Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win 7 Anti-virus fix but Google redirect still exists


  • This topic is locked This topic is locked
20 replies to this topic

#1 az_educate

az_educate

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 16 January 2012 - 05:57 PM

I was recently infected with the Win 7 Anti-virus malware. I ran through the procedures outlined on this site for removal, including rKiller, TDSS killer, and Malwarebytes Anti-malware. The virus seemed to be removed. However, I am still experiencing Google redirects. I cannot click on any item in a Google search without it redirecting to other sites. I did not run the GMER because I have a 64-bit Windows and the information indicated that this would not work.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7600.16385
Run by Proctor at 15:40:59 on 2012-01-16
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.3235 [GMT -7:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local;192.168.*.*
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [HLBackupScheduler] C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\Proctor\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\KODAKE~1.LNK - C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: C:\Program Files (x86)\Neoteris\Secure Application Manager\gapsp.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://webaccess.azgfd.gov/dana-cached/setup/NeoterisSetup.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{6D4E7D6A-BF83-42A2-8BCC-2D4C931B186E} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{6D4E7D6A-BF83-42A2-8BCC-2D4C931B186E}\446455D434 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6D4E7D6A-BF83-42A2-8BCC-2D4C931B186E}\7496A7D6F6 : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-12-23 1157240]
S1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20120113.002\IDSviA64.sys [2012-1-13 488568]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [?]
S1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [?]
S2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-2-21 89600]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-6-12 400368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-5-21 103992]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-6-14 26680]
S2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-3-25 223088]
S2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 clwvd;HP Webcam Splitter;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
S3 EraserUtilDrvI13;EraserUtilDrvI13;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI13.sys [2012-1-16 138360]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-11-2 132656]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-9-2 227232]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys --> C:\Windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys --> C:\Windows\system32\DRIVERS\motccgpfl.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2012-01-16 05:14:19 -------- d-----w- C:\Users\Proctor\AppData\Roaming\Malwarebytes
2012-01-16 05:14:12 -------- d-----w- C:\ProgramData\Malwarebytes
2012-01-16 05:14:09 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-01-16 05:14:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-16 03:31:47 -------- d-----w- C:\Users\Proctor\AppData\Roaming\Tific
2012-01-16 03:31:20 -------- d-----w- C:\Users\Proctor\AppData\Local\Symantec
2012-01-16 00:04:31 -------- d-----we C:\Windows\system64
2012-01-16 00:04:21 332800 ----a-w- C:\Users\Proctor\AppData\Local\gcymofk.exe
2012-01-13 12:02:15 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3CE61170-A2F1-4B29-8615-43F4BD6ADEF1}\mpengine.dll
2012-01-11 03:14:33 1328640 ----a-w- C:\Windows\SysWow64\quartz.dll
2012-01-11 03:14:32 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-01-11 03:14:32 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-01-11 03:14:32 1572864 ----a-w- C:\Windows\System32\quartz.dll
2012-01-11 03:14:29 1739160 ----a-w- C:\Windows\System32\ntdll.dll
2012-01-11 03:14:29 1292592 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-01-11 03:14:26 77312 ----a-w- C:\Windows\System32\packager.dll
2012-01-11 03:14:26 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2011-12-22 06:42:20 -------- d-----w- C:\Users\Proctor\AppData\Local\HP MediaSmart Video
.
==================== Find3M ====================
.
2011-11-29 22:50:02 400168 ----a-w- C:\Windows\System32\SynCOM.dll
2011-11-29 22:50:02 271144 ----a-w- C:\Windows\System32\SynCtrl.dll
2011-11-29 22:50:02 215336 ----a-w- C:\Windows\System32\SynTPAPI.dll
2011-11-29 22:50:02 214312 ----a-w- C:\Windows\SysWow64\SynCtrl.dll
2011-11-29 22:50:02 173352 ----a-w- C:\Windows\SysWow64\SynCOM.dll
2011-11-29 22:50:02 147752 ----a-w- C:\Windows\System32\SynTPCo4.dll
2011-11-29 22:50:02 1390640 ----a-w- C:\Windows\System32\drivers\SynTP.sys
2011-11-29 22:50:02 107816 ----a-w- C:\Windows\SysWow64\SynTPCOM.dll
2011-11-24 05:00:47 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:26:29 1197568 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:23:10 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-11-05 05:17:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:35:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:34:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-11-05 04:30:11 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-05 04:07:32 482816 ----a-w- C:\Windows\System32\html.iec
2011-11-05 03:28:41 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-11-05 03:25:44 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:55:38 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:19:07 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
============= FINISH: 15:44:26.96 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:17 PM

Posted 20 January 2012 - 02:53 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 az_educate

az_educate
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 21 January 2012 - 02:45 PM

Hello gringo -

Thanks for the help.

