
IE Popups and Google redirect


This topic is locked.
26 replies to this topic

#1 jillchristine

Posted 29 January 2012 - 04:01 PM

Okay, so here goes...

My computer has constant IE popups and on Firefox Google is redirecting to random sites, which then redirect back to my initial Google search. I ran Malwarebytes several times, and every time it finds trojans and removes them, only to have new ones back up for the next scan. Recently, my computer's background changed to black, and the start menu lost all its pinned icons, and my icon tray has gone blank.

Even when my computer has no IE up (which I never use anyway, it only starts running from popups), the task manager shows IE running with over one million K memory. This is usually what's slowing my computer down, and so I end it through task manager and my computer is running smoothly again until the pop up starts over again. Occasionally, a windows download manager pops up with a list of all these random downloads that I don't recognize. I don't know if this is a fake pop up, or real downloads infecting my computer.

I tried to turn on my firewall as the Bleeping Computer instructions say to do. I got an error message reading "Due to an unidentified problem, Windows cannot display Windows Firewall settings." Per the instructions, I ran DDS, and attached the two files to this post. When I ran GMER, most of the check boxes were grayed out. The only available options were Services, Registry, and Files. The instructions had more options activated, so I wasn't sure if this was a problem. That log is also attached.

Thanks in advance for all your help!

Attached Files





#2 RPMcMurphy

Malware Response Team

Posted 30 January 2012 - 07:40 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 jillchristine (Topic Starter)

