BSOD on every restart + error message.


This topic is locked
47 replies to this topic

#1 topeira

  • Members
  • 31 posts

Posted 21 November 2012 - 02:55 AM

Hi everyone. I'm really new here and I really hope you can help.

In the past couple of days I've been having some issues:

1) Every restart I make (or shut down) begins with a BSOD. Then the computer starts anew; I get the "safe mode" options and other boot options, but I can boot normally.
Yesterday I had a BSOD in the middle of playing a game. This usually doesn't happen.

2) I think that because of the BSOD I get, I can not uninstall or install anything that requires a reboot in the middle, so trying to install the new ATI drivers really messed up everything and now I can't install these drivers at all. Uninstalling them took a lot of googling and messing with the registry, but that didn't help installing them any better.
When I try to uninstall or install the drivers, the software locks up in the middle and doesn't budge. If I try installing in safe mode I get an error message telling me something like "detection programs error" or something. The installation locks up at the part where the installer is trying to figure out what hardware or drivers I have. It gets stuck in the "detecting graphic hardware" part.

3) When the computer boots up I get a message telling me I had an unexpected crash, of course. But I also have an error message telling me:
explorer.exe - driver not ready.
the driver is not ready for use; it's door may be open. please check drive a: and make sure that a disk is inserted and the door is close.

That's the message. Whether I disable the A: drive in the BIOS or not, it doesn't help. I've been told it's a virus, but NOD32 didn't detect anything.
If I press "continue" or "try again" or "cancel" the message pops up again after a few seconds. I can't get rid of it no matter what.

Please, help a man out.
Thanks!



What I tried to do thus far is reset the BIOS to the defaults (within the BIOS; I didn't remove the battery or anything), and I tried checking for viruses with NOD32, and while it did find some stuff, it put it in quarantine and that didn't help.
Since I really need the latest ATI drivers I've been trying to uninstall and reinstall them over and over again, in safe mode or not. It didn't help.


