:\program files (x86)\Spring
2011-11-28 01:45 . 2011-11-28 01:45 -------- d-----w- c:\users\thomas\AppData\Roaming\Malwarebytes
2011-11-28 01:38 . 2011-11-28 01:41 -------- d-----w- c:\users\TEMP
2011-11-27 03:24 . 2011-11-27 03:24 -------- d-----w- c:\users\phil\AppData\Roaming\Malwarebytes
2011-11-27 03:24 . 2011-11-27 03:24 -------- d-----w- c:\programdata\Malwarebytes
2011-11-27 03:24 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-27 03:24 . 2011-11-27 03:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-23 02:33 . 2011-11-23 02:33 -------- d-----w- C:\updates
2011-11-23 02:32 . 2011-12-15 03:14 -------- d-----w- c:\program files (x86)\Squeezebox
2011-11-23 02:32 . 2011-11-23 02:33 -------- d-----w- c:\programdata\Squeezebox
2011-11-20 14:02 . 2011-11-20 14:03 -------- d-----w- c:\program files\iTunes
2011-11-20 14:02 . 2011-11-20 14:03 -------- d-----w- c:\program files (x86)\iTunes
2011-11-20 14:02 . 2011-11-20 14:02 -------- d-----w- c:\program files\iPod
2011-11-20 12:53 . 2011-11-20 12:53 -------- d-----w- c:\windows\system32\Macromed
2011-11-20 05:46 . 2011-11-20 05:46 -------- d-----w- c:\users\thomas\AppData\Local\ElevatedDiagnostics
2011-11-19 03:04 . 2011-11-19 03:05 -------- d-----w- c:\users\thomas\AppData\Roaming\SkypePlayer
2011-11-19 03:04 . 2011-11-19 03:04 -------- d-----w- c:\program files (x86)\Skype Player
2011-11-18 00:29 . 2011-11-18 00:29 -------- d-----w- c:\users\thomas\AppData\Roaming\YoudaGames
2011-11-17 22:12 . 2011-11-17 22:12 -------- d-----w- c:\users\thomas\AppData\Roaming\ValuSoft
2011-11-17 21:44 . 2010-02-04 15:01 78680 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-11-17 02:49 . 2011-11-17 14:06 -------- d-----w- c:\users\phil\AppData\Local\DuplicateCleaner
2011-11-17 02:48 . 2011-11-17 02:48 -------- d-----w- c:\program files (x86)\Duplicate Cleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-15 02:15 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-11-15 02:14 . 2009-08-18 16:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-10 10:54 . 2011-03-24 14:22 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-11-04 12:20 . 2011-08-19 13:03 2379712 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-11-01 05:42 . 2011-11-01 05:42 45936 ----a-w- c:\windows\SysWow64\sbbd.exe
2011-11-01 05:42 . 2011-03-24 00:51 45936 ----a-w- c:\windows\system32\sbbd.exe
2011-11-01 05:08 . 2011-11-01 05:08 84600 ----a-w- c:\windows\system32\drivers\sbwtis.sys
2011-10-26 20:40 . 2011-10-26 20:40 101112 ----a-w- c:\windows\SysWow64\drivers\SBREDrv.sys
2011-10-26 20:40 . 2011-03-24 00:51 57976 ----a-w- c:\windows\system32\drivers\sbredrv.sys
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-10-12 23:34 . 2011-08-14 22:32 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-10-12 23:34 . 2011-08-14 22:32 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-10-12 23:34 . 2011-08-14 22:32 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-12 23:34 . 2011-08-14 22:32 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-10-11 17:52 . 2011-10-21 12:26 15664 ----a-w- c:\windows\SysWow64\drivers\GEARAspiWDM.sys
2011-10-11 17:52 . 2011-04-16 04:34 109360 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2011-09-28 22:45 . 2011-09-28 22:45 15453832 ----a-w- c:\windows\SysWow64\xlive.dll
2011-09-28 22:45 . 2011-09-28 22:45 13642888 ----a-w- c:\windows\SysWow64\xlivefnt.dll
2011-08-09 23:41 . 2011-08-09 23:41 13574696 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-24 39408]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-06-20 2736128]
"TivoServer"="c:\program files (x86)\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files (x86)\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files (x86)\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
"Spotify"="c:\users\phil\AppData\Roaming\Spotify\Spotify.exe" [2011-11-23 6856528]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Google Quick Search Box"="c:\program files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-08-18 126976]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SBAMTray"="c:\program files (x86)\GFI Software\VIPRE\SBAMTray.exe" [2011-11-01 3045744]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\cyg_server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-8-9 13574696]
Install LastPass IE RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-8-9 13574696]
.
c:\users\suzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
houny.exe [2011-12-15 194560]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\users\Pop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
isush.exe [2011-12-15 194560]
.
c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
ozumby.exe [2011-12-15 194560]
.
c:\users\phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CNET TechTracker.lnk - c:\users\phil\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe [2011-12-1 2624512]
OpenVPN GUI.lnk - c:\program files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe [2010-11-8 104712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Media Server Tray Tool.lnk - c:\program files (x86)\Squeezebox\SqueezeTray.exe [2011-11-22 3051619]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2011-9-29 5059352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [x]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-05-25 365568]
R2 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2009-05-05 124256]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DynDNS Updater;DynDNS Updater;c:\program files (x86)\DynDNS Updater\DynUpSvc.exe [2011-04-15 93048]
