Blue screen - then help from a "friend" - now major probs.


This topic is locked. 2 replies to this topic.

#1 svpawn (Members, 17 posts)

Posted 08 June 2012 - 11:02 PM

I got a blue screen while reading a message board, then a "supposed IP guy" helped me over the phone (not remotely). Ran ComboFix 2 times along with who knows what else. FYI, the original topic post was before any kind of repair software was run. (I say that due to the reply from the tech in the first forum.) Thanks, and I will try to answer and do everything as accurately as I can.

I had a problem finding the first ComboFix log, but I found some quarantined reg. items that may help. Thanks.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Papaw at 23:31:22 on 2012-06-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2297 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\notepad.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Papaw\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C0980195-1E6C-4C46-889B-AE81D058D4D5} : DhcpNameServer = 192.168.1.1
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-18 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-16 257696]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-18 136176]
S3 l2nd;Broadcom NetXtreme II BXND;C:\Windows\system32\DRIVERS\bxnd60a.sys --> C:\Windows\system32\DRIVERS\bxnd60a.sys [?]
S3 netr7364;Conceptronic RT73 Wireles Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-06-09 02:51:52 -------- d-----w- C:\ProgramData\SUPERSetup
2012-06-09 02:24:21 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-06-09 01:33:00 -------- d-----w- C:\Windows\SysWow64\FxsTmp
2012-06-09 01:33:00 -------- d-----w- C:\Windows\System32\FxsTmp
2012-06-09 01:33:00 -------- d-----w- C:\Windows\ShellNew
2012-06-09 01:33:00 -------- d-----w- C:\Windows\addins
2012-06-09 01:33:00 -------- d-----w- C:\Program Files\Windows Journal
2012-06-09 00:32:57 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2643FA94-7055-4903-ACA8-B0D6159D173F}\offreg.dll
2012-06-08 23:57:22 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-06-08 23:57:18 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2643FA94-7055-4903-ACA8-B0D6159D173F}\mpengine.dll
2012-06-08 23:43:32 -------- d-sh--w- C:\$RECYCLE.BIN
2012-06-08 22:45:29 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-08 22:45:16 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-08 22:45:05 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-08 22:45:05 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-08 07:46:08 98816 ----a-w- C:\Windows\sed.exe
2012-06-08 07:46:08 518144 ----a-w- C:\Windows\SWREG.exe
2012-06-08 07:46:08 256000 ----a-w- C:\Windows\PEV.exe
2012-06-08 07:46:08 208896 ----a-w- C:\Windows\MBR.exe
2012-06-08 05:31:31 -------- d-----w- C:\Users\Papaw\AppData\Local\ElevatedDiagnostics
2012-06-07 11:53:07 -------- d-----w- C:\Program Files\Speccy
2012-06-07 11:48:41 -------- d-----w- C:\Program Files\CCleaner
2012-06-07 11:39:50 35712 ----a-w- C:\Windows\SysWow64\drivers\BlackBox.sys
2012-05-27 23:10:54 -------- d-----w- C:\Users\Papaw\AppData\Roaming\Malwarebytes
2012-05-27 23:10:48 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-05-27 23:10:48 -------- d-----w- C:\ProgramData\Malwarebytes
2012-05-27 23:10:48 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-05-27 15:14:51 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-05-18 04:40:06 -------- d-----w- C:\Users\Papaw\AppData\Roaming\SUPERAntiSpyware.com