Posted 31 January 2012 - 06:21 PM

ComboFix 12-01-30.02 - Jill 01/31/2012 6:54.7.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1571 [GMT -6:00]
Running from: c:\users\Jill\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jill\AppData\Roaming\Acfud
c:\users\Jill\AppData\Roaming\Acfud\egny.exe
c:\users\Jill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\Jill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\Jill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\SysWow64\windrv.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 13:29 . 2012-01-31 13:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-01-31 13:29 . 2012-01-31 13:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-31 13:29 . 2012-01-31 13:29 -------- d-----w- c:\users\AppData\AppData\Local\temp
2012-01-28 00:10 . 2012-01-31 12:39 -------- d-----w- c:\users\Jill\AppData\Roaming\Hega
2012-01-20 01:31 . 2012-01-20 01:31 5 ----a-w- c:\windows\SysWow64\lMMLDeleteUserData42107612FX.tmp
2012-01-20 01:16 . 2012-01-20 01:25 -------- d-----w- c:\users\Jill\.gstreamer-0.10
2012-01-19 02:17 . 2012-01-19 02:17 -------- d-----w- c:\users\Jill\AppData\Local\Motorola
2012-01-19 02:16 . 2012-01-19 02:16 -------- d-----w- c:\program files (x86)\Common Files\Nero
2012-01-19 02:16 . 2012-01-20 01:32 -------- d-----w- c:\programdata\Nero
2012-01-19 02:16 . 2012-01-19 02:17 -------- d-----w- c:\programdata\Motorola
2012-01-14 23:30 . 2012-01-14 23:30 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-01-14 23:30 . 2012-01-14 23:30 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-01-14 23:30 . 2012-01-14 23:30 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-01-14 23:30 . 2012-01-14 23:30 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-07 02:58 . 2011-09-03 19:17 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 21:24 . 2010-02-28 21:12 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:57 . 2011-12-14 03:54 2764800 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:58 . 2011-12-14 03:54 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-08 14:42 . 2011-12-14 03:54 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-11-04 01:53 . 2011-12-14 03:55 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-11-04 01:44 . 2011-12-14 03:55 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 01:44 . 2011-12-14 03:55 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 01:34 . 2011-12-14 03:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-03 22:47 . 2011-12-14 03:55 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-11-03 22:40 . 2011-12-14 03:55 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-11-03 22:39 . 2011-12-14 03:55 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-11-03 22:31 . 2011-12-14 03:55 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-10-06 17:51 . 2011-10-06 17:51 4245600 ----a-r- c:\program files (x86)\ComFix.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-16_22.46.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-11 14:57 . 2011-11-18 17:47 66560 c:\windows\SysWOW64\packager.dll
+ 2012-01-11 14:57 . 2011-10-14 16:00 23552 c:\windows\SysWOW64\mciseq.dll
- 2006-11-02 12:13 . 2006-11-02 09:46 23552 c:\windows\SysWOW64\mciseq.dll
+ 2011-12-26 16:19 . 2011-12-31 07:32 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-11-15 21:53 . 2011-12-31 07:49 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2008-01-21 02:23 . 2012-01-20 03:05 65498 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-01-31 13:38 86534 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-17 19:52 . 2012-01-31 13:38 17010 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3747391320-3364095506-2391247398-1000_UserData.bin
+ 2012-01-11 14:57 . 2011-11-18 18:07 76800 c:\windows\system32\packager.dll
+ 2012-01-11 14:57 . 2011-10-14 17:27 28672 c:\windows\system32\mciwave.dll
- 2006-11-02 09:53 . 2006-11-02 11:17 28672 c:\windows\system32\mciwave.dll
- 2006-11-02 09:53 . 2006-11-02 11:17 28160 c:\windows\system32\mciseq.dll
+ 2012-01-11 14:57 . 2011-10-14 17:27 28160 c:\windows\system32\mciseq.dll
+ 2012-01-11 14:57 . 2011-10-14 17:27 48128 c:\windows\system32\mcicda.dll
- 2006-11-02 09:53 . 2006-11-02 11:17 48128 c:\windows\system32\mcicda.dll
+ 2009-08-17 19:47 . 2011-12-31 05:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-17 19:47 . 2011-12-16 22:18 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-17 19:47 . 2011-12-31 05:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-17 19:47 . 2011-12-16 22:18 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-17 19:47 . 2011-12-31 05:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-08-17 19:47 . 2011-12-16 22:18 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-31 14:54 . 2011-12-27 02:51 43280 c:\windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe
+ 2011-12-31 14:54 . 2011-12-27 02:51 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2012-01-19 01:28 . 2012-01-19 01:28 95744 c:\windows\Installer\57744d3.msi
- 2006-11-02 12:40 . 2011-10-25 16:02 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 12:40 . 2012-01-20 01:33 86016 c:\windows\inf\infstor.dat
- 2006-11-02 12:40 . 2011-10-25 16:02 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 12:40 . 2012-01-20 01:33 51200 c:\windows\inf\infpub.dat
+ 2012-01-02 20:04 . 2012-01-02 20:04 54784 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\32988c989fec0b0a6ea7420b687847f0\System.Web.DynamicData.Design.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\45904e3cf3a3043ade103996f8a89a5b\System.Web.DynamicData.Design.ni.dll