R2 Galleon;Galleon;c:\program files (x86)\Galleon\bin\Wrapper.exe [2009-03-25 204800]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 136176]
R2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2008-03-18 68096]
R2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
R2 tvnserver;TightVNC Server;c:\program files (x86)\TightVNC\tvnserver.exe [2010-07-08 815704]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 AODDriver;AODDriver;c:\program files (x86)\AMD\OverDrive\amd64\AODDriver.sys [2009-05-05 20024]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-03-24 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 136176]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UPnPService;UPnPService;c:\program files (x86)\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 544768]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2005-09-23 4476096]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
R4 TivoBeacon2;TiVo Beacon Service;c:\program files (x86)\TiVo\Desktop\TiVoBeacon.exe [2010-08-24 1104656]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-10-26 57976]
S2 SBAMSvc;VIPRE Antivirus;c:\program files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2011-11-01 3287472]
S2 SBPIMSvc;SB Recovery Service;c:\program files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2011-11-01 173424]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-06-20 19:05 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-16 c:\windows\Tasks\At1.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At11.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At13.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At15.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At17.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At19.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At21.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At23.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At25.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At27.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At29.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At3.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At31.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At33.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At35.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At37.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At39.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At41.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At43.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At45.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At47.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At5.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At7.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\At9.job
- c:\windows\system32\5to5CtDpI.com [2011-12-16 12:30]
.
2011-12-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-24 17:29]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 01:02]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 01:02]
.
2011-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836764253-2021145812-997551708-1003Core.job
- c:\users\thomas\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 01:08]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836764253-2021145812-997551708-1003UA.job
- c:\users\thomas\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 01:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2011-09-29 13:50 4525336 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2011-09-29 13:50 4525336 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SBRegRebootCleaner"="c:\program files (x86)\GFI Software\VIPRE\SBRC.exe" [2011-11-01 200560]
"combofix"="c:\combofix\CF32016.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="c:\combofix\CF32016.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.digsby.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://searchbox.digsby.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: LastPass - file://c:\program files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files (x86)\LastPass\context.html?cmd=fillforms
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.52.1
TCP: Interfaces\{C459AE87-4146-444E-A6C1-CDAC04A3FC41}: NameServer = 192.168.92.1
TCP: Interfaces\{E197AD07-AC68-47D2-87B9-83C22C02D0EC}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\phil\AppData\Roaming\Mozilla\Firefox\Profiles\5hy1zzkv.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Hello World_is1 - c:\program files (x86)\Hello World\unins000.exe
AddRemove-Numeric-py2.5 - c:\python25\RemoveNumeric.exe
AddRemove-pygame-py2.5 - c:\python25\Removepygame.exe
AddRemove-PythonCard-py2.5 - c:\python25\RemovePythonCard.exe
AddRemove-Sid Meier's Railroad Tycoon - c:\program files (x86)\2K Games\Sid Meier's Railroad Tycoon\uninst.exe
AddRemove-Stani's Python Editor_is1 - c:\program files (x86)\SPE\unins000.exe
AddRemove-wxPython2.8-unicode-py25_is1 - c:\python25\Lib\site-packages\wx-2.8-msw-unicode\unins000.exe
AddRemove-UnityWebPlayer - c:\users\phil\AppData\Local\Unity\WebPlayer\Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\squeezesvc]
"ImagePath"="C:/PROGRA~2/SQUEEZ~1/server/SqueezeSvr.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\squeezesvc]
"ImagePath"="C:/PROGRA~2/SQUEEZ~1/server/SqueezeSvr.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-16 17:46:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 22:46
.
Pre-Run: 71,409,352,704 bytes free
Post-Run: 75,215,839,232 bytes free
.
- - End Of File - - E7FC9BDE04091B36431CCB52C4C2AC41