2012-05-18 04:39:23 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-05-18 02:36:16 -------- d-----w- C:\Users\Papaw\AppData\Roaming\AVG
2012-05-18 00:55:39 -------- d-----w- C:\Program Files (x86)\iolo
2012-05-18 00:53:17 -------- d-----w- C:\Users\Papaw\AppData\Roaming\iolo
2012-05-17 18:03:02 -------- d--h--w- C:\Windows\msdownld.tmp
2012-05-17 17:35:48 -------- d-----w- C:\Windows\SysWow64\Wat
2012-05-17 17:35:48 -------- d-----w- C:\Windows\System32\Wat
2012-05-17 16:36:54 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-05-17 16:36:54 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-05-17 16:36:54 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-05-17 16:36:54 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-05-17 16:36:54 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-05-17 16:36:54 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-05-17 16:36:54 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-05-17 16:33:50 1572864 ----a-w- C:\Windows\System32\quartz.dll
2012-05-17 16:32:53 605552 ----a-w- C:\Windows\System32\winload.exe
2012-05-17 16:31:41 723456 ----a-w- C:\Windows\System32\EncDec.dll
2012-05-17 16:31:41 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2012-05-17 16:22:57 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2012-05-17 16:22:57 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2012-05-17 16:22:57 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2012-05-17 16:22:57 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2012-05-17 16:22:57 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2012-05-17 16:19:12 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-05-17 16:19:12 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-05-17 16:19:12 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-05-17 16:19:12 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-05-17 16:18:49 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2012-05-17 16:18:49 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2012-05-17 16:18:47 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2012-05-17 16:18:46 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
2012-05-17 16:18:14 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-17 07:08:25 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-16 16:02:29 -------- d-----w- C:\Users\Papaw\AppData\Local\Google
2012-05-16 16:02:18 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-16 16:02:18 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-16 13:56:14 -------- d--h--w- C:\ProgramData\Common Files
2012-05-16 13:54:52 -------- d-----w- C:\Program Files (x86)\AVG
2012-05-16 13:48:48 -------- d-sh--w- C:\Windows\Installer
2012-05-16 13:48:46 -------- d-----w- C:\ProgramData\MFAData
2012-05-16 04:14:04 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2012-05-16 04:04:27 -------- d-----w- C:\Windows\Panther
2012-05-16 03:43:09 -------- d-----w- C:\Users\Papaw\AppData\Local\Diagnostics
.
==================== Find3M ====================
.
2012-03-31 06:05:57 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-31 04:39:37 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-31 04:39:37 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-31 03:10:03 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-03-17 07:58:57 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
.
============= FINISH: 23:31:49.10 ===============