+ 2009-08-18 13:23 . 2012-01-20 01:13 2026 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2012-01-20 03:03 . 2012-01-31 13:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-16 22:46 . 2011-12-16 22:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-16 22:46 . 2011-12-16 22:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-20 03:03 . 2012-01-31 13:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-11 14:57 . 2011-10-14 16:03 189952 c:\windows\SysWOW64\winmm.dll
- 2009-12-05 01:28 . 2009-04-11 06:28 189952 c:\windows\SysWOW64\winmm.dll
- 2009-12-05 01:28 . 2009-04-11 06:28 497152 c:\windows\SysWOW64\qdvd.dll
+ 2012-01-11 14:57 . 2011-10-25 15:58 497152 c:\windows\SysWOW64\qdvd.dll
+ 2012-01-07 02:58 . 2012-01-07 02:58 247968 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe
- 2009-08-18 13:25 . 2011-12-16 22:28 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-08-18 13:25 . 2011-12-31 07:49 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-01-21 03:20 . 2012-01-31 13:36 245760 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-15 23:08 . 2011-06-17 16:16 451072 c:\windows\system32\winsrv.dll
+ 2012-01-11 14:57 . 2011-11-25 16:25 451072 c:\windows\system32\winsrv.dll
- 2009-12-05 01:28 . 2009-04-11 07:11 211968 c:\windows\system32\winmm.dll
+ 2012-01-11 14:57 . 2011-10-14 17:31 211968 c:\windows\system32\winmm.dll
+ 2009-08-18 01:11 . 2011-12-31 06:56 247028 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-08-17 22:18 . 2012-01-31 09:00 328940 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2012-01-11 14:57 . 2011-10-25 16:13 352256 c:\windows\system32\qdvd.dll
- 2009-12-05 01:28 . 2009-04-11 07:11 352256 c:\windows\system32\qdvd.dll
+ 2006-11-02 12:46 . 2012-01-29 21:55 652090 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-01-29 21:55 122692 c:\windows\system32\perfc009.dat
- 2011-02-15 12:54 . 2011-12-16 22:45 274244 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-15 12:54 . 2012-01-20 03:02 274244 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-12-26 11:47 . 2011-12-26 11:47 261912 c:\windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
+ 2011-12-31 14:54 . 2011-12-27 02:51 744720 c:\windows\Microsoft.NET\Framework64\v2.0.50727\webengine.dll
+ 2011-12-26 10:39 . 2011-12-26 10:39 192792 c:\windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
+ 2011-12-31 14:54 . 2011-12-27 02:51 436496 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2006-11-02 12:40 . 2012-01-20 01:33 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 12:40 . 2011-10-25 16:02 143360 c:\windows\inf\infstrng.dat
+ 2012-01-11 14:57 . 2011-11-01 16:35 196096 c:\windows\ehome\mstvcapn.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 187392 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\305bff6f5396544a7bfc56e84bfa1e87\System.Web.Routing.ni.dll
+ 2012-01-02 20:04 . 2012-01-02 20:04 449536 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity\0e0a0efe9ab9642700a8f57a4edbe976\System.Web.Entity.ni.dll
+ 2012-01-02 20:04 . 2012-01-02 20:04 398848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity.D#\d5d13f24e51a4fa41be09b8d2241f600\System.Web.Entity.Design.ni.dll
+ 2012-01-02 20:04 . 2012-01-02 20:04 754176 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\86f7d8a68c51823d89921f55ff7e2603\System.Web.DynamicData.ni.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 204800 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Abstract#\40994da02056e19475c5958f64195807\System.Web.Abstractions.ni.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 438784 c:\windows\assembly\NativeImages_v2.0.50727_64\ServiceModelReg\6ba06b090714e51e8a92499ade057045\ServiceModelReg.ni.exe
+ 2012-01-02 20:05 . 2012-01-02 20:05 634368 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\69516fa94785ffdd2daeb4d27162dcbb\WindowsLiveLocal.WriterPlugin.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 890880 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f5c0838992018101dae62373ad5fb6aa\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 871936 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\7034b31825fa81917034d27511951629\WindowsLive.Writer.BlogClient.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 156672 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\4c370151e6463d6abc699f15c50d6361\WindowsLive.Writer.HtmlParser.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\1d3da9468a4b3eaf6e2ea9def503d888\System.Web.Routing.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\dba78af9f778d38117fe4ccf5f4c76f7\System.Web.Extensions.Design.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\fcd6fda81cab3ace8b9d77887a01e892\System.Web.Entity.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\337de84cce8fc2bcbbf7900132abbc2f\System.Web.Entity.Design.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\d8313ac5d702f0ffc0e77ea9d945cfd2\System.Web.DynamicData.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\0de7bfc89e883f66f872c1158e06d5cb\System.Web.Abstractions.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\311bc26c3ed83409589eb6bae0eeb86e\System.Runtime.Remoting.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\c60afe58108cefe6b558996f0d9a1c11\System.Data.Entity.Design.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\050c7465e7222cdab000294af3131403\ServiceModelReg.ni.exe
- 2010-02-11 02:58 . 2009-12-04 18:29 1314816 c:\windows\SysWOW64\quartz.dll
+ 2012-01-11 14:57 . 2011-10-25 15:58 1314816 c:\windows\SysWOW64\quartz.dll
+ 2012-01-11 14:57 . 2011-11-18 20:55 1167984 c:\windows\SysWOW64\ntdll.dll