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 AM

Posted 19 December 2011 - 08:13 AM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

AtJob::

File::
c:\users\thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ihli.exe
c:\users\suzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\houny.exe
c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ozumby.exe
c:\users\Pop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isush.exe
c:\users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\visey.exe
c:\users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yqrus.exe
c:\windows\system32\5to5CtDpI.com 
c:\windows\system32\5to5CtDpI.com_

Folder::
c:\users\phil\AppData\Roaming\Ukxy
c:\users\phil\AppData\Roaming\Xupuf

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Phillip S

Phillip S
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 19 December 2011 - 07:58 PM

I ran ComboFix but didn't save the log file. :-( So, I ran it again with the script and saved the log. Sorry about that.


ComboFix 11-12-19.03 - phil 12/19/2011 19:17:44.3.3 - x64 NETWORK
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.2869 [GMT -5:00]
Running from: c:\users\phil\Documents\Downloads\Bleeping\ComboFix.exe
Command switches used :: c:\users\phil\Documents\Downloads\Bleeping\CFScript.txt
AV: GFI Software VIPRE *Enabled/Updated* {445B48C3-0FA4-6B16-8F07-6506F305D800}
SP: GFI Software VIPRE *Enabled/Updated* {FF3AA927-299E-6498-B5B7-5E74888292BD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yqrus.exe"
"c:\users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\visey.exe"
"c:\users\Pop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\isush.exe"
"c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ozumby.exe"
"c:\users\suzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\houny.exe"
"c:\users\thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ihli.exe"
"c:\windows\system32\5to5CtDpI.com"
"c:\windows\system32\5to5CtDpI.com_"
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\thomas\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\suzy\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\stephen\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\Pop\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\karen\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\elizabeth\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\cyg_server\AppData\Local\temp
2011-12-20 00:29 . 2011-12-20 00:29 -------- d-----w- c:\users\cyg_server.ratchet\AppData\Local\temp
2011-12-19 18:15 . 2011-12-19 18:18 -------- d-----w- c:\users\thomas\AppData\Roaming\.minecraft
2011-12-19 18:14 . 2011-12-19 18:14 -------- d-----w- c:\users\thomas\AppData\Roaming\New folder
2011-12-18 20:46 . 2011-12-18 20:46 -------- d-----w- c:\users\thomas\jagexcache
2011-12-18 14:12 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-18 14:12 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-18 14:12 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-18 14:12 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-18 14:12 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-18 14:12 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-17 15:15 . 2011-12-18 02:19 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-16 20:09 . 2011-12-16 20:09 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-16 13:48 . 2011-12-16 15:41 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-16 13:48 . 2011-12-16 13:52 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-16 13:32 . 2011-12-16 13:32 388096 ----a-r- c:\users\phil\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-16 13:32 . 2011-12-16 13:32 -------- d-----w- c:\program files (x86)\Trend Micro
2011-12-15 16:30 . 2011-12-16 13:57 -------- d-----w- c:\users\phil\AppData\Roaming\Ukxy
2011-12-15 16:30 . 2011-12-15 17:10 -------- d-----w- c:\users\phil\AppData\Roaming\Xupuf
2011-12-15 07:57 . 2011-12-15 07:57 -------- d-----w- c:\users\phil\AppData\Roaming\MusicBrainz
2011-12-15 07:56 . 2011-12-15 07:56 -------- d-----w- c:\program files (x86)\MusicBrainz Picard
2011-12-15 07:03 . 2011-12-15 07:31 -------- d-----w- c:\users\phil\AppData\Local\Songbird2
2011-12-15 07:03 . 2011-12-15 07:03 -------- d-----w- c:\users\phil\AppData\Roaming\Songbird2
2011-12-14 15:48 . 2011-12-14 15:49 -------- d-----w- c:\users\elizabeth\AppData\Roaming\.minecraft
2011-12-10 13:59 . 2011-12-10 13:59 -------- d-----w- c:\windows\Sun
2011-12-04 14:22 . 2011-12-04 14:22 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-12-02 06:16 . 2011-12-16 21:19 -------- d-----w- c:\users\phil\AppData\Local\Spotify
2011-12-02 06:16 . 2011-12-19 22:27 -------- d-----w- c:\users\phil\AppData\Roaming\Spotify
2011-12-02 06:13 . 2011-12-02 06:14 -------- d-----w- c:\users\phil\AppData\Roaming\Trillian
2011-12-02 06:10 . 2011-12-15 14:11 -------- d-----w- c:\program files (x86)\Trillian