ComboFix 12-06-07.04 - Papaw 06/08/2012 3:47.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2447 [GMT -4:00]
Running from: c:\users\Papaw\Desktop\ComboFix.exe
AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Internet Security 2012 *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Papaw\777.txt
c:\users\Papaw\AppData\Local\Temp\{BE7D7946-5DA6-4181-BB65-73EC6886AA9D}\fpb.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))
.
.
2012-06-08 07:50 . 2012-06-08 07:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-08 02:47 . 2012-06-08 02:47 -------- d-----w- c:\users\Guest
2012-06-08 02:39 . 2012-06-08 02:40 -------- d-----w- c:\users\fulw
2012-06-07 11:53 . 2012-06-07 11:53 -------- d-----w- c:\program files\Speccy
2012-06-07 11:48 . 2012-06-07 11:48 -------- d-----w- c:\program files\CCleaner
2012-06-07 11:39 . 2012-06-07 11:41 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
2012-05-27 23:10 . 2012-05-27 23:10 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-27 23:10 . 2012-05-27 23:10 -------- d-----w- c:\programdata\Malwarebytes
2012-05-27 23:10 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-27 15:14 . 2012-05-27 15:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-18 04:39 . 2012-05-27 15:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-18 00:55 . 2012-05-18 00:59 -------- d-----w- c:\program files (x86)\iolo
2012-05-17 18:03 . 2012-05-17 18:03 -------- d--h--w- c:\windows\msdownld.tmp
2012-05-17 17:35 . 2012-05-17 17:35 -------- d-----w- c:\windows\SysWow64\Wat
2012-05-17 17:35 . 2012-05-17 17:35 -------- d-----w- c:\windows\system32\Wat
2012-05-17 16:36 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-17 16:36 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-05-17 16:36 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-17 16:36 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-17 16:36 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-05-17 16:36 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-05-17 16:36 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-05-17 16:33 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-05-17 16:32 . 2011-02-05 17:06 605552 ----a-w- c:\windows\system32\winload.exe
2012-05-17 16:31 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2012-05-17 16:31 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-05-17 16:22 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2012-05-17 16:22 . 2011-05-24 10:40 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2012-05-17 16:22 . 2011-05-24 10:40 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2012-05-17 16:22 . 2011-05-24 10:39 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2012-05-17 16:22 . 2011-05-24 10:37 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2012-05-17 16:19 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-05-17 16:19 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-05-17 16:19 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-17 16:19 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-05-17 16:18 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2012-05-17 16:18 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2012-05-17 16:18 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2012-05-17 16:18 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-05-17 16:18 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-17 16:09 . 2012-05-17 16:11 -------- d-----w- c:\programdata\AVG Secure Search
2012-05-16 16:02 . 2012-05-17 17:25 -------- d-----w- c:\program files\Google
2012-05-16 16:02 . 2012-05-18 04:42 -------- d-----w- c:\program files (x86)\Google
2012-05-16 16:02 . 2012-05-16 16:02 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-16 16:02 . 2012-05-16 16:02 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-16 16:02 . 2012-05-16 16:02 -------- d-----w- c:\windows\SysWow64\Macromed
2012-05-16 16:02 . 2012-05-16 16:02 -------- d-----w- c:\windows\system32\Macromed
2012-05-16 14:04 . 2012-05-16 14:04 -------- d-----w- c:\program files\DIFX
2012-05-16 13:56 . 2012-05-27 15:12 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-05-16 13:56 . 2012-05-17 16:11 -------- d-----w- c:\program files (x86)\AVG Secure Search
2012-05-16 13:56 . 2012-05-16 13:56 -------- d--h--w- c:\programdata\Common Files
2012-05-16 13:56 . 2012-05-16 13:56 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2012-05-16 13:55 . 2012-06-07 22:58 -------- d-----w- c:\windows\system32\drivers\AVG
2012-05-16 13:55 . 2012-05-16 14:00 -------- d-----w- c:\programdata\AVG2012
2012-05-16 13:54 . 2012-05-27 15:12 -------- d-----w- c:\program files (x86)\AVG
2012-05-16 13:48 . 2012-06-06 02:37 -------- d-sh--w- c:\windows\Installer
2012-05-16 13:48 . 2012-06-08 07:35 -------- d-----w- c:\programdata\MFAData
2012-05-16 04:14 . 2012-05-17 16:44 -------- d-----w- c:\program files (x86)\Intel
2012-05-16 04:14 . 2009-08-26 19:04 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2012-05-16 04:04 . 2012-06-07 11:50 -------- d-----w- c:\windows\Panther
2012-05-16 03:30 . 2012-06-08 07:49 -------- d-----w- c:\users\Papaw
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 08:50 . 2012-04-19 08:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-03-19 09:17 . 2012-03-19 09:17 383808 ----a-w- c:\windows\system32\drivers\avgtdia.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-05-17 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-05-17 982880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 257696]
R3 BlackBox;BlackBox SR2; [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 136176]
R3 l2nd;Broadcom NetXtreme II BXND;c:\windows\system32\DRIVERS\bxnd60a.sys [x]
R3 netr7364;Conceptronic RT73 Wireles Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 avgfws;AVG Firewall;c:\program files (x86)\AVG\AVG2012\avgfws.exe [2012-03-23 2321520]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2012-04-30 5106744]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [2012-05-17 918880]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 16:02]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 04:39]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 04:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-08 03:55:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-08 07:55
.
Pre-Run: 291,887,300,608 bytes free
Post-Run: 291,370,168,320 bytes free
.
- - End Of File - - A5EFA12DFC488D73F12D99CE2C7BDD40

