Yet Another Google Redirect Issue


  • This topic is locked
32 replies to this topic

#1 zzajlatem (Members)
Posted 15 February 2012 - 05:26 PM

When I started my new job, I was given a laptop to use at work. The guy who did this job before me did something bad to it before leaving. I heard him talking to a friend about a website that didn't sound safe and came into work the next day to questions about what happened to the computer.
All of the desktop icons were hidden as well as the start menu list entries. I worked on it myself for a little while and got the desktop icons back, but now it is redirecting when I click on a google search results link.
The correct logs and reports are attached.


#2 gringo_pr, Bleepin Gringo (Malware Response Team)
Posted 15 February 2012 - 05:37 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 zzajlatem (Topic Starter)
Posted 16 February 2012 - 01:19 PM

I turned off Spybot S&D and ran ComboFix as per your instructions. ComboFix restarted my computer and some desktop icons returned to the screen, all piled up in the upper left corner. I pulled them out and tried to access Mozilla Firefox, but an error message came up. It said that an illegal operation was attempted on a registry key that has been marked for deletion. I restarted the computer, hoping for this problem to go away, and it ran "Startup Repair" and tried to do a system restore because "your computer was unable to start". The computer is currently functioning enough for me to reply to this thread using it. I'm not getting redirected when I click on Google search results, but the desktop icons that were there after I ran ComboFix are gone again.
ComboFix log:
ComboFix 12-02-16.02 - EchoTone 02/16/2012 11:25:35.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1622 [GMT -5:00]
Running from: c:\users\EchoTone\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\EchoTone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\EchoTone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\EchoTone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\system32\consrv.dll
c:\windows\system32\Thumbs.db
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 16:34 . 2012-02-16 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 16:34 . 2012-02-16 16:34 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-02-16 16:23 . 2012-02-16 16:40 -------- d-----w- C:\32788R22FWJFW
2012-02-16 01:11 . 2012-02-16 01:11 -------- d-----w- C:\46edceb61f6bfe822d89934faf86bf
2012-02-15 21:37 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 21:37 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 21:37 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 21:37 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 21:37 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 21:37 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-14 16:27 . 2012-01-06 05:15 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E256BF34-CED6-4C23-BAF0-9D19825B8A13}\mpengine.dll
2012-02-11 16:08 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 16:08 . 2012-02-13 20:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-09 19:32 . 2012-02-13 20:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-09 19:32 . 2012-02-13 20:57 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-09 16:44 . 2012-02-09 16:44 -------- d-----w- c:\users\EchoTone\AppData\Roaming\Malwarebytes
2012-02-09 16:43 . 2012-02-13 20:46 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 15:54 . 2012-02-16 16:36 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 15:58 . 2012-02-04 15:58 -------- d-----w- c:\users\EchoTone\AppData\Roaming\InstallShield
2012-01-24 16:13 . 2012-02-13 20:58 -------- d-----w- c:\windows\system32\SPReview
2012-01-24 16:11 . 2012-02-13 20:58 -------- d-----w- c:\windows\system32\EventProviders
2012-01-23 21:03 . 2012-02-13 20:58 -------- d-----w- c:\windows\Hewlett-Packard
2012-01-17 22:05 . 2012-01-17 22:05 -------- d-----w- c:\windows\Ema's stuff
2012-01-17 20:38 . 2012-01-17 20:38 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 15:53 . 2011-08-11 15:11 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-27 05:52 . 2011-01-05 20:52 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-24 16:28 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-24 16:28 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-11-19 14:58 . 2012-01-11 16:13 77312 ----a-w- c:\windows\system32\packager.dll
2011-11-19 14:01 . 2012-01-11 16:13 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-19 39408]
"SDPhotoBar.exe"="c:\smartd~1\SDPhotoBar.exe" [2003-01-10 192512]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-06-03 3218792]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-06-11 552960]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 pbzfteod;pbzfteod;c:\windows\system32\drivers\pbzfteod.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2011-06-06 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2009-08-24 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:19]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:19]
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000Core.job
- c:\users\EchoTone\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 21:19]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000UA.job
- c:\users\EchoTone\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 21:19]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)"="" [BU]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"combofix"="c:\combofix\CF23274.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
w70n51
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\EchoTone\AppData\Roaming\Mozilla\Firefox\Profiles\kst9bbug.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2012-02-16 11:46:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-16 16:46
ComboFix2.txt 2012-02-13 17:30
.
Pre-Run: 194,275,106,816 bytes free
Post-Run: 194,200,961,024 bytes free
.
- - End Of File - - E9EF3DC360210F41C0A9B6CC2213A9B0

#4 gringo_pr (Malware Response Team)
Posted 16 February 2012 - 01:53 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 zzajlatem (Topic Starter)
Posted 17 February 2012 - 05:29 PM

I ran TDSSKiller and could view the report, but when I highlighted the text to copy and paste it, no menu came up when I right-clicked. It said that it detected 0 infections/problems. I ran aswMBR and it found about 5 infections. I accidentally clicked Fix and it restarted my computer, so I ran it again and it found about 7 infections. Here is the log:
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-17 16:52:01
-----------------------------
16:52:01.162 OS Version: Windows x64 6.1.7601 Service Pack 1
16:52:01.162 Number of processors: 2 586 0x603
16:52:01.162 ComputerName: ECHOTONE-PC UserName: EchoTone
16:52:02.208 Initialize success
16:52:08.744 AVAST engine defs: 12021701
16:52:19.914 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:52:19.914 Disk 0 Vendor: ST9250315AS 0002SDM1 Size: 238475MB BusType: 11
16:52:19.929 Disk 0 MBR read successfully
16:52:19.929 Disk 0 MBR scan
16:52:19.929 Disk 0 Windows VISTA default MBR code
16:52:19.945 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
16:52:19.961 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 227588 MB offset 3074048
16:52:19.992 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 9386 MB offset 469174272
16:52:20.007 Service scanning
16:52:26.325 Modules scanning
16:52:26.325 Disk 0 trace - called modules:
16:52:26.341 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
16:52:26.341 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80030e6060]
16:52:26.341 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8003078060]
16:52:28.197 AVAST engine scan C:\windows
16:52:33.158 AVAST engine scan C:\windows\system32
16:52:49.446 File: C:\windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
16:54:48.960 File: C:\windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
16:54:51.800 File: C:\windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
16:56:25.306 File: C:\windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
16:56:25.415 File: C:\windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
16:56:38.129 AVAST engine scan C:\windows\system32\drivers
16:57:01.155 AVAST engine scan C:\Users\EchoTone
16:57:19.829 File: C:\Users\EchoTone\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
16:57:19.860 File: C:\Users\EchoTone\AppData\Local\Temp\~Quarantine.aswMBR\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
16:58:10.905 AVAST engine scan C:\ProgramData
16:59:23.883 Scan finished successfully
17:00:03.304 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
17:00:03.304 The log file has been saved successfully to "C:\aswMBR.txt"
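The aswMBR report above records each hit on a `File: <path> **INFECTED** <name> [<category>]` line, and the two entries under `~Quarantine.aswMBR` are re-detections of files the tool had already moved aside in the earlier run. As an added example (not part of the original thread, and not code from aswMBR or BleepingComputer), here is a small Python triage parser that pulls those lines out, separates quarantine re-detections from files still in place, and summarises what is left by category and family; the sample log text is constructed from the lines posted above, and the category labels are an assumed mapping of avast's usual detection suffixes.

```python
import re
from collections import Counter

# Constructed sample: a subset of the aswMBR log lines posted in this thread
# (raw string so the Windows paths need no escaping).
SAMPLE_LOG = r"""
16:52:19.929 Disk 0 MBR read successfully
16:52:49.446 File: C:\windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
16:54:48.960 File: C:\windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
16:54:51.800 File: C:\windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
16:56:25.306 File: C:\windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
16:56:25.415 File: C:\windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
16:57:19.829 File: C:\Users\EchoTone\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
16:59:23.883 Scan finished successfully
"""

# One detection line: "<hh:mm:ss.mmm> File: <path> **INFECTED** <Platform:Family-Variant> [<Cat>]"
INFECTED_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) "
    r"\*\*INFECTED\*\* (?P<name>\S+) \[(?P<cat>[A-Za-z]+)\]$"
)

# aswMBR keeps copies of what it removed under this folder; a second run
# re-flags those copies, which is why consrv.dll appears twice in the posted log.
QUARANTINE_MARKER = "~quarantine.aswmbr"

# Assumed mapping of avast's detection-name suffixes, used for display only.
CATEGORY_LABELS = {"Rtk": "rootkit", "Drp": "dropper", "Trj": "trojan"}


def parse_detections(log_text):
    """Return one dict per **INFECTED** line, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["quarantined_copy"] = QUARANTINE_MARKER in hit["path"].lower()
        # "Win32:Sirefef-HO" -> family "Sirefef"
        hit["family"] = hit["name"].split(":", 1)[-1].split("-", 1)[0]
        hits.append(hit)
    return hits


def summarize(hits):
    """Summarise the detections that were still on disk (quarantine re-detections excluded)."""
    live = [h for h in hits if not h["quarantined_copy"]]
    return {
        "total": len(hits),
        "live": len(live),
        "by_category": dict(Counter(h["cat"] for h in live)),
        "families": sorted({h["family"] for h in live}),
        "live_paths": [h["path"] for h in live],
    }


def report(log_text):
    """Human-readable triage summary for a pasted aswMBR log."""
    summary = summarize(parse_detections(log_text))
    lines = [f"{summary['live']} live detection(s), {summary['total']} lines flagged in total"]
    for cat, n in sorted(summary["by_category"].items()):
        lines.append(f"  {n} x {CATEGORY_LABELS.get(cat, cat)} [{cat}]")
    lines.append("  families: " + ", ".join(summary["families"]))
    for path in summary["live_paths"]:
        lines.append("  " + path)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```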

#6 gringo_pr (Malware Response Team)
Posted 17 February 2012 - 09:20 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#7 gringo_pr (Malware Response Team)
Posted 19 February 2012 - 11:38 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#8 zzajlatem (Topic Starter)
Posted 20 February 2012 - 07:28 PM

Hello,
I ran the FRST program on the infected computer and saved the log, but was unable to upload the log from that machine. I brought a flash drive to work today and saved the file to it so I could reply from my home computer. Here is the log:
Scan result of Farbar Recovery Scan Tool Version: 17-02-2012 (L)
Ran by SYSTEM at 2012-02-18 12:07:00
Running from C:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-19] ()
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-05] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-03-03] (TOSHIBA Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-03-15] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1295736 2011-02-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218792 2010-06-02] (Toshiba)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-06-11] (Toshiba)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-07-05] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-07-19] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKU\EchoTone\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-07-19] (Google Inc.)
HKU\EchoTone\...\Run: [SDPhotoBar.exe] C:\SMARTD~1\SDPhotoBar.exe [192512 2003-01-10] ()
HKU\EchoTone\...\Run: [Google Update] "C:\Users\EchoTone\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-07-19] (Google Inc.)
HKU\EchoTone\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\EchoTone\...\Policies\system: [disableregistrytools] 0
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe /s [123320 2011-06-06] (Symantec Corporation)
2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll" /prefetch:1 [132984 2009-08-29] (Symantec Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 w70n51; C:\Windows\System32\s24eventmonitor.dll [6656 2009-07-13] (Oak Technology Inc.)

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atipmdag.sys [6403072 2010-03-15] (ATI Technologies Inc.)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [23152 2011-12-10] (Malwarebytes Corporation)
3 StillCam; C:\Windows\System32\DRIVERS\serscan.sys [12288 2009-07-13] (Microsoft Corporation)
1 pbzfteod; \??\C:\windows\system32\drivers\pbzfteod.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: w70n51

============ One Month Created Files and Folders ==============

2012-02-18 08:33 - 2012-02-18 08:33 - 1381727 ____A C:\FRST64.exe
2012-02-17 14:00 - 2012-02-17 14:00 - 0002594 ____A C:\aswMBR.txt
2012-02-17 14:00 - 2012-02-17 14:00 - 0000512 ____A C:\MBR.dat
2012-02-17 13:24 - 2012-02-17 13:39 - 0077252 ____A C:\TDSSKiller.2.7.13.0_17.02.2012_16.24.06_log.txt
2012-02-17 13:20 - 2012-02-17 13:21 - 4733440 ____A (AVAST Software) C:\Users\EchoTone\Downloads\aswMBR.exe
2012-02-17 13:20 - 2012-02-17 13:20 - 2060336 ____A (Kaspersky Lab ZAO) C:\Users\EchoTone\Downloads\tdsskiller(1).exe
2012-02-16 09:30 - 2012-01-04 02:44 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-02-16 09:30 - 2012-01-04 02:44 - 0509952 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-02-16 09:30 - 2012-01-04 00:59 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-02-16 09:30 - 2012-01-04 00:58 - 0442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntshrui.dll
2012-02-16 09:23 - 2012-02-16 09:23 - 0000000 ____D C:\Windows\system64
2012-02-16 08:55 - 2012-02-16 08:55 - 0016482 ____A C:\combofixlog1.txt
2012-02-16 08:46 - 2012-02-16 08:46 - 0016482 ____A C:\ComboFix.txt
2012-02-16 08:34 - 2012-02-16 08:34 - 0000000 __ASH C:\Windows\System32\config\components.tmp.LOG2
2012-02-16 08:34 - 2012-02-16 08:34 - 0000000 __ASH C:\Windows\System32\config\components.tmp.LOG1
2012-02-16 08:23 - 2012-02-16 08:40 - 0000000 ____D C:\32788R22FWJFW
2012-02-16 08:18 - 2012-02-16 08:18 - 4406022 ____A (Swearware) C:\Users\EchoTone\Downloads\ComboFix(1).exe
2012-02-15 17:11 - 2012-02-15 17:11 - 0000000 ____D C:\46edceb61f6bfe822d89934faf86bf
2012-02-15 14:19 - 2012-02-15 14:19 - 0000347 ____A C:\gmerlog.log
2012-02-15 13:50 - 2012-02-15 13:50 - 0302592 ____A C:\Users\EchoTone\Downloads\hfk0putl.exe
2012-02-15 13:49 - 2012-02-15 13:49 - 0020579 ____A C:\DDSlog1.txt
2012-02-15 13:49 - 2012-02-15 13:49 - 0007602 ____A C:\Attach.txt
2012-02-15 13:45 - 2012-02-15 13:45 - 0607260 ___RA (Swearware) C:\Users\EchoTone\Downloads\dds.scr
2012-02-15 13:40 - 2012-02-15 13:42 - 0077286 ____A C:\TDSSKiller.2.7.12.0_15.02.2012_16.40.54_log.txt
2012-02-15 13:40 - 2012-02-15 13:40 - 2061360 ____A (Kaspersky Lab ZAO) C:\Users\EchoTone\Downloads\tdsskiller.exe
2012-02-15 13:37 - 2012-01-13 20:06 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-15 13:37 - 2011-12-29 22:26 - 0515584 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2012-02-15 13:37 - 2011-12-29 21:27 - 0478720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\timedate.cpl
2012-02-15 13:37 - 2011-12-27 19:59 - 0498688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-02-15 13:37 - 2011-12-16 00:46 - 0634880 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2012-02-15 13:37 - 2011-12-16 00:45 - 9019904 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-15 13:37 - 2011-12-15 23:52 - 5997568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-15 13:37 - 2011-12-15 23:52 - 0690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcrt.dll
2012-02-15 13:36 - 2011-12-16 00:47 - 1494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-15 13:36 - 2011-12-16 00:47 - 1188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-15 13:36 - 2011-12-16 00:47 - 0134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-15 13:36 - 2011-12-16 00:45 - 2454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-15 13:36 - 2011-12-16 00:45 - 12263936 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-15 13:36 - 2011-12-16 00:45 - 0702464 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-02-15 13:36 - 2011-12-16 00:45 - 0247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-15 13:36 - 2011-12-16 00:45 - 0097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-15 13:36 - 2011-12-16 00:45 - 0064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-15 13:36 - 2011-12-15 23:54 - 1231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-15 13:36 - 2011-12-15 23:54 - 0981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-15 13:36 - 2011-12-15 23:54 - 0132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-15 13:36 - 2011-12-15 23:52 - 2073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-15 13:36 - 2011-12-15 23:52 - 10992128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-15 13:36 - 2011-12-15 23:52 - 0599552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-02-15 13:36 - 2011-12-15 23:52 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-15 13:36 - 2011-12-15 23:52 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-15 13:36 - 2011-12-15 23:52 - 0048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-15 13:36 - 2011-12-15 22:44 - 1638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-15 13:36 - 2011-12-15 22:09 - 1638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-14 11:59 - 2012-02-14 12:01 - 14785768 ____A (SUPERAntiSpyware.com) C:\Users\EchoTone\Downloads\SUPERAntiSpyware.exe
2012-02-14 11:45 - 2012-02-14 11:45 - 0532480 ____A (Trend Micro Incorporated) C:\Users\EchoTone\Downloads\cwshredder.exe
2012-02-14 11:43 - 2012-02-14 11:43 - 0261120 ____A C:\Users\EchoTone\Downloads\anti_filefix.exe
2012-02-14 11:36 - 2012-02-14 11:36 - 0000162 ____A C:\Users\EchoTone\Desktop\~$ployment application.rtf
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-02-13 09:00 - 2012-02-16 12:18 - 0000000 ____D C:\Windows\ERDNT
2012-02-13 09:00 - 2012-02-16 12:17 - 0000000 ___SD C:\ComboFix
2012-02-13 09:00 - 2012-02-16 08:46 - 0000000 ____D C:\Qoobox
2012-02-13 09:00 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-02-13 09:00 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-02-13 09:00 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-02-13 09:00 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-02-13 09:00 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-02-13 09:00 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-02-13 09:00 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-02-13 09:00 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-02-13 08:59 - 2012-02-13 08:59 - 4403246 ___RA (Swearware) C:\Users\EchoTone\Downloads\ComboFix.exe
2012-02-13 08:50 - 2012-02-13 08:50 - 0446464 ____A (OldTimer Tools) C:\Users\EchoTone\Downloads\TFC.exe
2012-02-11 10:46 - 2012-02-11 10:46 - 0071398 ____A (jpshortstuff) C:\Users\EchoTone\Downloads\GooredFix.exe
2012-02-11 08:28 - 2012-02-16 12:01 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-02-11 08:28 - 2012-02-11 08:28 - 0002025 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-02-11 08:08 - 2012-02-16 12:17 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-02-11 08:08 - 2012-02-11 08:08 - 0001116 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-11 08:08 - 2011-12-10 12:24 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-02-09 11:32 - 2012-02-16 12:18 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-02-09 11:32 - 2012-02-16 12:18 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-02-09 11:32 - 2012-02-16 12:17 - 0000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-09 11:30 - 2012-02-09 11:30 - 16409960 ____A (Safer Networking Limited ) C:\Users\EchoTone\Downloads\spybotsd162.exe
2012-02-09 08:44 - 2012-02-16 12:08 - 0000000 ____D C:\Users\EchoTone\AppData\Roaming\Malwarebytes
2012-02-09 08:43 - 2012-02-16 12:06 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-02-09 08:43 - 2012-02-16 12:06 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-02-09 08:42 - 2012-02-09 08:42 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\EchoTone\Downloads\mbam-setup-1.60.1.1000.exe
2012-02-08 07:54 - 2012-02-18 08:26 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-04 07:58 - 2012-02-04 07:58 - 0000000 ____D C:\Users\EchoTone\AppData\Roaming\InstallShield
2012-01-31 07:52 - 2011-11-16 22:49 - 0152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-01-31 07:52 - 2011-11-16 22:49 - 0095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-01-31 07:52 - 2011-11-16 22:44 - 0459232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-01-31 07:52 - 2011-11-16 22:35 - 1447936 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2012-01-31 07:52 - 2011-11-16 22:35 - 0395776 ____A (Microsoft Corporation) C:\Windows\System32\webio.dll
2012-01-31 07:52 - 2011-11-16 22:35 - 0340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-01-31 07:52 - 2011-11-16 22:35 - 0136192 ____A (Microsoft Corporation) C:\Windows\System32\sspicli.dll
2012-01-31 07:52 - 2011-11-16 22:35 - 0029184 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2012-01-31 07:52 - 2011-11-16 22:35 - 0028160 ____A (Microsoft Corporation) C:\Windows\System32\secur32.dll
2012-01-31 07:52 - 2011-11-16 22:33 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\lsass.exe
2012-01-31 07:52 - 2011-11-16 21:35 - 0314880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webio.dll
2012-01-31 07:52 - 2011-11-16 21:34 - 0224768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-01-31 07:52 - 2011-11-16 21:34 - 0022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-01-31 07:52 - 2011-11-16 21:28 - 0096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-01-24 13:18 - 2012-02-09 09:14 - 0017008 ____A C:\Users\EchoTone\Desktop\Echo-Tone Price List.txt
2012-01-24 11:39 - 2012-01-24 11:39 - 5650428 ____A C:\Users\EchoTone\Downloads\npp.5.9.8.Installer.exe
2012-01-24 08:31 - 2012-01-24 08:36 - 0002265 ____A C:\Windows\IE9_main.log
2012-01-24 08:29 - 2012-02-15 17:04 - 54585368 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-01-24 08:26 - 2012-01-24 08:26 - 0004171 ____A C:\Windows\SysWOW64\jupdate-1.6.0_30-b12.log
2012-01-24 08:26 - 2011-11-10 02:54 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-01-24 08:26 - 2011-11-10 02:54 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-01-24 08:26 - 2011-11-10 02:54 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-01-24 08:13 - 2012-02-16 12:19 - 0000000 ____D C:\Windows\System32\SPReview
2012-01-24 08:11 - 2012-02-16 12:19 - 0000000 ____D C:\Windows\System32\EventProviders
2012-01-23 13:22 - 2012-01-23 13:22 - 0035804 ____A C:\Users\EchoTone\Downloads\a logo new 2(1).JPG
2012-01-23 13:03 - 2012-02-16 12:18 - 0000000 ____D C:\Windows\Hewlett-Packard


============ 3 Months Modified Files and Folders =============

2012-02-18 12:07 - 2012-02-18 12:06 - 0000000 ____D C:\FRST
2012-02-18 09:04 - 2010-10-27 04:48 - 1062013 ____A C:\Windows\WindowsUpdate.log
2012-02-18 08:33 - 2012-02-18 08:33 - 1381727 ____A C:\FRST64.exe
2012-02-18 08:33 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-02-18 08:33 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-02-18 08:30 - 2009-07-13 21:13 - 0727334 ____A C:\Windows\System32\PerfStringBackup.INI
2012-02-18 08:26 - 2012-02-08 07:54 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-18 08:26 - 2010-10-27 04:43 - 2210578432 __ASH C:\hiberfil.sys
2012-02-18 08:26 - 2010-07-19 13:19 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-02-18 08:26 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-02-18 08:26 - 2009-07-13 20:51 - 0034447 ____A C:\Windows\setupact.log
2012-02-17 16:20 - 2011-07-15 12:44 - 0000920 ___AH C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000UA.job
2012-02-17 16:20 - 2010-07-19 13:19 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-02-17 14:00 - 2012-02-17 14:00 - 0002594 ____A C:\aswMBR.txt
2012-02-17 14:00 - 2012-02-17 14:00 - 0000512 ____A C:\MBR.dat
2012-02-17 13:39 - 2012-02-17 13:24 - 0077252 ____A C:\TDSSKiller.2.7.13.0_17.02.2012_16.24.06_log.txt
2012-02-17 13:23 - 2011-01-05 09:33 - 0000174 ___SH C:\Users\EchoTone\Start Menu\Programs\Startup\desktop.ini
2012-02-17 13:23 - 2011-01-05 09:33 - 0000174 ___SH C:\Users\EchoTone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-17 13:21 - 2012-02-17 13:20 - 4733440 ____A (AVAST Software) C:\Users\EchoTone\Downloads\aswMBR.exe
2012-02-17 13:21 - 2011-07-15 12:44 - 0000868 ___AH C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000Core.job
2012-02-17 13:20 - 2012-02-17 13:20 - 2060336 ____A (Kaspersky Lab ZAO) C:\Users\EchoTone\Downloads\tdsskiller(1).exe
2012-02-16 12:20 - 2010-07-19 13:16 - 0000000 ___HD C:\Users\All Users\Blio
2012-02-16 12:20 - 2010-07-19 13:16 - 0000000 ___HD C:\ProgramData\Blio
2012-02-16 12:20 - 2010-07-19 12:44 - 0000000 ____D C:\Program Files\PlayReady
2012-02-16 12:20 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\sysprep
2012-02-16 12:20 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-02-16 12:20 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2012-02-16 12:20 - 2009-07-13 19:20 - 0000000 ___AD C:\Windows\System32\sysprep
2012-02-16 12:20 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\TAPI
2012-02-16 12:20 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Recovery
2012-02-16 12:20 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Recovery
2012-02-16 12:20 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Msdtc
2012-02-16 12:19 - 2012-01-24 08:13 - 0000000 ____D C:\Windows\System32\SPReview
2012-02-16 12:19 - 2012-01-24 08:11 - 0000000 ____D C:\Windows\System32\EventProviders
2012-02-16 12:19 - 2010-10-27 05:12 - 0000000 ____D C:\Windows\System32\Drivers\NortonPCCheckupx64
2012-02-16 12:19 - 2010-10-27 04:54 - 0000000 ____D C:\Windows\SysWOW64\Atheros_L1e
2012-02-16 12:19 - 2009-07-13 20:45 - 0000000 ___AD C:\Windows\Setup
2012-02-16 12:19 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\oobe
2012-02-16 12:19 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-16 12:19 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\security
2012-02-16 12:18 - 2012-02-13 09:00 - 0000000 ____D C:\Windows\ERDNT
2012-02-16 12:18 - 2012-02-09 11:32 - 0000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-02-16 12:18 - 2012-02-09 11:32 - 0000000 ____D C:\ProgramData\Spybot - Search & Destroy
2012-02-16 12:18 - 2012-01-23 13:03 - 0000000 ____D C:\Windows\Hewlett-Packard
2012-02-16 12:18 - 2011-07-26 12:12 - 0000000 ___HD C:\Users\EchoTone\Downloads\example1_files
2012-02-16 12:18 - 2011-07-13 14:20 - 0000000 ___HD C:\Users\All Users\Apple Computer
2012-02-16 12:18 - 2011-07-13 14:20 - 0000000 ___HD C:\ProgramData\Apple Computer
2012-02-16 12:18 - 2011-07-13 14:19 - 0000000 ___HD C:\Users\All Users\Apple
2012-02-16 12:18 - 2011-07-13 14:19 - 0000000 ___HD C:\ProgramData\Apple
2012-02-16 12:18 - 2011-07-13 13:57 - 0000000 ___HD C:\Users\EchoTone\AppData\Roaming\Skype
2012-02-16 12:18 - 2011-07-13 13:57 - 0000000 ___HD C:\Users\All Users\Skype
2012-02-16 12:18 - 2011-07-13 13:57 - 0000000 ___HD C:\ProgramData\Skype
2012-02-16 12:18 - 2011-07-07 12:14 - 0000000 ___HD C:\Users\EchoTone\Citrix
2012-02-16 12:18 - 2011-06-24 09:05 - 0000000 ___HD C:\Users\EchoTone\Desktop\email advertisements
2012-02-16 12:18 - 2011-06-21 09:45 - 0000000 ___HD C:\SmartDraw Photo
2012-02-16 12:18 - 2011-03-30 14:30 - 0000000 ___HD C:\Users\EchoTone\AppData\Roaming\Thunderbird
2012-02-16 12:18 - 2011-03-30 14:30 - 0000000 ___HD C:\Users\EchoTone\AppData\Roaming\Mozilla
2012-02-16 12:18 - 2011-01-05 13:54 - 0000000 ___HD C:\Users\EchoTone\AppData\Local\TOSHIBA_Corporation
2012-02-16 12:18 - 2011-01-05 10:45 - 0000000 ___HD C:\Users\EchoTone\AppData\Local\Toshiba
2012-02-16 12:18 - 2011-01-05 10:14 - 0000000 ___HD C:\Users\All Users\HP Photo Creations
2012-02-16 12:18 - 2011-01-05 10:14 - 0000000 ___HD C:\ProgramData\HP Photo Creations
2012-02-16 12:18 - 2011-01-05 10:12 - 0000000 ___HD C:\Users\All Users\HP Product Assistant
2012-02-16 12:18 - 2011-01-05 10:12 - 0000000 ___HD C:\ProgramData\HP Product Assistant
2012-02-16 12:18 - 2011-01-05 10:00 - 0000000 ___HD C:\Users\All Users\HP
2012-02-16 12:18 - 2011-01-05 10:00 - 0000000 ___HD C:\ProgramData\HP
2012-02-16 12:18 - 2011-01-05 09:51 - 0000000 ___HD C:\Users\EchoTone\AppData\Local\Tific
2012-02-16 12:18 - 2010-10-27 05:10 - 0000000 ___HD C:\Users\All Users\Norton
2012-02-16 12:18 - 2010-10-27 05:10 - 0000000 ___HD C:\ProgramData\Norton
2012-02-16 12:18 - 2010-10-27 05:04 - 0000000 ___HD C:\Users\All Users\WildTangent
2012-02-16 12:18 - 2010-10-27 05:04 - 0000000 ___HD C:\ProgramData\WildTangent
2012-02-16 12:18 - 2010-07-19 13:17 - 0000000 ___HD C:\Users\All Users\Toshiba
2012-02-16 12:18 - 2010-07-19 13:17 - 0000000 ___HD C:\ProgramData\Toshiba
2012-02-16 12:18 - 2010-07-19 13:07 - 0000000 ____D C:\Windows\Downloaded Installations
2012-02-16 12:18 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-02-16 12:17 - 2012-02-13 09:00 - 0000000 ___SD C:\ComboFix
2012-02-16 12:17 - 2012-02-11 08:08 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-02-16 12:17 - 2012-02-09 11:32 - 0000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-16 12:17 - 2011-08-05 08:35 - 0000000 ____D C:\Program Files\iTunes
2012-02-16 12:17 - 2011-08-05 08:35 - 0000000 ____D C:\Program Files\iPod
2012-02-16 12:17 - 2011-08-05 08:35 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-02-16 12:17 - 2011-08-05 08:34 - 0000000 ____D C:\Program Files\Bonjour
2012-02-16 12:17 - 2011-08-05 08:34 - 0000000 ____D C:\Program Files (x86)\Bonjour
2012-02-16 12:17 - 2011-08-05 08:32 - 0000000 ____D C:\Program Files (x86)\QuickTime
2012-02-16 12:17 - 2011-07-13 14:19 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-02-16 12:17 - 2011-07-13 14:19 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2012-02-16 12:17 - 2011-07-13 13:57 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-02-16 12:17 - 2011-07-12 12:38 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-02-16 12:17 - 2011-07-09 11:49 - 0000000 ____D C:\Program Files (x86)\Excel Inventory List Template Software
2012-02-16 12:17 - 2011-01-05 10:59 - 0000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-02-16 12:17 - 2011-01-05 10:14 - 0000000 ____D C:\Program Files (x86)\Yahoo!
2012-02-16 12:17 - 2011-01-05 10:14 - 0000000 ____D C:\Program Files (x86)\HP Photo Creations
2012-02-16 12:17 - 2011-01-05 10:14 - 0000000 ____D C:\Program Files (x86)\Coupons
2012-02-16 12:17 - 2011-01-05 10:03 - 0000000 ____D C:\Program Files (x86)\HP
2012-02-16 12:17 - 2010-10-27 05:12 - 0000000 ____D C:\Program Files (x86)\Toshiba Online Backup
2012-02-16 12:17 - 2010-10-27 05:12 - 0000000 ____D C:\Program Files (x86)\Norton PC Checkup
2012-02-16 12:17 - 2010-10-27 05:11 - 0000000 ____D C:\Program Files\Intuit
2012-02-16 12:17 - 2010-10-27 05:04 - 0000000 ____D C:\Program Files (x86)\TOSHIBA Games
2012-02-16 12:17 - 2010-10-27 04:56 - 0000000 ____D C:\Program Files (x86)\Atheros
2012-02-16 12:17 - 2010-10-27 04:55 - 0000000 ____D C:\Program Files\Synaptics
2012-02-16 12:17 - 2010-10-27 04:52 - 0000000 ____D C:\Program Files\CONEXANT
2012-02-16 12:17 - 2010-07-19 13:24 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-16 12:17 - 2010-07-19 13:22 - 0000000 ____D C:\Program Files (x86)\Windows Live SkyDrive
2012-02-16 12:17 - 2010-07-19 13:22 - 0000000 ____D C:\Program Files (x86)\Windows Live
2012-02-16 12:17 - 2010-07-19 13:18 - 0000000 ____D C:\Program Files\Google
2012-02-16 12:17 - 2010-07-19 13:18 - 0000000 ____D C:\Program Files (x86)\Google
2012-02-16 12:17 - 2010-07-19 13:07 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-02-16 12:17 - 2010-07-19 13:07 - 0000000 ____D C:\Program Files\TOSHIBA
2012-02-16 12:17 - 2010-07-19 13:07 - 0000000 ____D C:\Program Files (x86)\TOSHIBA
2012-02-16 12:17 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Microsoft Games
2012-02-16 12:17 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2012-02-16 12:17 - 2009-07-13 19:18 - 0000000 __SHD C:\$Recycle.Bin
2012-02-16 12:15 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\winrm
2012-02-16 12:15 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\WCN
2012-02-16 12:15 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\SysWOW64\WindowsPowerShell
2012-02-16 12:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Web
2012-02-16 12:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Vss
2012-02-16 12:15 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-02-16 12:14 - 2010-07-19 13:17 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2012-02-16 12:14 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\slmgr
2012-02-16 12:14 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\spp
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Speech
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\NetworkList
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\MUI
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Msdtc
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\InstallShield
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\IME
2012-02-16 12:14 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Dism
2012-02-16 12:12 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\winrm
2012-02-16 12:12 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\WCN
2012-02-16 12:12 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\slmgr
2012-02-16 12:12 - 2009-07-13 21:37 - 0000000 ____D C:\Windows\System32\Printing_Admin_Scripts
2012-02-16 12:12 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\WindowsPowerShell
2012-02-16 12:12 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\WinBioPlugIns
2012-02-16 12:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\com
2012-02-16 12:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\spp
2012-02-16 12:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\spool
2012-02-16 12:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Speech
2012-02-16 12:12 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\SMI
2012-02-16 12:11 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Performance
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NetworkList
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\MUI
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\migwiz
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\IME
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Dism
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\com
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Speech
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\schemas
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Resources
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PolicyDefinitions
2012-02-16 12:11 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\PLA
2012-02-16 12:09 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\IME
2012-02-16 12:09 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Help
2012-02-16 12:09 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Globalization
2012-02-16 12:09 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Branding
2012-02-16 12:08 - 2012-02-09 08:44 - 0000000 ____D C:\Users\EchoTone\AppData\Roaming\Malwarebytes
2012-02-16 12:08 - 2011-01-05 11:00 - 0000000 ___HD C:\Users\EchoTone\AppData\Roaming\SoftGrid Client
2012-02-16 12:08 - 2011-01-05 09:51 - 0000000 ___HD C:\Users\EchoTone\AppData\Roaming\Adobe
2012-02-16 12:08 - 2011-01-05 09:31 - 0000000 ____D C:\Users\EchoTone\AppData\LocalLow
2012-02-16 12:08 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-02-16 12:08 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-02-16 12:07 - 2011-07-13 14:21 - 0000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-02-16 12:07 - 2011-07-13 14:21 - 0000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-02-16 12:07 - 2011-03-30 14:30 - 0000000 ___HD C:\Users\EchoTone\AppData\Local\Thunderbird
2012-02-16 12:07 - 2011-01-05 16:33 - 0000000 ___HD C:\Users\EchoTone\AppData\Local\Microsoft Games
2012-02-16 12:07 - 2011-01-05 10:56 - 0000000 ___HD C:\Users\EchoTone\AppData\Local\Google
2012-02-16 12:07 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-02-16 12:06 - 2012-02-09 08:43 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-02-16 12:06 - 2012-02-09 08:43 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-02-16 12:06 - 2010-07-19 13:18 - 0000000 ___HD C:\Users\All Users\Google
2012-02-16 12:06 - 2010-07-19 13:18 - 0000000 ___HD C:\ProgramData\Google
2012-02-16 12:06 - 2010-07-19 13:16 - 0000000 ___HD C:\Users\All Users\Adobe
2012-02-16 12:06 - 2010-07-19 13:16 - 0000000 ___HD C:\ProgramData\Adobe
2012-02-16 12:06 - 2009-07-13 23:45 - 0000000 ____D C:\Program Files\Windows Journal
2012-02-16 12:06 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Photo Viewer
2012-02-16 12:06 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Defender
2012-02-16 12:06 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Windows NT
2012-02-16 12:05 - 2011-01-05 10:59 - 0000000 ____D C:\Program Files\Microsoft Office
2012-02-16 12:05 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Reference Assemblies
2012-02-16 12:05 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\MSBuild
2012-02-16 12:04 - 2010-10-27 04:48 - 0000000 ____D C:\Program Files\ATI
2012-02-16 12:04 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\DVD Maker
2012-02-16 12:04 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2012-02-16 12:04 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Defender
2012-02-16 12:04 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\System
2012-02-16 12:04 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files\Common Files\SpeechEngines
2012-02-16 12:04 - 2009-07-13 19:20 - 0000000 ____D C:\Program Files (x86)\Windows NT
2012-02-16 12:03 - 2010-10-27 05:11 - 0000000 ____D C:\Program Files (x86)\Intuit
2012-02-16 12:03 - 2010-10-27 05:09 - 0000000 ____D C:\Program Files (x86)\NortonInstaller
2012-02-16 12:03 - 2010-10-27 04:56 - 0000000 ____D C:\Program Files (x86)\Realtek
2012-02-16 12:03 - 2010-07-19 13:27 - 0000000 ____D C:\Program Files (x86)\Microsoft Office
2012-02-16 12:03 - 2010-07-19 13:23 - 0000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-02-16 12:03 - 2010-07-19 13:07 - 0000000 ____D C:\Program Files (x86)\Java
2012-02-16 12:03 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Reference Assemblies
2012-02-16 12:03 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\MSBuild
2012-02-16 12:02 - 2010-07-19 13:18 - 0000000 ____D C:\Program Files (x86)\Corel
2012-02-16 12:01 - 2012-02-11 08:28 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-02-16 12:01 - 2011-01-05 11:09 - 0000000 __RHD C:\MSOCache
2012-02-16 12:01 - 2010-10-27 04:48 - 0000000 ____D C:\Program Files (x86)\ATI Technologies
2012-02-16 09:33 - 2011-01-05 09:31 - 0000000 ___HD C:\users\EchoTone
2012-02-16 09:23 - 2012-02-16 09:23 - 0000000 ____D C:\Windows\system64
2012-02-16 09:23 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-02-16 08:55 - 2012-02-16 08:55 - 0016482 ____A C:\combofixlog1.txt
2012-02-16 08:46 - 2012-02-16 08:46 - 0016482 ____A C:\ComboFix.txt
2012-02-16 08:46 - 2012-02-13 09:00 - 0000000 ____D C:\Qoobox
2012-02-16 08:40 - 2012-02-16 08:23 - 0000000 ____D C:\32788R22FWJFW
2012-02-16 08:35 - 2009-07-13 18:34 - 60555264 ____A C:\Windows\System32\config\software.bak
2012-02-16 08:35 - 2009-07-13 18:34 - 38535168 ____A C:\Windows\System32\config\components.bak
2012-02-16 08:35 - 2009-07-13 18:34 - 13369344 ____A C:\Windows\System32\config\system.bak
2012-02-16 08:35 - 2009-07-13 18:34 - 1048576 ____A C:\Windows\System32\config\default.bak
2012-02-16 08:35 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\security.bak
2012-02-16 08:35 - 2009-07-13 18:34 - 0262144 ____A C:\Windows\System32\config\sam.bak
2012-02-16 08:34 - 2012-02-16 08:34 - 0000000 __ASH C:\Windows\System32\config\components.tmp.LOG2
2012-02-16 08:34 - 2012-02-16 08:34 - 0000000 __ASH C:\Windows\System32\config\components.tmp.LOG1
2012-02-16 08:18 - 2012-02-16 08:18 - 4406022 ____A (Swearware) C:\Users\EchoTone\Downloads\ComboFix(1).exe
2012-02-16 08:13 - 2009-07-13 20:45 - 0276168 ____A C:\Windows\System32\FNTCACHE.DAT
2012-02-15 17:15 - 2009-07-13 21:08 - 0023962 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-02-15 17:11 - 2012-02-15 17:11 - 0000000 ____D C:\46edceb61f6bfe822d89934faf86bf
2012-02-15 17:10 - 2011-01-05 10:59 - 0744014 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-02-15 17:04 - 2012-01-24 08:29 - 54585368 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-02-15 14:19 - 2012-02-15 14:19 - 0000347 ____A C:\gmerlog.log
2012-02-15 13:50 - 2012-02-15 13:50 - 0302592 ____A C:\Users\EchoTone\Downloads\hfk0putl.exe
2012-02-15 13:49 - 2012-02-15 13:49 - 0020579 ____A C:\DDSlog1.txt
2012-02-15 13:49 - 2012-02-15 13:49 - 0007602 ____A C:\Attach.txt
2012-02-15 13:45 - 2012-02-15 13:45 - 0607260 ___RA (Swearware) C:\Users\EchoTone\Downloads\dds.scr
2012-02-15 13:42 - 2012-02-15 13:40 - 0077286 ____A C:\TDSSKiller.2.7.12.0_15.02.2012_16.40.54_log.txt
2012-02-15 13:40 - 2012-02-15 13:40 - 2061360 ____A (Kaspersky Lab ZAO) C:\Users\EchoTone\Downloads\tdsskiller.exe
2012-02-14 12:01 - 2012-02-14 11:59 - 14785768 ____A (SUPERAntiSpyware.com) C:\Users\EchoTone\Downloads\SUPERAntiSpyware.exe
2012-02-14 11:45 - 2012-02-14 11:45 - 0532480 ____A (Trend Micro Incorporated) C:\Users\EchoTone\Downloads\cwshredder.exe
2012-02-14 11:43 - 2012-02-14 11:43 - 0261120 ____A C:\Users\EchoTone\Downloads\anti_filefix.exe
2012-02-14 11:36 - 2012-02-14 11:36 - 0000162 ____A C:\Users\EchoTone\Desktop\~$ployment application.rtf
2012-02-13 12:56 - 2009-07-13 23:44 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-02-13 11:01 - 2010-07-19 13:33 - 0225802 ____A C:\Windows\PFRO.log
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-02-13 09:13 - 2012-02-13 09:13 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-02-13 08:59 - 2012-02-13 08:59 - 4403246 ___RA (Swearware) C:\Users\EchoTone\Downloads\ComboFix.exe
2012-02-13 08:50 - 2012-02-13 08:50 - 0446464 ____A (OldTimer Tools) C:\Users\EchoTone\Downloads\TFC.exe
2012-02-11 10:46 - 2012-02-11 10:46 - 0071398 ____A (jpshortstuff) C:\Users\EchoTone\Downloads\GooredFix.exe
2012-02-11 08:28 - 2012-02-11 08:28 - 0002025 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-02-11 08:28 - 2011-07-07 13:15 - 0000000 ____D C:\Users\EchoTone\AppData\Local\Adobe
2012-02-11 08:08 - 2012-02-11 08:08 - 0001116 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-09 11:30 - 2012-02-09 11:30 - 16409960 ____A (Safer Networking Limited ) C:\Users\EchoTone\Downloads\spybotsd162.exe
2012-02-09 09:14 - 2012-01-24 13:18 - 0017008 ____A C:\Users\EchoTone\Desktop\Echo-Tone Price List.txt
2012-02-09 08:42 - 2012-02-09 08:42 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\EchoTone\Downloads\mbam-setup-1.60.1.1000.exe
2012-02-08 07:53 - 2011-08-11 07:11 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-02-04 07:58 - 2012-02-04 07:58 - 0000000 ____D C:\Users\EchoTone\AppData\Roaming\InstallShield
2012-01-30 14:51 - 2011-01-05 10:13 - 0000000 ____D C:\Users\EchoTone\AppData\Roaming\HpUpdate
2012-01-26 21:52 - 2011-01-05 12:52 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-01-24 12:23 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-01-24 11:39 - 2012-01-24 11:39 - 5650428 ____A C:\Users\EchoTone\Downloads\npp.5.9.8.Installer.exe
2012-01-24 08:38 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files\Windows Portable Devices
2012-01-24 08:38 - 2009-07-13 21:32 - 0000000 ____D C:\Program Files (x86)\Windows Portable Devices
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\sppui
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\Setup
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\oobe
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\manifeststore
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\es-ES
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\da-DK
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\cs-CZ
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\sppui
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\Setup
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\manifeststore
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\es-ES
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\da-DK
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\cs-CZ
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\AdvancedInstallers
2012-01-24 08:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\servicing
2012-01-24 08:36 - 2012-01-24 08:31 - 0002265 ____A C:\Windows\IE9_main.log
2012-01-24 08:28 - 2009-07-13 18:36 - 0175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-01-24 08:28 - 2009-07-13 18:36 - 0152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2012-01-24 08:26 - 2012-01-24 08:26 - 0004171 ____A C:\Windows\SysWOW64\jupdate-1.6.0_30-b12.log
2012-01-23 13:22 - 2012-01-23 13:22 - 0035804 ____A C:\Users\EchoTone\Downloads\a logo new 2(1).JPG
2012-01-18 13:21 - 2012-01-18 13:21 - 0043620 ____A C:\Users\EchoTone\Documents\Trinity.rtf
2012-01-17 14:07 - 2012-01-17 14:07 - 0071565 ____A C:\Users\EchoTone\Documents\Doc2.docx
2012-01-17 14:05 - 2012-01-17 14:05 - 0000000 ____D C:\Windows\Ema's stuff
2012-01-17 14:01 - 2012-01-17 14:01 - 0191476 ____A C:\Users\EchoTone\Documents\prnt scrn.pdf
2012-01-17 14:01 - 2012-01-17 13:58 - 0140714 ____A C:\Users\EchoTone\Documents\Doc3.docx
2012-01-17 13:33 - 2012-01-17 11:11 - 0045982 ____A C:\Users\EchoTone\Downloads\ema flyer 1 (1).docx
2012-01-17 13:31 - 2012-01-17 13:31 - 0116373 ____A C:\Users\EchoTone\Downloads\EchotoneTraining (1).pdf
2012-01-17 13:27 - 2012-01-17 13:27 - 0116373 ____A C:\Users\EchoTone\Downloads\EchotoneTraining.pdf
2012-01-17 13:19 - 2012-01-17 13:19 - 2976101 ____A C:\Users\EchoTone\Downloads\09- Portfolio Page and Add Portfolio Post.zip
2012-01-17 12:43 - 2012-01-17 12:43 - 0039589 ____A C:\Users\EchoTone\Desktop\ETM logo new (1).JPG
2012-01-17 12:38 - 2012-01-17 12:38 - 0000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2012-01-17 12:37 - 2012-01-17 12:37 - 0039839 ____A C:\Users\EchoTone\Downloads\ETM logo new (1).JPG
2012-01-16 12:34 - 2012-01-16 12:34 - 0000000 ____A C:\Users\EchoTone\Desktop\New Microsoft Word Document.docx
2012-01-16 12:29 - 2012-01-16 12:27 - 0001801 ___AH C:\Users\EchoTone\Desktop\chrome - Shortcut.lnk
2012-01-16 12:27 - 2012-01-16 12:27 - 0001507 ___AH C:\Users\EchoTone\Desktop\firefox - Shortcut.lnk
2012-01-13 20:06 - 2012-02-15 13:37 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-01-10 12:41 - 2012-01-10 12:38 - 0072669 ____A C:\Users\EchoTone\Desktop\ema flyer 1.docx
2012-01-10 12:37 - 2012-01-10 12:37 - 0045490 ____A C:\Users\EchoTone\Downloads\ema flyer 1.docx
2012-01-10 10:33 - 2012-01-10 10:32 - 0009255 ____A C:\Users\EchoTone\Documents\Renters guide EK.xlsx
2012-01-10 09:59 - 2012-01-09 13:03 - 0084240 ____A C:\Users\EchoTone\Desktop\membership card.docx
2012-01-10 09:37 - 2012-01-10 09:37 - 0039839 ____A C:\Users\EchoTone\Downloads\ETM logo new.JPG
2012-01-09 11:34 - 2012-01-09 11:34 - 8239264 ___AH (AOL Inc.) C:\Users\EchoTone\Downloads\Install_AIM.exe
2012-01-09 11:06 - 2012-01-09 11:06 - 0082999 ____A C:\Users\EchoTone\Desktop\LOGO.jpg
2012-01-09 10:27 - 2011-01-05 09:34 - 0057944 ____A C:\Users\EchoTone\AppData\Local\GDIPFONTCACHEV1.DAT
2012-01-09 10:05 - 2012-01-09 10:05 - 0045484 ____A C:\Users\EchoTone\Documents\ema flyer 1.docx
2012-01-06 08:18 - 2012-01-06 08:18 - 0006996 ____A C:\Users\EchoTone\Downloads\RE Kathleen from Flight Centre Barrington.eml
2012-01-04 02:44 - 2012-02-16 09:30 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-01-04 02:44 - 2012-02-16 09:30 - 0509952 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-01-04 00:59 - 2012-02-16 09:30 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-01-04 00:58 - 2012-02-16 09:30 - 0442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntshrui.dll
2011-12-29 22:26 - 2012-02-15 13:37 - 0515584 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2011-12-29 21:27 - 2012-02-15 13:37 - 0478720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\timedate.cpl
2011-12-29 09:35 - 2011-12-29 09:35 - 0104064 ____A C:\Users\EchoTone\Downloads\1094265530p5H13Z.jpg
2011-12-29 09:33 - 2011-12-29 09:33 - 0108315 ____A C:\Users\EchoTone\Downloads\super-cool-handpaintings.jpg
2011-12-27 19:59 - 2012-02-15 13:37 - 0498688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2011-12-27 09:41 - 2011-12-27 09:41 - 0093927 ____A C:\Users\EchoTone\Documents\Doc1.docx
2011-12-16 00:47 - 2012-02-15 13:36 - 1494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-16 00:47 - 2012-02-15 13:36 - 1188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-16 00:47 - 2012-02-15 13:36 - 0134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-16 00:46 - 2012-02-15 13:37 - 0634880 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2011-12-16 00:45 - 2012-02-15 13:37 - 9019904 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-16 00:45 - 2012-02-15 13:36 - 2454528 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-16 00:45 - 2012-02-15 13:36 - 12263936 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-16 00:45 - 2012-02-15 13:36 - 0702464 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2011-12-16 00:45 - 2012-02-15 13:36 - 0247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-16 00:45 - 2012-02-15 13:36 - 0097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-16 00:45 - 2012-02-15 13:36 - 0064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-15 23:54 - 2012-02-15 13:36 - 1231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-12-15 23:54 - 2012-02-15 13:36 - 0981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-12-15 23:54 - 2012-02-15 13:36 - 0132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-12-15 23:52 - 2012-02-15 13:37 - 5997568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-12-15 23:52 - 2012-02-15 13:37 - 0690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcrt.dll
2011-12-15 23:52 - 2012-02-15 13:36 - 2073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-12-15 23:52 - 2012-02-15 13:36 - 10992128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-12-15 23:52 - 2012-02-15 13:36 - 0599552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2011-12-15 23:52 - 2012-02-15 13:36 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-12-15 23:52 - 2012-02-15 13:36 - 0067072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-12-15 23:52 - 2012-02-15 13:36 - 0048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-12-15 22:44 - 2012-02-15 13:36 - 1638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-15 22:09 - 2012-02-15 13:36 - 1638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-12-10 12:24 - 2012-02-11 08:08 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-10 08:16 - 2011-12-10 08:16 - 0078613 ____A C:\Users\EchoTone\Documents\PA layaway.docx
2011-12-10 08:16 - 2011-12-09 13:24 - 0115486 ____A C:\Users\EchoTone\Documents\PA Rental.docx
2011-12-09 13:37 - 2011-12-09 13:37 - 0078940 ____A C:\Users\EchoTone\Downloads\30 Day Layaway Sign.jpg
2011-12-09 13:19 - 2011-12-09 13:19 - 0101170 ____A C:\Users\EchoTone\Downloads\i'm a speaker.jpg
2011-12-06 15:14 - 2011-12-06 15:13 - 0014331 ____A C:\Users\EchoTone\Documents\Things we post on the regular.docx
2011-12-02 16:56 - 2011-12-02 16:56 - 0013823 ____A C:\Users\EchoTone\Documents\Pricing.docx
2011-11-28 15:01 - 2011-11-28 15:01 - 0035804 ____A C:\Users\EchoTone\Downloads\a logo new 2.JPG
2011-11-28 14:59 - 2011-11-28 15:00 - 0057269 ____A C:\Users\EchoTone\Downloads\a logo new.jpg

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 2810.9 MB
Available physical RAM: 2336.39 MB
Total Pagefile: 2809.05 MB
Available Pagefile: 2315.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI105948W0D) (Fixed) (Total:222.25 GB) (Free:180.48 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 222 GB 1501 MB
Partition 3 Primary 9 GB 223 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105948W0D NTFS Partition 222 GB Healthy

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.



==========================================================

Last Boot: 2012-02-09 14:53

======================= End Of Log ==========================

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:17 AM

Posted 20 February 2012 - 09:11 PM

Hello

I want you to run the fix below, and when it is complete I would like you to rerun ComboFix for me.


Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

SubSystems: [Windows] ==> ZeroAccess
2 w70n51; C:\Windows\System32\s24eventmonitor.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\s24eventmonitor.dll
NETSVC: w70n51


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
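
The fixlist above removes a ZeroAccess-style svchost hijack: a service name (w70n51) added to the netsvcs group so that svchost loads the attacker's DLL from System32, plus the tampered Session Manager SubSystems value that FRST tags with "==>". As an added illustration (not part of this thread, and not FRST's own code), the following Python script parses FRST-format lines like the ones in that fixlist, flags both indicators, and echoes the flagged lines in the same order the helper's fixlist uses. The regexes assume the line layouts visible in this thread; the Schedule entry in the sample is a constructed benign control line with made-up size and date.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the FRST line formats seen in this thread. The w70n51 lines are
# the ones the helper's fixlist removes; the Schedule line is a constructed benign control
# entry (its size and date are made up for the example).
SAMPLE_FRST_LINES = r"""
SubSystems: [Windows] ==> ZeroAccess
2 w70n51; C:\Windows\System32\s24eventmonitor.dll [6656 2009-07-13] (Oak Technology Inc.)
2 Schedule; C:\Windows\System32\schedsvc.dll [851968 2009-07-14] (Microsoft Corporation)
NETSVC: w70n51
NETSVC: Schedule
"""

# Line layouts as they appear in the thread (assumed from the log excerpts, not from FRST documentation).
SERVICE_RE = re.compile(
    r"^(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>.*)\)\s*$"
)
NETSVC_RE = re.compile(r"^NETSVC:\s+(?P<name>\S+)\s*$")
SUBSYS_RE = re.compile(r"^SubSystems:\s+\[(?P<key>[^\]]+)\]\s+==>\s+(?P<tag>.+?)\s*$")


@dataclass
class Service:
    start: int      # FRST start-type digit (2 = automatic)
    name: str
    path: str
    size: int
    date: str
    company: str    # company field from the file's version information


@dataclass
class Finding:
    line: str       # the log line, reproduced so it can go straight into a fixlist
    reason: str


def parse_services(text: str) -> Dict[str, Service]:
    """Collect service lines keyed by service name."""
    services: Dict[str, Service] = {}
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            services[m["name"]] = Service(
                int(m["start"]), m["name"], m["path"], int(m["size"]), m["date"], m["company"]
            )
    return services


def parse_netsvcs(text: str) -> List[str]:
    """Service names listed as members of the svchost netsvcs group."""
    names: List[str] = []
    for raw in text.splitlines():
        m = NETSVC_RE.match(raw.strip())
        if m:
            names.append(m["name"])
    return names


def analyse(text: str) -> List[Finding]:
    """Flag the two indicators the thread's fixlist targets."""
    findings: List[Finding] = []
    # 1. FRST marks a tampered Session Manager SubSystems value with '==>'.
    for raw in text.splitlines():
        m = SUBSYS_RE.match(raw.strip())
        if m:
            findings.append(Finding(raw.strip(), f"SubSystems\\{m['key']} value tagged as {m['tag']}"))
    # 2. A netsvcs member whose DLL sits in System32 but carries non-Microsoft version info
    #    is the hallmark of a service injected so that svchost loads it.
    services = parse_services(text)
    for name in parse_netsvcs(text):
        svc = services.get(name)
        if svc is None:
            continue  # member without a service line in this excerpt; nothing to check
        lower_path = svc.path.lower()
        if "\\system32\\" in lower_path and lower_path.endswith(".dll") and "microsoft" not in svc.company.lower():
            findings.append(Finding(
                f"{svc.start} {svc.name}; {svc.path} [{svc.size} {svc.date}] ({svc.company})",
                f"netsvcs member '{name}' loads a non-Microsoft DLL from System32",
            ))
            findings.append(Finding(svc.path, "file referenced by the flagged service"))
            findings.append(Finding(f"NETSVC: {name}", "netsvcs group membership of the flagged service"))
    return findings


def build_fixlist(findings: List[Finding]) -> str:
    """Echo flagged lines in the order the helper's fixlist uses (a reviewer still checks them)."""
    return "".join(f.line + "\n" for f in findings)


if __name__ == "__main__":
    for f in analyse(SAMPLE_FRST_LINES):
        print(f"{f.reason}\n    {f.line}")
    print("--- fixlist.txt ---")
    print(build_fixlist(analyse(SAMPLE_FRST_LINES)), end="")
```

The company-name heuristic is deliberately narrow: a DLL under System32 that svchost is told to load, yet whose version information names a company other than Microsoft, is worth a human look, and the output is meant to be reviewed before anything is written to a fixlist, as the NOTICE above says.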

#10 zzajlatem

zzajlatem
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 22 February 2012 - 06:51 PM

Thank you for your continuing help with my computer problems. I performed all of the procedures as requested while I was at work, but did not have time to post the logs. I'm responding now from home to make sure that the thread stays active. I will post tomorrow at work if possible. If I encounter trouble posting from the computer in question, I will post after work from home.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:17 AM

Posted 22 February 2012 - 07:45 PM

Very good, see you then.


gringo

#12 zzajlatem

zzajlatem
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 23 February 2012 - 11:17 AM

After ComboFix ran, it restarted the computer as usual. I then shut the computer down and went home. I came in this morning and turned the computer on, and ComboFix was preparing a log when I started it up. Shouldn't that have already happened? The desktop icons reappeared in the upper left corner and I pulled them out. As before, when I tried to use Mozilla Firefox, Google Chrome or Internet Explorer, the following error message appeared:
"illegal operation attempted on a registry key that has been marked for deletion"
I restarted again (this seems to solve that issue temporarily, but I tend to lose the desktop icons) and the desktop icons stayed there! I've tested Google and I'm not currently getting redirected. Here are the log files:
FRST64:
Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 17-02-2012 (L)
Ran by SYSTEM at 2012-02-22 16:59:59 R:1
Running from C:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
w70n51 service deleted successfully.
C:\Windows\System32\s24eventmonitor.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs w70n51 Deleted successfully.

==== End of Fixlog ====

combofix:
ComboFix 12-02-22.01 - EchoTone 02/22/2012 17:07:09.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1832 [GMT -5:00]
Running from: c:\users\EchoTone\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\EchoTone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\EchoTone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\EchoTone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\users\EchoTone\ComboFix.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\Thumbs.db
c:\windows\SysWow64\config\systemprofile\appdata\roaming\adobe\sp.Dll
c:\windows\Temp\_ex-08.exe
c:\windows\Temp\_ex-68.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SPService
.
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-22 22:13 . 2012-02-22 22:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-22 22:13 . 2012-02-22 22:13 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-02-21 20:06 . 2012-02-21 20:07 84146 ----a-w- c:\windows\SysWow64\457xJ4.com_
2012-02-21 16:06 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AE033245-B5BD-443E-A8D2-5A5E7D20A37C}\mpengine.dll
2012-02-21 15:54 . 2012-02-21 15:54 -------- d-----w- c:\windows\system32\Macromed
2012-02-18 20:06 . 2012-02-18 20:08 -------- d-----w- C:\FRST
2012-02-16 17:30 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 17:30 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 17:23 . 2012-02-16 17:23 -------- d-----we c:\windows\system64
2012-02-16 01:11 . 2012-02-16 01:11 -------- d-----w- C:\46edceb61f6bfe822d89934faf86bf
2012-02-15 21:37 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 21:37 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 21:37 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 21:37 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 21:37 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 21:37 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-11 16:08 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 16:08 . 2012-02-16 20:17 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-09 19:32 . 2012-02-16 20:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-09 19:32 . 2012-02-16 20:17 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-09 16:44 . 2012-02-16 20:08 -------- d-----w- c:\users\EchoTone\AppData\Roaming\Malwarebytes
2012-02-09 16:43 . 2012-02-16 20:06 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 15:54 . 2012-02-22 21:43 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 15:58 . 2012-02-04 15:58 -------- d-----w- c:\users\EchoTone\AppData\Roaming\InstallShield
2012-01-24 16:13 . 2012-02-16 20:19 -------- d-----w- c:\windows\system32\SPReview
2012-01-24 16:11 . 2012-02-16 20:19 -------- d-----w- c:\windows\system32\EventProviders
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-21 15:54 . 2011-08-11 15:11 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-29 10:10 . 2011-01-05 20:52 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-24 16:28 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-24 16:28 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-19 39408]
"SDPhotoBar.exe"="c:\smartd~1\SDPhotoBar.exe" [2003-01-10 192512]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-06-03 3218792]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-06-11 552960]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 pbzfteod;pbzfteod;c:\windows\system32\drivers\pbzfteod.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2011-06-06 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2009-08-24 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\At10.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At12.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At14.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At16.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At18.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At2.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At20.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At22.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-22 c:\windows\Tasks\At24.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-22 c:\windows\Tasks\At26.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-22 c:\windows\Tasks\At28.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-22 c:\windows\Tasks\At30.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-22 c:\windows\Tasks\At32.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At34.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At36.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At38.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At4.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At40.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At42.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At44.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At46.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At48.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At6.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\windows\Tasks\At8.job
- c:\windows\system32\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:19]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:19]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000Core.job
- c:\users\EchoTone\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 21:19]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000UA.job
- c:\users\EchoTone\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 21:19]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)"="" [BU]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"combofix"="c:\combofix\CF13773.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\EchoTone\AppData\Roaming\Mozilla\Firefox\Profiles\kst9bbug.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2012-02-23 11:02:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-23 16:02
ComboFix2.txt 2012-02-16 16:46
ComboFix3.txt 2012-02-13 17:30
.
Pre-Run: 195,715,051,520 bytes free
Post-Run: 195,432,816,640 bytes free
.
- - End Of File - - 61111AD011E58D29923A16268A51E8A3

Are my troubles over? If so, thank you very much for your help. Please let me know for sure.
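The 'Scheduled Tasks' section of the log above lists two dozen auto-named At<N>.job tasks, every one of them launching the same c:\windows\system32\457xJ4.com_ file, next to the ordinary GoogleUpdate tasks. As an added example (not part of this thread, and not a ComboFix or BleepingComputer tool), the Python script below parses ComboFix 'Scheduled Tasks' entries in the two-line shape seen above, groups the tasks by the program they launch, and flags a target that several At<N>.job tasks share or that carries an extension a normally scheduled program would not. The embedded sample log is a constructed, trimmed copy of entries from the log above; the section header, line formats, the `min_at_jobs` threshold and the `NORMAL_EXTS` list are my own assumptions drawn from this log, not a documented ComboFix format.

```python
"""Triage helper for the 'Scheduled Tasks' section of a ComboFix log (added
example, not a ComboFix or BleepingComputer tool).  ComboFix lists each task
as two lines: '<date> <path>.job' then '- <target> [<timestamp>]'.  We group
tasks by target and flag the pattern visible in the log above: many
auto-named At<N>.job tasks launching one file with an odd extension."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of entry shapes from the log above.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\\windows\\Tasks\\At10.job
- c:\\windows\\system32\\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\\windows\\Tasks\\At12.job
- c:\\windows\\system32\\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-21 c:\\windows\\Tasks\\At2.job
- c:\\windows\\system32\\457xJ4.com_ [2012-02-21 20:07]
.
2012-02-23 c:\\windows\\Tasks\\GoogleUpdateTaskMachineCore.job
- c:\\program files (x86)\\Google\\Update\\GoogleUpdate.exe [2010-07-19 21:19]
.
2012-02-22 c:\\windows\\Tasks\\GoogleUpdateTaskMachineUA.job
- c:\\program files (x86)\\Google\\Update\\GoogleUpdate.exe [2010-07-19 21:19]
.
.
--------- x86-64 -----------
"""

SECTION_START = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*\.job)\s*$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[(?P<stamp>[^\]]+)\]\s*$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)
# Extensions a legitimately scheduled program would normally carry (my own list).
NORMAL_EXTS = {".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def parse_scheduled_tasks(log_text):
    """Return [(job_path, target_path, timestamp)] from the Scheduled Tasks section."""
    tasks, in_section, pending_job = [], False, None
    for line in log_text.splitlines():
        if line.startswith(SECTION_START):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---------"):  # first header of the next ComboFix section
            break
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group("target"), m.group("stamp")))
            pending_job = None
    return tasks


def target_extension(path):
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def find_suspicious_targets(tasks, min_at_jobs=2):
    """Group tasks by launched file; return findings with the reasons they were flagged."""
    by_target = defaultdict(list)
    for job, target, _stamp in tasks:
        by_target[target.lower()].append(job)
    findings = []
    for target, jobs in by_target.items():
        reasons = []
        at_jobs = [j for j in jobs if AT_JOB_RE.search(j)]
        if len(at_jobs) >= min_at_jobs:
            reasons.append(f"{len(at_jobs)} auto-named At<N>.job tasks share this target")
        ext = target_extension(target)
        if ext not in NORMAL_EXTS:
            reasons.append(f"unusual extension {ext!r}")
        if reasons:
            findings.append({"target": target, "jobs": sorted(jobs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_targets(parse_scheduled_tasks(SAMPLE_LOG)):
        print(f["target"])
        for r in f["reasons"]:
            print("  -", r)
        for j in f["jobs"]:
            print("  job:", j)
```

On the sample the only finding is the 457xJ4.com_ target, flagged both because three At<N>.job tasks share it and because ".com_" is not an ordinary program extension; the GoogleUpdate tasks are left alone. To triage a full report, pass the log file's text to parse_scheduled_tasks and tune min_at_jobs and NORMAL_EXTS to the environment.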

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 February 2012 - 11:47 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

AtJob::

RootKit::
C:\windows\system32\consrv.dll
C:\windows\SysWow64\457xJ4.com_
c:\windows\system32\dds_trash_log.cmd
C:\windows\assembly\GAC_32\Desktop.ini
C:\windows\assembly\GAC_64\Desktop.ini
C:\windows\assembly\temp\U\80000004.@ 
C:\windows\assembly\temp\U\80000032.@

Folder::
C:\windows\assembly\temp\U

Driver::
pbzfteod

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#14 zzajlatem
  • Topic Starter

  • Members
  • 30 posts

Posted 23 February 2012 - 01:51 PM

I ran combofix as directed, by dragging the text file onto it. When it was creating a system restore point, an error message popped up:
"The contents of folder C:\windows\erdnt\Hiv-backup could not be completely deleted!"
I clicked o.k. on that box and combofix continued to work. Then while combofix was on stage 2, this message popped up:
"Pev.3xe has stopped working
a problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."
I clicked o.k. and combofix continued to work. It restarted the computer and made a log report. I tried to open the internet (firefox, chrome, explorer) and got the error message:
"illegal operation attempted on a registry key that has been marked for deletion"
Again I restarted the computer and now I'm posting this. Here is the log report generated by combofix:
ComboFix 12-02-22.01 - EchoTone 02/23/2012 12:44:27.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.1684 [GMT -5:00]
Running from: c:\users\EchoTone\Desktop\ComboFix.exe
Command switches used :: c:\users\EchoTone\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\U
c:\windows\assembly\temp\U\00000001.@
c:\windows\assembly\temp\U\00000002.@
c:\windows\assembly\temp\U\00000004.@
c:\windows\assembly\temp\U\000000c0.@
c:\windows\assembly\temp\U\000000cb.@
c:\windows\assembly\temp\U\000000cf.@
c:\windows\assembly\temp\U\80000000.@
c:\windows\assembly\temp\U\80000004.@
c:\windows\assembly\temp\U\80000032.@
c:\windows\assembly\temp\U\80000064.@
c:\windows\assembly\temp\U\800000c0.@
c:\windows\assembly\temp\U\800000cb.@
c:\windows\assembly\temp\U\800000cf.@
c:\windows\Tasks\At10.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At8.job
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_pbzfteod
.
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 18:13 . 2012-02-23 18:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-23 18:13 . 2012-02-23 18:13 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-02-21 20:06 . 2012-02-21 20:07 84146 ----a-w- c:\windows\SysWow64\457xJ4.com_
2012-02-21 16:06 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AE033245-B5BD-443E-A8D2-5A5E7D20A37C}\mpengine.dll
2012-02-21 15:54 . 2012-02-21 15:54 -------- d-----w- c:\windows\system32\Macromed
2012-02-18 20:06 . 2012-02-18 20:08 -------- d-----w- C:\FRST
2012-02-16 17:30 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 17:30 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 17:23 . 2012-02-16 17:23 -------- d-----we c:\windows\system64
2012-02-16 01:11 . 2012-02-16 01:11 -------- d-----w- C:\46edceb61f6bfe822d89934faf86bf
2012-02-15 21:37 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 21:37 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 21:37 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 21:37 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 21:37 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 21:37 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-11 16:08 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 16:08 . 2012-02-16 20:17 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-09 19:32 . 2012-02-16 20:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-09 19:32 . 2012-02-16 20:17 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-09 16:44 . 2012-02-16 20:08 -------- d-----w- c:\users\EchoTone\AppData\Roaming\Malwarebytes
2012-02-09 16:43 . 2012-02-16 20:06 -------- d-----w- c:\programdata\Malwarebytes
2012-02-08 15:54 . 2012-02-22 21:43 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 15:58 . 2012-02-04 15:58 -------- d-----w- c:\users\EchoTone\AppData\Roaming\InstallShield
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-21 15:54 . 2011-08-11 15:11 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-29 10:10 . 2011-01-05 20:52 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-24 16:28 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-24 16:28 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-23_15.55.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-02-22 22:22 . 2012-02-22 22:22 13354 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-02-23 18:14 . 2012-02-23 18:14 13354 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2010-10-27 12:52 . 2012-02-23 16:07 37958 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-02-22 22:03 47004 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-23 16:07 47004 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-05 17:33 . 2012-02-23 16:07 11946 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-76174547-4078152793-674785834-1000_UserData.bin
- 2011-01-05 16:28 . 2012-02-22 15:54 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-05 16:28 . 2012-02-23 17:01 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-05 16:28 . 2012-02-22 15:54 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-05 16:28 . 2012-02-23 17:01 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-22 15:54 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-23 17:01 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-10-27 12:52 . 2012-02-23 16:07 37958 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-23 16:07 47004 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-02-22 22:03 47004 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-05 17:33 . 2012-02-23 16:07 11946 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-76174547-4078152793-674785834-1000_UserData.bin
+ 2011-01-05 16:28 . 2012-02-23 17:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-05 16:28 . 2012-02-22 15:54 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-05 16:28 . 2012-02-22 15:54 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-01-05 16:28 . 2012-02-23 17:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-22 15:54 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-23 17:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-05 17:31 . 2012-02-23 18:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-01-05 17:31 . 2012-02-22 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-05 17:31 . 2012-02-23 18:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-01-05 17:31 . 2012-02-22 22:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-23 15:55 . 2012-02-23 15:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-23 18:15 . 2012-02-23 18:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-23 18:15 . 2012-02-23 18:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-23 15:55 . 2012-02-23 15:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2012-02-23 15:55 622592 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-23 18:15 622592 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 02:36 . 2012-02-22 22:19 624864 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-23 16:01 624864 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-02-22 22:19 106950 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-23 16:01 106950 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-23 16:01 624864 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-02-22 22:19 624864 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-23 16:01 106950 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-02-22 22:19 106950 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-02-23 18:14 231260 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-02-22 22:22 231260 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-14 15:29 . 2012-02-23 18:14 693396 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-76174547-4078152793-674785834-1000-8192.dat
- 2011-07-14 15:29 . 2012-02-22 22:14 693396 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-76174547-4078152793-674785834-1000-8192.dat
+ 2009-07-14 04:54 . 2012-02-23 18:15 4014080 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-23 15:55 4014080 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-23 18:15 4653056 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-23 15:55 4653056 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-28 12:48 . 2011-04-28 12:48 3510600 c:\windows\Microsoft.NET\Framework64\v4.0.30319\System.dll
+ 2011-04-28 12:48 . 2011-04-28 12:48 3510600 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-19 39408]
"SDPhotoBar.exe"="c:\smartd~1\SDPhotoBar.exe" [2003-01-10 192512]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-06-03 3218792]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-06-11 552960]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2011-06-06 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2009-08-24 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:19]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-19 21:19]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000Core.job
- c:\users\EchoTone\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 21:19]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-76174547-4078152793-674785834-1000UA.job
- c:\users\EchoTone\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-15 21:19]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"combofix"="c:\combofix\CF14755.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\EchoTone\AppData\Roaming\Mozilla\Firefox\Profiles\kst9bbug.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2012-02-23 13:28:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-23 18:28
ComboFix2.txt 2012-02-23 16:02
ComboFix3.txt 2012-02-16 16:46
ComboFix4.txt 2012-02-13 17:30
.
Pre-Run: 195,181,395,968 bytes free
Post-Run: 194,754,719,744 bytes free
.
- - End Of File - - EDCA8ECA4298C801210E98F422818CD0

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:17 AM

Posted 23 February 2012 - 03:01 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
C:\windows\system32\consrv.dll
C:\windows\SysWow64\457xJ4.com_
c:\windows\system32\dds_trash_log.cmd
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\

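The DeleteFile script above removes files at reboot, after which they are gone for good. As an added example (not part of the original post and not BlitzBlank's own code), the PowerShell below parses that same script, records size, SHA256 and Authenticode status for each target, notes whether another process currently holds it open, and copies it to an evidence folder first. It assumes PowerShell 4 or later on the affected machine and an evidence directory of my choosing.

```powershell
# Added example (not part of the original post or of BlitzBlank): inventory the
# files a DeleteFile script will remove at reboot, so hashes and copies survive
# for later analysis. Run from an elevated 64-bit PowerShell (a 32-bit host would
# silently redirect system32 to SysWOW64). $EvidenceDir is an assumed location.
$EvidenceDir = Join-Path $env:USERPROFILE 'Desktop\blitzblank_evidence'
$BlitzScript = @'
DeleteFile:
C:\windows\system32\consrv.dll
C:\windows\SysWow64\457xJ4.com_
c:\windows\system32\dds_trash_log.cmd
'@

function Get-DeleteFileTargets {
    param([string]$ScriptText)
    # Keep only the drive-letter paths that follow the DeleteFile: header.
    $inSection = $false
    foreach ($line in $ScriptText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -ieq 'DeleteFile:') { $inSection = $true; continue }
        if ($line -match '^\w+:$')     { $inSection = $false; continue }   # another section
        if ($inSection -and $line -match '^[A-Za-z]:\\') { $line }
    }
}

function Test-FileLocked {
    param([string]$Path)
    # A file another process holds open cannot be opened with FileShare.None.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None'); $fs.Close(); $false
    } catch { $true }
}

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$report = foreach ($p in Get-DeleteFileTargets $BlitzScript) {
    $exists = Test-Path -LiteralPath $p
    $row = [ordered]@{ Path = $p; Exists = $exists; SizeBytes = $null; SHA256 = $null; Signature = $null; Locked = $null }
    if ($exists) {
        $item = Get-Item -LiteralPath $p -Force
        $row.SizeBytes = $item.Length
        $row.SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $row.Signature = (Get-AuthenticodeSignature -LiteralPath $p).Status
        $row.Locked    = Test-FileLocked $p
        # Preserve a copy before the reboot-time deletion destroys it.
        Copy-Item -LiteralPath $p -Destination (Join-Path $EvidenceDir "$($item.Name).bak") -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize
$report | Export-Csv -LiteralPath (Join-Path $EvidenceDir 'inventory.csv') -NoTypeInformation
```

A target reported as Locked is exactly the case the reboot-time deletion exists for; a missing or unsigned file in a system directory is worth keeping in the CSV alongside the BlitzBlank report.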