Here is the DDS.txt file:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16450 BrowserJavaVersion: 10.5.1
Run by adar at 9:45:32 on 2012-11-21
Microsoft Windows 7 Ultimate 6.1.7600.0.1255.972.1033.18.8190.5306 [GMT 2:00]
.
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: AVG Internet Security 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: AVG Internet Security 2011 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Tablet\Wacom\Wacom_TouchService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
E:\Program Files\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
E:\Program Files (x86)\RadeonPro\RadeonProSupport.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
e:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
e:\program files\X-Mouse Button Control\XMouseButtonSvc.exe
e:\program files\X-Mouse Button Control\XMouseButtonControl.exe
E:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
e:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
e:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
e:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
E:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Windows\system32\SearchProtocolHost.exe
E:\SketchBook Pro 6.0.1\SketchBookSnapshot.exe
C:\Users\adar\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Users\adar\Userdata\explorer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468
uWindow Title = Internet Explorer, optimized for Bing and MSN
uProxyOverride = localhost;*.local
uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
uURLSearchHooks: uTorrentControl_v2 Toolbar: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll
mURLSearchHooks: uTorrentControl_v2 Toolbar: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll
mWinlogon: Userinit = userinit.exe
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - <orphaned>
BHO: uTorrentControl_v2 Toolbar: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\adar\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - E:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: uTorrentControl_v2 Toolbar: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll
uRun: [Windows Explorer] C:\Users\adar\Userdata\iexplorer.exe
uRun: [IDMan] E:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
mRun: [Windows Explorer] C:\Users\adar\Userdata\iexplorer.exe
mRun: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFaTUstV1FQWTYtOTIzTVItUU1JTVAtTk1ONkUtUQ"&"inst=NzYtMTIyMDYwMjkxMi1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVMyKzEtTFNEKzItRERUKzM0OTE4LVNUMTBBUFArMS1ERDEwKzEtUzEwRERGKzEtRlVJKzItQ0lBMTArMi1DSUQrMS1JSVNBKzY"&"prod=94"&"ver=10.0.1424
StartupFolder: C:\Users\adar\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\adar\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Adobe Gamma Loader.lnk - D:\temp\from c prog files 86\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SketchBook Snapshot.lnk - E:\SketchBook Pro 6.0.1\SketchBookSnapshot.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: ????3?? - <no file>
IE: ????3?????? - <no file>
IE: Download all by FlashGet3 - C:\Users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download all links with IDM - E:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download by FlashGet3 - C:\Users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: Download with IDM - E:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - E:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: ????3?? - <no file>
IE: ????3?????? - <no file>
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{8B5B51B1-FB86-45C7-B56F-C8DA96788F98} : DHCPNameServer = 10.0.0.138
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll
x64-IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - <orphaned>
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 119.42.146.34 www.warez-bb.org
Hosts: 119.42.146.36 www.warez-bb.org
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\
FF - prefs.js: browser.search.selectedEngine - uTorrentControl_v2 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: C:\Users\adar\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: E:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff4.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\0.80.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.0\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}\plugins\np-mswmp.dll
FF - plugin: C:\Users\adar\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\adar\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - plugin: C:\Windows\SysWOW64\NPSWF32.dll
FF - plugin: E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: E:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL
FF - plugin: E:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL
FF - plugin: E:\Program Files (x86)\QuickTime\Plugins\npqtplugin.dll
FF - plugin: E:\Program Files (x86)\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: E:\Program Files (x86)\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: E:\Program Files (x86)\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: E:\Program Files (x86)\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: E:\Program Files (x86)\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: E:\Program Files (x86)\QuickTime\Plugins\npqtplugin7.dll
FF - ExtSQL: 2012-10-07 22:37; {7473b6bd-4691-4744-a82b-7854eb3d70b6}; C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
.
============= SERVICES / DRIVERS ===============
.
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2012-3-14 209768]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-11-20 239616]
R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2011-1-5 219360]
R2 ekrn;ESET Service;E:\Program Files\ESET NOD32 Antivirus\x86\ekrn.exe [2012-3-7 913144]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2012-3-14 137144]
R2 GEST Service;GEST Service for program management.;C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe [2011-1-5 68136]
R2 IDMWFP;IDMWFP;C:\Windows\System32\drivers\idmwfp.sys [2012-10-10 160992]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]
R2 RadeonPro Support Service;RadeonPro Support Service;E:\Program Files (x86)\RadeonPro\RadeonProSupport.exe [2012-6-13 12800]
R2 SBSDWSCService;SBSD Security Center Service;E:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-6-13 1153368]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-2 3064000]
R2 TabletServiceWacom;TabletServiceWacom;C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe [2012-6-14 8518008]
R2 TeamViewer7;TeamViewer 7;E:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-6-13 2666880]
R2 TouchServiceWacom;Wacom Professional Touch Service;C:\Program Files\Tablet\Wacom\Wacom_TouchService.exe [2012-6-14 567672]
R2 XMouseButton Launcher;XMouseButton Launcher;E:\Program Files\X-Mouse Button Control\XMouseButtonSvc.exe [2012-6-13 86016]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-20 96896]
R3 hidkmdf;KMDF Driver;C:\Windows\System32\drivers\hidkmdf.sys [2012-6-14 13688]
R3 RecFltr;Reclusa Keyboard;C:\Windows\System32\drivers\RecFltr.sys [2007-1-18 45440]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-8-26 726160]
R3 WacHidRouter;Wacom Hid Router;C:\Windows\System32\drivers\wachidrouter.sys [2012-6-14 65912]
R3 wacomrouterfilter;Wacom Router Filter Driver;C:\Windows\System32\drivers\wacomrouterfilter.sys [2012-6-14 15736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-9-7 160944]