Right now it appears that the computer is working normally again. I have tried some searches on Google (including the same oes I did before) and am not being redirected anymore.

I should say that I did have to run ComboFix twice. The first time I ran it, it got stuck at Stage_48. I even left my house and came back about an hour later and it hadn't moved. When I ran it the second time, it asked to update the software (which it didn't ask the first time), and was completed quite fast.

Here is the log from that scan:

ComboFix 12-01-21.02 - Proctor 01/21/2012 12:01:16.2.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2754 [GMT -7:00]
Running from: c:\users\Proctor\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\assembly\temp\kwrd.dll
c:\windows\system32\consrv.dll
c:\windows\system32\java.exe
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-12-21 to 2012-01-21 )))))))))))))))))))))))))))))))
.
.
2012-01-21 19:11 . 2012-01-21 19:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-16 05:14 . 2012-01-16 05:14 -------- d-----w- c:\users\Proctor\AppData\Roaming\Malwarebytes
2012-01-16 05:14 . 2012-01-16 05:14 -------- d-----w- c:\programdata\Malwarebytes
2012-01-16 05:14 . 2012-01-16 05:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-16 05:14 . 2011-12-10 22:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-16 03:31 . 2012-01-16 03:31 -------- d-----w- c:\users\Proctor\AppData\Roaming\Tific
2012-01-16 03:31 . 2012-01-16 03:31 -------- d-----w- c:\users\Proctor\AppData\Local\Symantec
2012-01-13 12:02 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3CE61170-A2F1-4B29-8615-43F4BD6ADEF1}\mpengine.dll
2012-01-11 03:14 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 03:14 . 2011-10-26 05:22 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 03:14 . 2011-10-26 05:22 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 03:14 . 2011-10-26 04:28 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 03:14 . 2011-11-17 07:14 1739160 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 03:14 . 2011-11-17 05:41 1292592 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 03:14 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 03:14 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 22:50 . 2011-11-29 22:50 400168 ----a-w- c:\windows\system32\SynCOM.dll
2011-11-29 22:50 . 2011-11-29 22:50 271144 ----a-w- c:\windows\system32\SynCtrl.dll
2011-11-29 22:50 . 2011-11-29 22:50 215336 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-11-29 22:50 . 2011-11-29 22:50 214312 ----a-w- c:\windows\SysWow64\SynCtrl.dll
2011-11-29 22:50 . 2011-11-29 22:50 173352 ----a-w- c:\windows\SysWow64\SynCOM.dll
2011-11-29 22:50 . 2011-11-29 22:50 147752 ----a-w- c:\windows\system32\SynTPCo4.dll
2011-11-29 22:50 . 2011-11-29 22:50 1390640 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-11-29 22:50 . 2011-11-29 22:50 107816 ----a-w- c:\windows\SysWow64\SynTPCOM.dll
2011-11-24 05:00 . 2011-12-13 23:03 3141632 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 05:26 . 2011-12-13 23:04 1197568 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 05:23 . 2011-12-13 23:04 57856 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 05:17 . 2011-12-13 23:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 04:35 . 2011-12-13 23:04 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2011-11-05 04:34 . 2011-12-13 23:04 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-11-05 04:30 . 2011-12-13 23:03 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-11-05 04:07 . 2011-12-13 23:04 482816 ----a-w- c:\windows\system32\html.iec
2011-11-05 03:28 . 2011-12-13 23:04 386048 ----a-w- c:\windows\SysWow64\html.iec
2011-11-05 03:25 . 2011-12-13 23:04 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-05 02:55 . 2011-12-13 23:04 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-10-26 05:19 . 2011-12-13 23:04 43520 ----a-w- c:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2011-10-23 5013128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-16 98304]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-06-14 587320]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-2 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-12-24 1157240]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20120120.002\IDSvia64.sys [2012-01-13 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-02-22 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-06-14 26680]
S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-03-25 223088]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-01-16 138360]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 17:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1885450638-4212614618-1725555435-1001Core.job
- c:\users\Proctor\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-10 02:58]
.
2012-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1885450638-4212614618-1725555435-1001UA.job
- c:\users\Proctor\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-10 02:58]
.
2012-01-20 c:\windows\Tasks\HPCeeScheduleForProctor.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-22 487424]
"combofix"="c:\combofix\CF25487.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\Neoteris\Secure Application Manager\gapsp.dll
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\hsplayer.exe
c:\program files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-01-21 12:22:43 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-21 19:22
.
Pre-Run: 352,092,344,320 bytes free
Post-Run: 357,431,640,064 bytes free
.
- - End Of File - - 502D07A68A0110AFEA5D5D544296714A