2011-11-30 17:03 . 2011-11-30 17:03 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-11-30 17:03 . 2011-11-30 17:03 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-11-30 16:45 . 2011-11-30 16:45 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-11-30 16:45 . 2011-11-30 16:45 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-11-29 02:39 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-29 02:39 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-29 02:39 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-29 02:39 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2011-11-29 02:39 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2011-11-29 02:39 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2011-11-29 02:39 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2011-11-29 02:38 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-11-29 02:38 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-11-29 02:38 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-11-29 02:38 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-11-28 20:42 . 2011-11-28 20:42 -------- d-----w- C:\Official server
2011-11-28 20:42 . 2011-11-28 20:42 -------- d-----w- c:\users\thomas\AppData\Roaming\SpringLobby
2011-11-28 20:31 . 2011-11-28 20:31 -------- d-----w- c:\users\thomas\AppData\Roaming\SpringSettings
2011-11-28 20:29 . 2011-11-28 20:31 -------- d-----w- c:\program files (x86)\Spring
2011-11-28 01:45 . 2011-11-28 01:45 -------- d-----w- c:\users\thomas\AppData\Roaming\Malwarebytes
2011-11-28 01:38 . 2011-11-28 01:41 -------- d-----w- c:\users\TEMP
2011-11-27 03:24 . 2011-11-27 03:24 -------- d-----w- c:\users\phil\AppData\Roaming\Malwarebytes
2011-11-27 03:24 . 2011-11-27 03:24 -------- d-----w- c:\programdata\Malwarebytes
2011-11-27 03:24 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-27 03:24 . 2011-11-27 03:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-23 02:33 . 2011-11-23 02:33 -------- d-----w- C:\updates
2011-11-23 02:32 . 2011-12-15 03:14 -------- d-----w- c:\program files (x86)\Squeezebox
2011-11-23 02:32 . 2011-11-23 02:33 -------- d-----w- c:\programdata\Squeezebox
2011-11-20 14:02 . 2011-11-20 14:03 -------- d-----w- c:\program files\iTunes
2011-11-20 14:02 . 2011-11-20 14:03 -------- d-----w- c:\program files (x86)\iTunes
2011-11-20 14:02 . 2011-11-20 14:02 -------- d-----w- c:\program files\iPod
2011-11-20 12:53 . 2011-11-20 12:53 -------- d-----w- c:\windows\system32\Macromed
2011-11-20 05:46 . 2011-11-20 05:46 -------- d-----w- c:\users\thomas\AppData\Local\ElevatedDiagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-15 02:15 . 2009-08-18 17:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-11-15 02:14 . 2009-08-18 16:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-10 10:54 . 2011-03-24 14:22 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-11-04 12:20 . 2011-08-19 13:03 2379712 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-11-01 05:42 . 2011-11-01 05:42 45936 ----a-w- c:\windows\SysWow64\sbbd.exe
2011-11-01 05:42 . 2011-03-24 00:51 45936 ----a-w- c:\windows\system32\sbbd.exe
2011-11-01 05:08 . 2011-11-01 05:08 84600 ----a-w- c:\windows\system32\drivers\sbwtis.sys
2011-10-26 20:40 . 2011-10-26 20:40 101112 ----a-w- c:\windows\SysWow64\drivers\SBREDrv.sys
2011-10-26 20:40 . 2011-03-24 00:51 57976 ----a-w- c:\windows\system32\drivers\sbredrv.sys
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-10-12 23:34 . 2011-08-14 22:32 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-10-12 23:34 . 2011-08-14 22:32 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-10-12 23:34 . 2011-08-14 22:32 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-12 23:34 . 2011-08-14 22:32 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-10-11 17:52 . 2011-10-21 12:26 15664 ----a-w- c:\windows\SysWow64\drivers\GEARAspiWDM.sys
2011-10-11 17:52 . 2011-04-16 04:34 109360 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2011-09-28 22:45 . 2011-09-28 22:45 15453832 ----a-w- c:\windows\SysWow64\xlive.dll
2011-09-28 22:45 . 2011-09-28 22:45 13642888 ----a-w- c:\windows\SysWow64\xlivefnt.dll
2011-08-09 23:41 . 2011-08-09 23:41 13574696 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-20_00.01.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-24 00:34 . 2011-12-20 00:33 38940 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-20 00:33 39948 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-03-23 23:35 . 2011-12-20 00:33 12674 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3836764253-2021145812-997551708-1000_UserData.bin
- 2011-12-19 23:55 . 2011-12-19 23:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-20 00:30 . 2011-12-20 00:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-19 23:55 . 2011-12-19 23:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-20 00:30 . 2011-12-20 00:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2011-12-19 23:53 411736 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-20 00:11 411736 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 64792 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-24 39408]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-06-20 2736128]
"TivoServer"="c:\program files (x86)\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]
"TivoTransfer"="c:\program files (x86)\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]
"TivoNotify"="c:\program files (x86)\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]