+ 2011-01-05 03:23 . 2012-01-07 02:58 8527008 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
+ 2008-01-21 03:20 . 2012-01-31 13:36 3194880 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-01-31 13:36 6619136 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-11 14:57 . 2011-10-25 16:13 1570816 c:\windows\system32\quartz.dll
- 2010-02-11 02:58 . 2009-12-04 18:51 1570816 c:\windows\system32\quartz.dll
+ 2012-01-11 14:57 . 2011-11-18 20:55 1585152 c:\windows\system32\ntdll.dll
+ 2011-11-07 20:08 . 2012-01-20 03:02 2372068 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3747391320-3364095506-2391247398-1000-12288.dat
+ 2011-11-16 00:49 . 2011-12-31 08:44 5798824 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2011-12-31 14:54 . 2011-12-27 02:51 5259264 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Web.dll
+ 2011-12-31 14:54 . 2011-12-27 02:51 5251072 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2011-12-25 11:48 . 2011-12-25 11:48 1505792 c:\windows\Installer\93551.msp
+ 2011-12-26 12:24 . 2011-12-26 12:24 8835072 c:\windows\Installer\93549.msp
+ 2012-01-02 20:04 . 2012-01-02 20:04 1754112 c:\windows\assembly\NativeImages_v2.0.50727_64\System.WorkflowServ#\4223600dc6133441b1898abaf12031ca\System.WorkflowServices.ni.dll
+ 2012-01-02 16:19 . 2012-01-02 16:19 2702848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Run#\afbeeaf9c41f39886704cbf181b1feb2\System.Workflow.Runtime.ni.dll
+ 2012-01-02 16:18 . 2012-01-02 16:18 5956608 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Com#\ac5a3688b743358aa5b24b9efd971d9d\System.Workflow.ComponentModel.ni.dll
+ 2012-01-02 16:18 . 2012-01-02 16:18 3893248 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Act#\007c8c2f4141fd472da7d3558efba598\System.Workflow.Activities.ni.dll
+ 2012-01-02 20:00 . 2012-01-02 20:00 2291712 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Services\f3222dbcdeebd53ee1c3f88c9ebf6c94\System.Web.Services.ni.dll
+ 2012-01-02 20:04 . 2012-01-02 20:04 3335680 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Mobile\525e8846136415d472c2e7ba482ccd54\System.Web.Mobile.ni.dll
+ 2012-01-02 20:04 . 2012-01-02 20:04 1154560 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\cedfd9b90274b017d11ed50abe8634e8\System.Web.Extensions.Design.ni.dll
+ 2012-01-02 20:04 . 2012-01-02 20:04 3046912 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\c0d2bc2e2357ed023b85d18b96e21d60\System.Web.Extensions.ni.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 2239488 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel#\cb5200c2d67ebf37333bdd57a06e7a11\System.ServiceModel.Web.ni.dll
+ 2012-01-02 20:00 . 2012-01-02 20:00 1022464 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\a0a442c47ac0b846bb886aa405a10138\System.Runtime.Remoting.ni.dll
+ 2012-01-02 20:01 . 2012-01-02 20:01 1428992 c:\windows\assembly\NativeImages_v2.0.50727_64\System.IdentityModel\74f5ddf803f50c428293fe6115d6eea7\System.IdentityModel.ni.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 1845248 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Services\3a35cfdccde13bc82cad2d185cbf499b\System.Data.Services.ni.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 1078272 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity.#\31ea0ae493a84f5f9fdb53ac2ea0ef5e\System.Data.Entity.Design.ni.dll
+ 2012-01-02 20:02 . 2012-01-02 20:02 7836672 c:\windows\assembly\NativeImages_v2.0.50727_64\MIGUIControls\6029a4ca1be3d971d470eb2c1ff627e0\MIGUIControls.ni.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 2173952 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\7fe40682a4f2f30ddb25da3a8796d282\Microsoft.VisualBasic.ni.dll
+ 2012-01-02 20:03 . 2012-01-02 20:03 2101248 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\23408f67b7fddc32d03fa6d8deeafcd7\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-01-02 20:02 . 2012-01-02 20:02 7721472 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\3894a5164ae656639bed7f6270f97182\Microsoft.MediaCenter.UI.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 7023616 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6db4d77db4b9374e7c68656cc89ba0f0\WindowsLive.Writer.PostEditor.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 2193408 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1df1d5ab7fff1550f05f60a41b86392f\WindowsLive.Writer.CoreServices.ni.dll
+ 2012-01-02 20:07 . 2012-01-02 20:07 1316864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\32a67054a82cf24c011e116e94d11864\System.WorkflowServices.ni.dll
+ 2012-01-02 16:20 . 2012-01-02 16:20 1911296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\8bfc3619e3848592a4924cba58a00459\System.Workflow.Runtime.ni.dll
+ 2012-01-02 16:20 . 2012-01-02 16:20 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\3721ccdfdca60443a32ca9f8a937f315\System.Workflow.ComponentModel.ni.dll