2012-06-08 23:33:32 . 2012-06-08 23:33:32 424,096 ----a-w- C:\Qoobox\Quarantine\C\Users\Papaw\AppData\Local\Temp\{0CD5C70D-9E85-45B4-8AAC-1CA405C5975C}\fpb.tmp.vir
2012-06-08 07:54:55 . 2012-06-08 23:45:31 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}.reg.dat
2012-06-08 07:49:08 . 2012-06-08 23:40:05 4,820 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-06-08 07:46:04 . 2012-06-08 23:37:05 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-06-08 07:39:47 . 2012-06-08 07:39:47 424,096 ----a-w- C:\Qoobox\Quarantine\C\Users\Papaw\AppData\Local\Temp\{BE7D7946-5DA6-4181-BB65-73EC6886AA9D}\fpb.tmp.vir
2012-06-08 03:55:14 . 2012-06-08 03:55:14 719 ----a-w- C:\Qoobox\Quarantine\C\Users\Papaw\777.txt.vir



I found the 1st CF txt.

ComboFix 12-06-08.02 - Papaw 06/08/2012 19:38:06.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.2847 [GMT -4:00]
Running from: c:\users\Papaw\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Papaw\AppData\Local\Temp\{0CD5C70D-9E85-45B4-8AAC-1CA405C5975C}\fpb.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))
.
.
2012-06-08 23:41 . 2012-06-08 23:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-08 22:49 . 2012-06-08 22:49 -------- d-----w- c:\users\fulw
2012-06-08 22:45 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-08 22:45 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-08 22:45 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-08 22:45 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-08 22:45 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-08 22:45 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-08 22:45 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-08 22:45 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-08 22:45 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-07 11:53 . 2012-06-07 11:53 -------- d-----w- c:\program files\Speccy
2012-06-07 11:48 . 2012-06-07 11:48 -------- d-----w- c:\program files\CCleaner
2012-06-07 11:39 . 2012-06-07 11:41 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
2012-05-27 23:10 . 2012-05-27 23:10 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-27 23:10 . 2012-05-27 23:10 -------- d-----w- c:\programdata\Malwarebytes
2012-05-27 23:10 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-27 15:14 . 2012-05-27 15:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-18 04:39 . 2012-05-27 15:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-18 00:55 . 2012-05-18 00:59 -------- d-----w- c:\program files (x86)\iolo
2012-05-17 18:03 . 2012-05-17 18:03 -------- d--h--w- c:\windows\msdownld.tmp
2012-05-17 17:35 . 2012-05-17 17:35 -------- d-----w- c:\windows\SysWow64\Wat
2012-05-17 17:35 . 2012-05-17 17:35 -------- d-----w- c:\windows\system32\Wat
2012-05-17 16:36 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-17 16:36 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-05-17 16:36 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-17 16:36 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-17 16:36 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-05-17 16:36 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-05-17 16:36 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-05-17 16:33 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-05-17 16:32 . 2011-02-05 17:06 605552 ----a-w- c:\windows\system32\winload.exe
2012-05-17 16:31 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2012-05-17 16:31 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-05-17 16:22 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2012-05-17 16:22 . 2011-05-24 10:40 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2012-05-17 16:22 . 2011-05-24 10:40 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2012-05-17 16:22 . 2011-05-24 10:39 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2012-05-17 16:22 . 2011-05-24 10:37 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2012-05-17 16:19 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-05-17 16:19 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-05-17 16:19 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-05-17 16:19 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-05-17 16:18 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2012-05-17 16:18 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2012-05-17 16:18 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2012-05-17 16:18 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-05-17 16:18 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-17 07:08 . 2012-02-28 06:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-16 16:02 . 2012-05-17 17:25 -------- d-----w- c:\program files\Google
2012-05-16 16:02 . 2012-05-18 04:42 -------- d-----w- c:\program files (x86)\Google
2012-05-16 16:02 . 2012-05-16 16:02 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-16 16:02 . 2012-05-16 16:02 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-16 16:02 . 2012-05-16 16:02 -------- d-----w- c:\windows\SysWow64\Macromed