"TranscodingService"="c:\program files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]
"Spotify"="c:\users\phil\AppData\Roaming\Spotify\Spotify.exe" [2011-11-23 6856528]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Google Quick Search Box"="c:\program files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-08-18 126976]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SBAMTray"="c:\program files (x86)\GFI Software\VIPRE\SBAMTray.exe" [2011-11-01 3045744]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\cyg_server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-8-9 13574696]
Install LastPass IE RunOnce.lnk - c:\program files (x86)\Common Files\lpuninstall.exe [2011-8-9 13574696]
.
c:\users\suzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\users\phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CNET TechTracker.lnk - c:\users\phil\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe [2011-12-1 2624512]
OpenVPN GUI.lnk - c:\program files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe [2010-11-8 104712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Media Server Tray Tool.lnk - c:\program files (x86)\Squeezebox\SqueezeTray.exe [2011-11-22 3051619]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2011-9-29 5059352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
R2 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2009-05-05 124256]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 136176]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [2011-03-24 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 136176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UPnPService;UPnPService;c:\program files (x86)\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 544768]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2005-09-23 4476096]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
R4 TivoBeacon2;TiVo Beacon Service;c:\program files (x86)\TiVo\Desktop\TiVoBeacon.exe [2010-08-24 1104656]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-10-26 57976]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-05-25 365568]
S2 DynDNS Updater;DynDNS Updater;c:\program files (x86)\DynDNS Updater\DynUpSvc.exe [2011-04-15 93048]
S2 Galleon;Galleon;c:\program files (x86)\Galleon\bin\Wrapper.exe [2009-03-25 204800]
S2 SBAMSvc;VIPRE Antivirus;c:\program files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2011-11-01 3287472]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
S2 SBPIMSvc;SB Recovery Service;c:\program files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2011-11-01 173424]
S2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2008-03-18 68096]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]
S2 tvnserver;TightVNC Server;c:\program files (x86)\TightVNC\tvnserver.exe [2010-07-08 815704]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-06-20 19:05 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-24 17:29]
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 01:02]
.
2011-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-24 01:02]
.
2011-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836764253-2021145812-997551708-1003Core.job
- c:\users\thomas\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 01:08]
.
2011-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3836764253-2021145812-997551708-1003UA.job
- c:\users\thomas\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-24 01:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20 75544 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2011-09-29 13:50 4525336 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2011-09-29 13:50 4525336 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SBRegRebootCleaner"="c:\program files (x86)\GFI Software\VIPRE\SBRC.exe" [2011-11-01 200560]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.digsby.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://searchbox.digsby.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: LastPass - file://c:\program files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files (x86)\LastPass\context.html?cmd=fillforms
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.52.1
TCP: Interfaces\{C459AE87-4146-444E-A6C1-CDAC04A3FC41}: NameServer = 192.168.92.1
TCP: Interfaces\{E197AD07-AC68-47D2-87B9-83C22C02D0EC}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\phil\AppData\Roaming\Mozilla\Firefox\Profiles\5hy1zzkv.default\
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\squeezesvc]
"ImagePath"="C:/PROGRA~2/SQUEEZ~1/server/SqueezeSvr.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\squeezesvc]
"ImagePath"="C:/PROGRA~2/SQUEEZ~1/server/SqueezeSvr.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\java.exe
c:\progra~2\SQUEEZ~1\server\SqueezeSvr.exe
c:\cygwin\usr\sbin\sshd.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2011-12-19 19:39:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-20 00:39
ComboFix2.txt 2011-12-20 00:08
ComboFix3.txt 2011-12-16 22:46
.
Pre-Run: 81,280,978,944 bytes free
Post-Run: 81,181,323,264 bytes free
.
- - End Of File - - 223899B709C0527AB6D66FD73357EA47