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:17 PM

Posted 21 January 2012 - 03:44 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 az_educate

az_educate
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 22 January 2012 - 06:07 PM

Gringo -

I did what you requested. ComboFix ran fine. My computer seems to be working fine.

I have tried to add the post a couple times to this reply and it keeps saying it is too long, even if I split it up. So, I just have to attach it. Unfortunately, it is too large to attach it in a single file so I have split it into two attachments a and b. I will attach a in this reply and b in the next. I hope that works for you.

Attached Files



#6 az_educate

az_educate
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 22 January 2012 - 06:09 PM

Actually, I can't post the second part because it is too large so you need to provide me another option for getting it to you.

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:17 PM

Posted 22 January 2012 - 09:32 PM

upload it to mediafire.com and send me the link here


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 az_educate

az_educate
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 24 January 2012 - 05:36 PM

Here is the link for the log file:

http://www.mediafire.com/?55mb6z42ce4eub1

#9 az_educate

az_educate
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 24 January 2012 - 05:38 PM

It should also be noted that for the first time there is a little black box that pops up every now and then and disappears. It disappears too quickly for me to get a good look, but it appears to be a DOS command box. I think it says something like "0 files copied" or something like that.

It just started happening this afternoon when I got on to check this message.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:17 PM

Posted 24 January 2012 - 07:23 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:17 PM

Posted 26 January 2012 - 11:45 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 az_educate

az_educate
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 27 January 2012 - 05:45 PM

Sorry. I got caught up with other projects. I am working on it now. I'll post the log shortly.

#13 az_educate

az_educate
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 27 January 2012 - 06:04 PM

No problems running Combofix and no apparent problems with computer. Here is the log:

ComboFix 12-01-27.01 - Proctor 01/27/2012 15:47:51.4.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2737 [GMT -7:00]
Running from: c:\users\Proctor\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 22:58 . 2012-01-27 22:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-27 22:58 . 2012-01-27 22:58 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-01-24 22:33 . 2012-01-24 22:33 -------- d-----w- c:\programdata\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-01-16 05:14 . 2012-01-16 05:14 -------- d-----w- c:\users\Proctor\AppData\Roaming\Malwarebytes
2012-01-16 05:14 . 2012-01-16 05:14 -------- d-----w- c:\programdata\Malwarebytes
2012-01-16 05:14 . 2012-01-16 05:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-16 05:14 . 2011-12-10 22:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-16 03:31 . 2012-01-16 03:31 -------- d-----w- c:\users\Proctor\AppData\Roaming\Tific
2012-01-16 03:31 . 2012-01-16 03:31 -------- d-----w- c:\users\Proctor\AppData\Local\Symantec
2012-01-13 12:02 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3CE61170-A2F1-4B29-8615-43F4BD6ADEF1}\mpengine.dll
2012-01-11 03:14 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-11 03:14 . 2011-10-26 05:22 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 03:14 . 2011-10-26 05:22 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 03:14 . 2011-10-26 04:28 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-11 03:14 . 2011-11-17 07:14 1739160 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 03:14 . 2011-11-17 05:41 1292592 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-11 03:14 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-11 03:14 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 22:50 . 2011-11-29 22:50 400168 ----a-w- c:\windows\system32\SynCOM.dll
2011-11-29 22:50 . 2011-11-29 22:50 271144 ----a-w- c:\windows\system32\SynCtrl.dll
2011-11-29 22:50 . 2011-11-29 22:50 215336 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-11-29 22:50 . 2011-11-29 22:50 214312 ----a-w- c:\windows\SysWow64\SynCtrl.dll
2011-11-29 22:50 . 2011-11-29 22:50 173352 ----a-w- c:\windows\SysWow64\SynCOM.dll
2011-11-29 22:50 . 2011-11-29 22:50 147752 ----a-w- c:\windows\system32\SynTPCo4.dll
2011-11-29 22:50 . 2011-11-29 22:50 1390640 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-11-29 22:50 . 2011-11-29 22:50 107816 ----a-w- c:\windows\SysWow64\SynTPCOM.dll
2011-11-24 05:00 . 2011-12-13 23:03 3141632 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 05:26 . 2011-12-13 23:04 1197568 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 05:23 . 2011-12-13 23:04 57856 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 05:17 . 2011-12-13 23:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 04:35 . 2011-12-13 23:04 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2011-11-05 04:34 . 2011-12-13 23:04 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-11-05 04:30 . 2011-12-13 23:03 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-11-05 04:07 . 2011-12-13 23:04 482816 ----a-w- c:\windows\system32\html.iec
2011-11-05 03:28 . 2011-12-13 23:04 386048 ----a-w- c:\windows\SysWow64\html.iec
2011-11-05 03:25 . 2011-12-13 23:04 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-05 02:55 . 2011-12-13 23:04 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-22_22.44.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-03 04:19 . 2012-01-22 23:12 41462 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-01-21 19:15 45408 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-22 23:13 45408 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-10-31 21:02 . 2012-01-22 23:13 10366 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1885450638-4212614618-1725555435-1001_UserData.bin
+ 2010-10-31 12:58 . 2012-01-27 22:41 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-10-31 12:58 . 2012-01-22 01:26 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-10-31 12:58 . 2012-01-27 22:41 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-10-31 12:58 . 2012-01-22 01:26 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-27 22:41 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-22 01:26 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-10-31 21:51 . 2012-01-22 23:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-10-31 21:51 . 2012-01-21 19:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-01-26 22:45 79976 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2010-10-31 21:51 . 2012-01-21 19:16 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-10-31 21:51 . 2012-01-22 23:13 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-10-31 21:51 . 2012-01-21 19:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-10-31 21:51 . 2012-01-22 23:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-10-31 21:00 . 2012-01-22 20:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-10-31 21:00 . 2012-01-27 22:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-10-31 21:00 . 2012-01-22 20:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-10-31 21:00 . 2012-01-27 22:34 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-24 22:35 . 2012-01-24 22:35 98304 c:\windows\Installer\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\HPSF.exe2_2EBA634C3DB04BEC8765F065A06AB6AA.exe