2012-05-16 16:02 . 2012-05-16 16:02 -------- d-----w- c:\windows\system32\Macromed
2012-05-16 14:04 . 2012-05-16 14:04 -------- d-----w- c:\program files\DIFX
2012-05-16 13:56 . 2012-05-16 13:56 -------- d--h--w- c:\programdata\Common Files
2012-05-16 13:54 . 2012-05-27 15:12 -------- d-----w- c:\program files (x86)\AVG
2012-05-16 13:48 . 2012-06-08 23:29 -------- d-sh--w- c:\windows\Installer
2012-05-16 13:48 . 2012-06-08 23:29 -------- d-----w- c:\programdata\MFAData
2012-05-16 04:14 . 2012-05-17 16:44 -------- d-----w- c:\program files (x86)\Intel
2012-05-16 04:14 . 2009-08-26 19:04 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2012-05-16 04:04 . 2012-06-07 11:50 -------- d-----w- c:\windows\Panther
2012-05-16 03:30 . 2012-06-08 07:49 -------- d-----w- c:\users\Papaw
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-08_07.53.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-06-08 22:25 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-06-08 04:13 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-06-08 22:25 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-08 04:13 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-08 22:25 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-08 04:13 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-06-08 23:44 25894 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-08 23:44 34802 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-05-16 03:22 . 2012-06-08 04:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-05-16 03:22 . 2012-06-08 22:52 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-05-16 03:22 . 2012-06-08 22:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-05-16 03:22 . 2012-06-08 04:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-08 04:12 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-08 22:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-06-08 23:33 97224 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-05-16 03:40 . 2012-06-08 23:44 8972 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3270910946-4045399453-725205587-1000_UserData.bin
+ 2012-06-08 23:42 . 2012-06-08 23:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-08 07:51 . 2012-06-08 07:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-08 23:42 . 2012-06-08 23:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-08 07:51 . 2012-06-08 07:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2012-06-08 23:41 226304 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-06-08 07:50 226304 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-05-17 16:49 . 2012-06-08 07:50 730292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3270910946-4045399453-725205587-1000-8192.dat
+ 2012-05-17 16:49 . 2012-06-08 23:29 730292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3270910946-4045399453-725205587-1000-8192.dat
+ 2012-05-17 16:49 . 2012-06-08 23:29 608726 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3270910946-4045399453-725205587-1000-12288.dat
- 2012-05-17 16:49 . 2012-06-08 07:50 608726 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3270910946-4045399453-725205587-1000-12288.dat
- 2009-07-14 02:34 . 2012-06-06 02:48 9961472 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-06-08 23:02 9961472 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2009-07-14 04:45 . 2012-06-06 02:51 7183440 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2012-06-08 23:33 7183440 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2012-06-08 23:29 . 2012-06-08 23:29 2300964 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3270910946-4045399453-725205587-1001-8192.dat
- 2012-05-17 07:11 . 2012-06-08 07:50 3058868 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3270910946-4045399453-725205587-1000-4096.dat
+ 2012-05-17 07:11 . 2012-06-08 23:41 3058868 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3270910946-4045399453-725205587-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 257696]
R3 BlackBox;BlackBox SR2; [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 136176]
R3 l2nd;Broadcom NetXtreme II BXND;c:\windows\system32\DRIVERS\bxnd60a.sys [x]
R3 netr7364;Conceptronic RT73 Wireles Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 16:02]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 04:39]
.
2012-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-18 04:39]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-08 19:46:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-08 23:46
ComboFix2.txt 2012-06-08 07:55
.
Pre-Run: 290,857,848,832 bytes free
Post-Run: 290,460,344,320 bytes free
.
- - End Of File - - 591AB3BA8BF73E9A43FD0EB806E7B3A1

Edited by svpawn, 08 June 2012 - 11:38 PM.


#2 svpawn

svpawn
  • Topic Starter

  • Members
  • 17 posts

Posted 10 June 2012 - 08:06 PM

This topic can be closed.

#3 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 11 June 2012 - 11:29 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