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 AM

Posted 20 December 2011 - 12:22 AM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Phillip S

Phillip S
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 20 December 2011 - 05:28 AM

Ace of Spades
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe After Effects CS5.5
Adobe AIR
Adobe Community Help
Adobe Download Assistant
Adobe Reader X (10.1.1)
Adobe Story
Age of Empires Online
Age of Mythology
Amazon MP3 Downloader 1.0.12
AMD OverDrive
AMD VISION Engine Control Center
Ancients of Ooga - Demo
And Yet It Moves
AnkhSVN 2.3.10509.1073
Anomaly Warzone Earth Demo
AnswerWorks 5.0 English Runtime
Apago PDF Enhancer 3.2
Apago PDF Shrink 4.5
Apple Application Support
Apple Software Update
ArcSoft MediaImpression for Kodak
Atom Zombie Smasher
Batman: Arkham Asylum - Demo
Blockland
Blocks That Matter
Braid
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
CCC Help English
Chantelise - Demo
Cloning Clyde Demo
CNET TechTracker
Cogs
Company of Heroes
Crayon Physics Deluxe
Crystal Reports for Visual Studio
Demolition, Inc. Demo
DialogBlocks 4.41
Digsby
Dotfuscator Software Services - Community Edition
Dungeon Defenders Demo
Duplicate Cleaner 2.1b
DynDNS Updater
Exact Audio Copy 1.0beta1
Firebird SQL Server - MAGIX Edition 2.0.0.1 (CA)
Fortix 2 - Demo
Fraps
Galleon 2.5.5
Game Maker 7.0
GameFly
GameSpy Arcade
Garmin Communicator Plugin
Garmin USB Drivers
Garry's Mod
GIMP 2.6.11
Google Apps
Google Chrome
Google Desktop
Google Earth
Google Quick Search Box
Google SketchUp 8
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hammerfight
Hello World 0.1
HiJackThis
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2522890)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2529927)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2547352)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2548139)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2549864)
Hotfix for Microsoft Visual Studio 2010 Professional - ENU (KB2565057)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
ImgBurn
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 30
LastPass (uninstall only)
Lead and Gold - Gangs of the Wild West
Learn to Play Chess with Fritz and Chesster
LightScribe System Software
LightScribe Template Labeler
Logitech Media Server 7.7.1
Machinarium
Magic: The Gathering — Duels of the Planeswalkers 2012 - Demo
MAGIX Burn routines
MAGIX Goya burnR 1.3.1.2 (US)
MAGIX Movie Edit Pro 12 6.5.4.0 (CA)
MAGIX Music Manager 2007 8.1.0.899 (US)
MAGIX Photo Manager 2007 4.1.0.899 (US)
Malwarebytes' Anti-Malware version 1.51.2.1300
ManyCam 2.6.55 (remove only)
MemoryMixer 3
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft Silverlight 4 SDK
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Visual C++ Compilers 2010 Standard - enu - x86
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