+ 2012-01-24 22:35 . 2012-01-24 22:35 98304 c:\windows\Installer\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\HPSF.exe1_5321553C1DE9413FB5EC5DBF79DC538E.exe
+ 2012-01-24 22:35 . 2012-01-24 22:35 98304 c:\windows\Installer\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\HPSF.exe_01B09B243E324170B7925EAE4C76365E.exe
+ 2012-01-24 22:35 . 2012-01-24 22:35 98304 c:\windows\Installer\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\ARPPRODUCTICON.exe
- 2011-09-30 18:51 . 2011-09-30 18:51 10134 c:\windows\Installer\{6F340107-F9AA-47C6-B54C-C3A19F11553F}\ARPPRODUCTICON.exe
+ 2012-01-24 22:36 . 2012-01-24 22:36 10134 c:\windows\Installer\{6F340107-F9AA-47C6-B54C-C3A19F11553F}\ARPPRODUCTICON.exe
+ 2012-01-24 22:36 . 2012-01-24 22:36 10134 c:\windows\Installer\{07FA4960-B038-49EB-891B-9F95930AA544}\ARPPRODUCTICON.exe
- 2010-09-03 05:48 . 2010-09-03 05:48 10134 c:\windows\Installer\{07FA4960-B038-49EB-891B-9F95930AA544}\ARPPRODUCTICON.exe
- 2011-09-30 18:54 . 2010-10-27 20:28 11320 c:\windows\Help\OEM\Scripts\HPSARedirectorLauncher.exe
+ 2012-01-24 22:40 . 2010-10-27 20:28 11320 c:\windows\Help\OEM\Scripts\HPSARedirectorLauncher.exe
- 2011-09-30 18:54 . 2011-04-27 17:36 21048 c:\windows\Help\OEM\Scripts\checkMui.dll
+ 2012-01-24 22:40 . 2011-04-27 17:36 21048 c:\windows\Help\OEM\Scripts\checkMui.dll
+ 2011-09-30 18:49 . 2011-09-30 18:49 22584 c:\windows\assembly\temp\GR98C1K4K9\HP.SupportFramework.Communicator.dll
- 2011-09-30 18:48 . 2011-09-30 18:48 92728 c:\windows\assembly\GAC_MSIL\hpcasl\3.5.1.1__9c6f83d5b7f3d097\hpcasl.dll
+ 2012-01-24 22:32 . 2012-01-24 22:32 92728 c:\windows\assembly\GAC_MSIL\hpcasl\3.5.1.1__9c6f83d5b7f3d097\hpcasl.dll
- 2011-09-30 18:49 . 2011-09-30 18:49 98872 c:\windows\assembly\GAC_MSIL\HP.SupportFramework.Logging\1.0.0.0__a5a013d267b3a679\HP.SupportFramework.Logging.dll
+ 2012-01-24 22:35 . 2012-01-24 22:35 98872 c:\windows\assembly\GAC_MSIL\HP.SupportFramework.Logging\1.0.0.0__a5a013d267b3a679\HP.SupportFramework.Logging.dll
- 2011-09-30 18:49 . 2011-09-30 18:49 22584 c:\windows\assembly\GAC_MSIL\HP.SupportFramework.Communicator\1.0.0.0__370cd15173f7ac8f\HP.SupportFramework.Communicator.dll
+ 2012-01-24 22:35 . 2012-01-24 22:35 22584 c:\windows\assembly\GAC_MSIL\HP.SupportFramework.Communicator\1.0.0.0__370cd15173f7ac8f\HP.SupportFramework.Communicator.dll
- 2011-09-30 18:49 . 2011-09-30 18:49 13368 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant\6.0.1.1__ff8a51a3dda870ab\HP.SupportAssistant.dll
+ 2012-01-24 22:35 . 2012-01-24 22:35 13368 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant\6.0.1.1__ff8a51a3dda870ab\HP.SupportAssistant.dll
+ 2012-01-24 22:35 . 2012-01-24 22:35 25144 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant.ServiceManager\6.0.1.1__afd7346f05a57c11\HP.SupportAssistant.ServiceManager.dll
- 2011-09-30 18:49 . 2011-09-30 18:49 25144 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant.ServiceManager\6.0.1.1__afd7346f05a57c11\HP.SupportAssistant.ServiceManager.dll
+ 2012-01-24 22:35 . 2012-01-24 22:35 74296 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant.Common\6.0.1.1__41bdec5abf54f6dc\HP.SupportAssistant.Common.dll
+ 2012-01-24 22:35 . 2012-01-24 22:35 36920 c:\windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll
- 2011-09-30 18:49 . 2011-09-30 18:49 36920 c:\windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll
- 2011-09-30 18:51 . 2011-09-30 18:51 36920 c:\windows\assembly\GAC_MSIL\HP.ActiveCheckLocalMode.SessionManager\1.1.0.0__87cc6405259abc0f\HP.ActiveCheckLocalMode.SessionManager.dll
+ 2012-01-24 22:36 . 2012-01-24 22:36 36920 c:\windows\assembly\GAC_MSIL\HP.ActiveCheckLocalMode.SessionManager\1.1.0.0__87cc6405259abc0f\HP.ActiveCheckLocalMode.SessionManager.dll
- 2011-09-30 18:51 . 2011-09-30 18:51 32312 c:\windows\assembly\GAC_MSIL\HP.ActiveCheckLocalMode.ServiceFacade\1.1.0.0__87cc6405259abc0f\HP.ActiveCheckLocalMode.ServiceFacade.dll
+ 2012-01-24 22:36 . 2012-01-24 22:36 32312 c:\windows\assembly\GAC_MSIL\HP.ActiveCheckLocalMode.ServiceFacade\1.1.0.0__87cc6405259abc0f\HP.ActiveCheckLocalMode.ServiceFacade.dll
- 2011-09-30 18:48 . 2011-09-30 18:48 77880 c:\windows\assembly\GAC_MSIL\CaslShared\3.5.1.1__9c6f83d5b7f3d097\CaslShared.dll
+ 2012-01-24 22:32 . 2012-01-24 22:32 77880 c:\windows\assembly\GAC_MSIL\CaslShared\3.5.1.1__9c6f83d5b7f3d097\CaslShared.dll
+ 2012-01-27 22:43 . 2012-01-27 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-22 22:26 . 2012-01-22 22:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-27 22:43 . 2012-01-27 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-22 22:26 . 2012-01-22 22:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-24 22:40 . 2006-09-29 21:28 4096 c:\windows\Help\OEM\Scripts\Interop.HelpPane.dll
- 2011-09-30 18:54 . 2006-09-29 21:28 4096 c:\windows\Help\OEM\Scripts\Interop.HelpPane.dll
+ 2012-01-24 22:40 . 2008-12-03 17:24 7168 c:\windows\Help\OEM\Scripts\HPHS_Launcher.exe