+ 2012-01-02 16:20 . 2012-01-02 16:20 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\79e0fe6c014999d64e7cf9717624013f\System.Workflow.Activities.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\2cf510e07b605923c496b1ae3c31335f\System.Web.Services.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\800af0d5c4bcd9b600a229050b22d6bd\System.Web.Mobile.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c759aa20f1f012c1dc5dd7076d0816f7\System.Web.Extensions.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 1651200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\3c93a9b25482a56053eb509a58860dbf\System.ServiceModel.Web.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\6a1e2938633d08d9d97c6940a537b1ff\System.IdentityModel.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\d75b561b3c22f68af985785352660022\System.Data.Services.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 6340096 c:\windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\6e0b0d4d67c760e1e2f6cfd7cd6a8492\MIGUIControls.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 1711616 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\902ba03598b46f478f3d7561ece592e6\Microsoft.VisualBasic.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 1609728 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a87927f7dc8997fa2854c8dee4bd98c4\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-01-02 20:06 . 2012-01-02 20:06 5486080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\bb28192d6fcdca44077406c2bf1ad37c\Microsoft.MediaCenter.UI.ni.dll
+ 2011-12-31 14:54 . 2011-12-27 02:51 5259264 c:\windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2011-12-31 14:54 . 2011-12-27 02:51 5251072 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2006-11-02 12:33 . 2011-12-14 13:33 11272192 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 12:33 . 2012-01-29 23:05 11272192 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 12:35 . 2012-01-14 00:00 54008112 c:\windows\system32\mrt.exe
+ 2012-01-02 20:00 . 2012-01-02 20:00 15245824 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web\0a2ea7a9a9d9fd9ae47468adbdee2e05\System.Web.ni.dll
+ 2012-01-02 20:01 . 2012-01-02 20:01 23813632 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel\efc60b11b649ed506c64172b3373f936\System.ServiceModel.ni.dll
+ 2012-01-02 16:18 . 2012-01-02 16:18 13718528 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Design\c41b930b44ddfaef2faf314f690bb35e\System.Design.ni.dll
+ 2012-01-02 20:02 . 2012-01-02 20:02 15825920 c:\windows\assembly\NativeImages_v2.0.50727_64\ehshell\b8a06c151452395f513aaa5d730fb5a4\ehshell.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 11820032 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\fecd1103dd16dc1192402770caf56575\System.Web.ni.dll
+ 2012-01-02 20:05 . 2012-01-02 20:05 17404416 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\a2046fbb45b00425d083cc8706b75479\System.ServiceModel.ni.dll
+ 2012-01-02 16:20 . 2012-01-02 16:20 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\30a87086e78b69d17416bfb74aab355f\System.Design.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jill\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jill\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Jill\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"FATrayAlert"="c:\program files (x86)\Sensible Vision\Fast Access\FATrayMon.exe" [2009-03-07 95496]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"FAStartup"="" [BU]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-14 1527128]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
c:\users\Jill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Jill\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files (x86)\Audible\Bin\AudibleDownloadHelper.exe [N/A]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-3-1 5828952]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-7-6 1156968]
QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2009\QBW32.EXE [2011-7-6 1178984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2009-03-07 19:15 140552 ----a-w- c:\program files (x86)\Sensible Vision\Fast Access\FALogNot.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-28 18:37]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-28 18:37]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Jill\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Jill\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Jill\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\Jill\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-25 305664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-30 15960608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-30 82464]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://home.joobers.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://search.joobers.com/toolbar/SearchAssistant
uCustomizeSearch = hxxp://search.joobers.com/toolbar/CustomizeSearch
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Jill\AppData\Roaming\Mozilla\Firefox\Profiles\itjo0dma.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z133&form=ZGAADF&install_date=20110925&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-{F3A75C62-A7B4-63CB-34A7-A95CEEFA4347} - c:\users\Jill\AppData\Roaming\Acfud\egny.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{048DBD20-445E8C82-05040104}]
"ImagePath"="\??\c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3747391320-3364095506-2391247398-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ó3š0]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3747391320-3364095506-2391247398-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ó3š0\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Sensible Vision\Fast Access\FAService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Dell\DellComms\bin\sprtsvc.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Sensible Vision\Fast Access\FATrayAlert.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2012-01-31 08:01:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-31 14:01
ComboFix2.txt 2011-12-31 09:14
ComboFix3.txt 2011-12-16 22:54
ComboFix4.txt 2011-12-14 02:13
ComboFix5.txt 2012-01-31 12:45
.
Pre-Run: 166,318,555,136 bytes free
Post-Run: 166,418,599,936 bytes free
.
- - End Of File - - 36F89EC8CB41352646A9936F8839F4A3