Microsoft Visual F# 2.0 Runtime
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU
Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU Service Pack 1 (KB926601)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Professional - ENU
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 6.0 Professional Edition
Microsoft Visual Studio Macro Tools
Microsoft Web Publishing Wizard 1.53
Microsoft XML Parser
Microsoft XNA Framework Redistributable 4.0
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 8.0 (x86 en-US)
Mozilla Thunderbird (8.0)
MSDN Library for Visual Studio 2005
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
MTX
Mumble 1.2.3
MusicBrainz Picard
Nancy Drew: Last Train to Blue Moon Canyon
Nancy Drew: Message in a Haunted Mansion
Napster Download Manager
NVIDIA PhysX
OpenAL
OpenOffice.org 3.3
OpenVPN 2.1.4
Opera 11.60
Osmos
Pdf editor (Qt4 version)
PDFCanOpener
Picasa 3
Piktor 3.123
Pirates of Black Cove - Demo
Plants vs. Zombies: Game of the Year
Platform
PlayClaw
Portal
Portal 2
Prison Tycoon 4
ProtectDisc Driver, Version 11
Psychonauts Demo
PuTTY version 0.60
Python 2.5 Numeric-24.2
Python 2.5 pygame-1.7.1release
Python 2.5 PythonCard-0.8.2
Python 2.5.1
Quicken 2010
QuickTime
Realtek Ethernet Controller Driver
Recettear: An Item Shop's Tale
Revenge of the Titans
Rise of Nations
RISK Factions Demo
Scratch
Scrivener
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB2251481)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB2538218)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB2548826)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB937061)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB971023)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB973673)
Sid Meier's Railroad Tycoon
Sideway Demo
Skype Audio Player (remove only)
Skype Click to Call
Skype™ 5.5
Solar 2 - Demo
Songbird 1.10.1b1 (Build 2148)
SPE
Spotify
Spring 84.0
Spybot - Search & Destroy
Star Wars - Jedi Knight II: Jedi Outcast
Star Wars - Jedi Knight: Mysteries of the Sith
Star Wars Jedi Knight: Dark Forces II
Star Wars Jedi Knight: Jedi Academy
Star Wars: Dark Forces
Star Wars: Knights of the Old Republic
StarCraft II
Steam
Steel Storm: Burning Retribution
Summa ColorControl September 2010
swMSM
TalkShoe Live! 2.0
Team Fortress 2
TeamViewer 6
Terraria
The Binding Of Isaac
The Next BIG Thing - Demo
TightVNC 2.0.2
TiVo Desktop 2.8.2
Trillian
TurboTax 2010
TurboTax 2010 wgaiper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Unlockmaster 3
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB932232)
VIA Platform Device Manager
VIPRE Antivirus
Visual Assist X
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
VLC media player 1.1.11
Voxatron 0.1.3
VVVVVV
Waves Demo
WCF RIA Services V1.0 SP1
WinMerge 2.12.4
Worms Reloaded Demo
wxPython 2.8.7.1 (unicode) for Python 2.5
wxWidgets 2.8.12
Youda Marina