- 2011-09-30 18:54 . 2008-12-03 17:24 7168 c:\windows\Help\OEM\Scripts\HPHS_Launcher.exe
+ 2009-07-14 04:54 . 2012-01-27 22:32 376832 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-22 22:22 376832 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-10-31 21:51 . 2012-01-27 22:32 391988 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-01-24 13:53 624412 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-19 14:08 624412 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-19 14:08 106756 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-01-24 13:53 106756 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-01-22 22:25 404068 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-27 22:40 404068 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-24 22:36 . 2012-01-24 22:36 412832 c:\windows\Installer\a29ba11.msi
+ 2012-01-24 22:35 . 2012-01-24 22:35 877624 c:\windows\assembly\GAC_MSIL\HP.SupportFramework\1.0.0.0__2a4860322af7ba08\HP.SupportFramework.dll
- 2011-09-30 18:49 . 2011-09-30 18:49 150584 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant.Engine\6.0.1.1__e1eab6ede003577a\HP.SupportAssistant.Engine.dll
+ 2012-01-24 22:35 . 2012-01-24 22:35 150584 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant.Engine\6.0.1.1__e1eab6ede003577a\HP.SupportAssistant.Engine.dll
+ 2009-07-14 04:54 . 2012-01-27 22:32 3457024 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-22 22:22 3457024 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-22 22:22 1458176 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-27 22:32 1458176 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:45 . 2012-01-11 12:36 3777877 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2012-01-26 22:44 3777877 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2010-09-18 09:50 . 2012-01-20 03:23 3124344 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-09-18 09:50 . 2012-01-27 22:40 3124344 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-11-03 00:19 . 2012-01-22 22:25 2574340 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1885450638-4212614618-1725555435-1001-8192.dat
+ 2010-11-03 00:19 . 2012-01-27 22:40 2574340 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1885450638-4212614618-1725555435-1001-8192.dat
+ 2011-08-24 00:01 . 2011-08-24 00:01 3480576 c:\windows\Installer\a29ba06.msi
+ 2012-01-24 22:35 . 2012-01-24 22:35 2430008 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant.Localization\6.0.1.1__a2352a4c73e11587\HP.SupportAssistant.Localization.dll
- 2011-09-30 18:49 . 2011-09-30 18:49 2430008 c:\windows\assembly\GAC_MSIL\HP.SupportAssistant.Localization\6.0.1.1__a2352a4c73e11587\HP.SupportAssistant.Localization.dll
- 2009-07-14 02:34 . 2012-01-22 20:00 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-01-27 22:42 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2012-01-24 22:33 . 2012-01-24 22:33 47848756 c:\windows\Installer\a29b9ff.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2011-10-23 5013128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-16 98304]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-06-14 587320]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-2 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20120121.002\BHDrvx64.sys [2011-12-24 1157240]
R1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20120125.002\IDSvia64.sys [2011-12-15 488568]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [x]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [x]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-02-22 89600]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-10 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
R2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-06-14 26680]
R2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-03-25 223088]
R2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
R2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-01-16 138360]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 17:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1885450638-4212614618-1725555435-1001Core.job
- c:\users\Proctor\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-10 02:58]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1885450638-4212614618-1725555435-1001UA.job
- c:\users\Proctor\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-10 02:58]
.
2012-01-24 c:\windows\Tasks\HPCeeScheduleForProctor.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-22 487424]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\Neoteris\Secure Application Manager\gapsp.dll
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-27 16:01:50
ComboFix-quarantined-files.txt 2012-01-27 23:01
ComboFix2.txt 2012-01-22 22:47
ComboFix3.txt 2012-01-21 19:22
.
Pre-Run: 354,309,234,688 bytes free
Post-Run: 353,839,255,552 bytes free
.
- - End Of File - - 9C9003834F58AC72D403509F7EE51FD0

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:17 PM

Posted 27 January 2012 - 09:58 PM

Greetings

Run in normal mode

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:17 PM

Posted 29 January 2012 - 11:49 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users