Thanks!


Edited by RPMcMurphy, 31 January 2012 - 09:53 PM.
added log


#4 RPMcMurphy (Malware Response Team)

Posted 31 January 2012 - 10:01 PM

jillchristine:

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above DirLook::

DirLook::
c:\users\Jill\AppData\Roaming\Hega
Suspect::[131]
c:\program files (x86)\ComFix.exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 jillchristine (Topic Starter)

Posted 02 February 2012 - 06:57 PM

Attached are the two files requested. When running Malwarebytes, there were no issues not in the Qoobox files.

Thanks for your help!


#6 RPMcMurphy (Malware Response Team)

Posted 02 February 2012 - 07:42 PM

jillchristine:

How is your computer running now? Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

Folder::
c:\users\Jill\AppData\Roaming\Hega
ClearJavaCache::

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to www.java.com and press the "Do I have Java" link near the middle of the page
  • Press "Verify Java Version" on the page you are directed to and follow the prompts to update
Please go here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click 'Export to text file...'
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now
  • ComboFix log
  • ESET log



#7 jillchristine (Topic Starter)

Posted 04 February 2012 - 06:35 PM

I tried to run ComboFix and kept receiving this message:

"Error saving file C:\\Windows\erdnt\Hiv-backup\SYSTEM ! Continue with next file? [RegSaveKeyEx: 1016 - An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry.]"

How did you want me to proceed?

Thanks!

#8 RPMcMurphy (Malware Response Team)

Posted 05 February 2012 - 12:28 AM

Please reboot the computer and try running the ComboFix script again.



#9 jillchristine (Topic Starter)

Posted 05 February 2012 - 12:29 PM

I rebooted and am still receiving the same error.

Did you still want me to continue with the other scans/updates you listed?

Thanks for your help, sorry for all the hiccups!

#10 RPMcMurphy (Malware Response Team)

Posted 05 February 2012 - 01:13 PM

Yes, please go ahead with the remaining instructions.



#11 jillchristine (Topic Starter)

Posted 05 February 2012 - 04:29 PM

I've attached the ESET log. I also updated Java.

As for how the computer is running, the IE popups had stopped since last time I ran Malwarebytes. However, today, when I rebooted I got another IE pop up, but just one instead of multiple. Also, Google is still redirecting.


#12 RPMcMurphy (Malware Response Team)

Posted 05 February 2012 - 10:38 PM

jillchristine:

Please do this next:

Please download Listparts64
  • Run the tool, click Scan and post the log (Result.txt) it makes.
Please include the following in your next post:
ListParts log



#13 jillchristine (Topic Starter)

Posted 06 February 2012 - 08:09 PM

List Parts Log attached.

Thanks

Sorry - last post forgot to attach.


#14 RPMcMurphy (Malware Response Team)

Posted 06 February 2012 - 09:39 PM

Please do this next:

Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free anti virus for scanning - select No
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • If it doesn't, manually reboot to ensure a complete clean
Please include the following in your next post:
aswMBR log

Edited by RPMcMurphy, 06 February 2012 - 09:39 PM.



#15 jillchristine (Topic Starter)

Posted 07 February 2012 - 07:54 AM

I downloaded aswMBR.exe, but it won't run. I tried redownloading it and restarting my computer, but still no luck. How did you want me to proceed?

Also, can I get an update on how my computer is doing? If we're making progress or not?

Thanks