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 AM

Posted 20 December 2011 - 05:50 AM

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Phillip S

Phillip S
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 20 December 2011 - 06:45 AM

I fixed the hosts file myself yesterday (redirects). I found the MS tool to reset it to the default, but that failed. I tried it in safe mode and it wouldn't run because it couldn't use the TrustedInstaller. I was able to edit the file in safe mode, though.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8402

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

12/20/2011 6:34:36 AM
mbam-log-2011-12-20 (06-34-36).txt

Scan type: Quick scan
Objects scanned: 318098
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:40:45 AM, on 12/20/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Opera\opera.exe
C:\PROGRA~2\Java\jre6\bin\jp2launcher.exe
C:\Program Files (x86)\Java\jre6\bin\java.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.digsby.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://searchbox.digsby.com/search?q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [TivoServer] C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe
O4 - HKCU\..\Run: [TivoNotify] C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TranscodingService] C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe
O4 - HKCU\..\Run: [Spotify] "C:\Users\phil\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: CNET TechTracker.lnk = phil\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe
O4 - Startup: OpenVPN GUI.lnk = C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
O4 - Global Startup: Logitech Media Server Tray Tool.lnk = C:\Program Files (x86)\Squeezebox\SqueezeTray.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar.dll
O9 - Extra 'Tools' menuitem: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C459AE87-4146-444E-A6C1-CDAC04A3FC41}: Domain = apago.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C459AE87-4146-444E-A6C1-CDAC04A3FC41}: NameServer = 192.168.92.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E197AD07-AC68-47D2-87B9-83C22C02D0EC}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: AODService - Unknown owner - C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DynDNS Updater - Dynamic Network Services, Inc. - C:\Program Files (x86)\DynDNS Updater\DynUpSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files (x86)\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Galleon - Unknown owner - C:\Program Files (x86)\Galleon\bin\Wrapper.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: VIPRE Antivirus (SBAMSvc) - GFI Software - C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - GFI Software - C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Logitech Media Server (squeezesvc) - Logitech Inc. - C:/PROGRA~2/SQUEEZ~1/server/SqueezeSvr.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: TightVNC Server (tvnserver) - GlavSoft LLC. - C:\Program Files (x86)\TightVNC\tvnserver.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: UPnPService - Magix AG - C:\Program Files (x86)\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 14609 bytes

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 AM

Posted 20 December 2011 - 07:52 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
      O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
      O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
      O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
      O4 - HKCU\..\Run: [TivoServer] C:\Program Files (x86)\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
      O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files (x86)\TiVo\Desktop\TiVoTransfer.exe
      O4 - HKCU\..\Run: [TivoNotify] C:\Program Files (x86)\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
      O4 - HKCU\..\Run: [TranscodingService] C:\Program Files (x86)\TiVo\Desktop\Plus\\TranscodingService.exe
      O4 - HKCU\..\Run: [Spotify] "C:\Users\phil\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
      O4 - Startup: CNET TechTracker.lnk = phil\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe
      O4 - Global Startup: Logitech Media Server Tray Tool.lnk = C:\Program Files (x86)\Squeezebox\SqueezeTray.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Phillip S

Phillip S
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 20 December 2011 - 08:13 PM

I wasn't able to copy anything from the window, but it said no threats were found. Here's the log from "C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt":

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK


Thanks so much for your help! I'd probably still be trying to get rid of the consrv.dll without it (or reinstalling Windows).

Phillip

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 AM

Posted 20 December 2011 - 09:17 PM

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:13 AM

Posted 23 December 2011 - 11:39 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users