S2 WysePocketCloud;Wyse PocketCloud;C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [2012-3-20 175520]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-1-5 1432400]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-1-10 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2012-9-7 130976]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);C:\Windows\System32\drivers\s0017bus.sys [2011-4-23 113704]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;C:\Windows\System32\drivers\s0017mdfl.sys [2011-4-23 19496]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;C:\Windows\System32\drivers\s0017mdm.sys [2011-4-23 152616]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);C:\Windows\System32\drivers\s0017mgmt.sys [2011-4-23 133160]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);C:\Windows\System32\drivers\s0017nd5.sys [2011-4-23 34856]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;C:\Windows\System32\drivers\s0017obex.sys [2011-4-23 128552]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);C:\Windows\System32\drivers\s0017unic.sys [2011-4-23 145960]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;C:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2012-9-7 150528]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-5-10 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-5-23 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
.
=============== Created Last 30 ================
.
2042-01-06 07:40:54 4263 --sh--w- C:\Windows\windllreg1c.sys
2012-11-20 23:16:07 -------- d-sh--w- C:\Users\adar\Userdata
2012-11-20 21:25:34 0 ----a-w- C:\Windows\ativpsrm.bin
2012-11-20 21:19:01 -------- d-----w- C:\ProgramData\AMD
2012-11-20 21:19:00 -------- d-----w- C:\Program Files (x86)\AMD AVT
2012-11-20 21:18:52 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-11-20 21:18:42 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2012-11-20 21:18:42 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2012-11-20 20:41:08 -------- d-----w- C:\Program Files\ATI Technologies
2012-11-20 20:41:06 -------- d-----w- C:\Program Files\ATI
2012-11-20 20:40:26 -------- d-----w- C:\AMD
2012-11-20 19:43:05 -------- d-----w- D:\temp\from local\Local\ElevatedDiagnostics
2012-11-20 15:12:33 388096 ----a-r- C:\Users\adar\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-11-20 09:38:05 -------- d-----w- D:\temp\from local\Local\ESET
2012-11-19 09:24:14 -------- d-----w- C:\Users\adar\AppData\Roaming\AVG10
2012-11-19 08:29:21 -------- d-----w- D:\temp\from local\Local\MFAData
2012-11-19 08:29:21 -------- d-----w- D:\temp\from local\Local\Avg2013
2012-11-19 08:15:21 -------- d-----w- C:\Users\adar\AppData\Roaming\AVG2012
2012-11-19 08:15:02 -------- d-----w- C:\ProgramData\AVG2012
2012-11-18 22:51:29 -------- d-sh--w- C:\Users\adar\Drivers
2012-11-15 22:55:29 -------- d-----w- D:\temp\from local\Local\dxhr
2012-11-15 22:55:01 -------- d-----w- D:\temp\from local\Local\28050
2012-10-31 10:28:28 -------- d-----w- D:\temp\from local\Local\FLT
2012-10-30 15:32:13 -------- d-----w- D:\temp\from local\Local\Ubisoft Game Launcher
2012-10-25 01:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-10-25 01:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-10-23 10:46:53 -------- d-----w- D:\temp\from local\Local\PunkBuster
2012-10-23 10:45:20 -------- d-----w- D:\temp\from local\Local\Origin
.
==================== Find3M ====================
.
2012-11-21 00:28:18 25640 ----a-w- C:\Windows\gdrv.sys
2012-11-18 22:20:46 189248 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-11-18 22:20:44 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-11-15 22:55:31 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-15 22:55:31 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-25 18:07:59 280600 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-10-25 10:57:32 280600 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-09-28 13:37:02 221696 ----a-w- C:\Windows\System32\clinfo.exe
2012-09-28 13:36:44 75776 ----a-w- C:\Windows\System32\OpenVideo64.dll
2012-09-28 13:36:40 65536 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-09-28 13:36:36 63488 ----a-w- C:\Windows\System32\OVDecode64.dll
2012-09-28 13:36:34 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-09-28 13:36:24 32635904 ----a-w- C:\Windows\System32\amdocl64.dll
2012-09-28 13:32:16 27341824 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-09-28 02:23:00 5557928 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-09-28 02:21:20 10697216 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2012-09-28 02:05:38 70144 ----a-w- C:\Windows\System32\coinst_9.002.dll
2012-09-28 02:03:52 163840 ----a-w- C:\Windows\System32\atiapfxx.exe
2012-09-28 02:02:30 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2012-09-28 02:02:28 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-09-28 02:02:22 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2012-09-28 02:02:20 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-09-28 02:02:08 16082432 ----a-w- C:\Windows\System32\aticaldd64.dll
2012-09-28 01:59:56 23825920 ----a-w- C:\Windows\System32\atio6axx.dll
2012-09-28 01:57:20 13703168 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-09-28 01:43:28 935424 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-09-28 01:41:40 1120768 ----a-w- C:\Windows\System32\aticfx64.dll
2012-09-28 01:41:14 19624960 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-09-28 01:39:36 6536192 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-09-28 01:39:14 442368 ----a-w- C:\Windows\System32\atidemgy.dll
2012-09-28 01:39:08 538112 ----a-w- C:\Windows\System32\atieclxx.exe
2012-09-28 01:38:16 239616 ----a-w- C:\Windows\System32\atiesrxx.exe
2012-09-28 01:36:50 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2012-09-28 01:36:36 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2012-09-28 01:36:30 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2012-09-28 01:36:26 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-09-28 01:31:26 3127296 ----a-w- C:\Windows\System32\atiumd6a.dll
2012-09-28 01:25:24 6704640 ----a-w- C:\Windows\System32\atiumd64.dll
2012-09-28 01:22:42 7167488 ----a-w- C:\Windows\System32\atidxx64.dll
2012-09-28 01:22:30 2691584 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-09-28 01:13:40 595456 ----a-w- C:\Windows\System32\atiadlxx.dll
2012-09-28 01:13:30 405504 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-09-28 01:13:16 17920 ----a-w- C:\Windows\System32\atig6pxx.dll
2012-09-28 01:13:12 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-09-28 01:13:12 14848 ----a-w- C:\Windows\System32\atiglpxx.dll
2012-09-28 01:13:08 41984 ----a-w- C:\Windows\System32\atig6txx.dll
2012-09-28 01:13:00 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-09-28 01:12:58 56320 ----a-w- C:\Windows\System32\atimpc64.dll
2012-09-28 01:12:58 56320 ----a-w- C:\Windows\System32\amdpcom64.dll
2012-09-28 01:12:52 460288 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2012-09-28 01:12:48 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-09-28 01:12:48 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-09-28 01:11:22 129536 ----a-w- C:\Windows\System32\atiuxp64.dll
2012-09-28 01:11:16 109568 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-09-28 01:11:08 103424 ----a-w- C:\Windows\System32\atiu9p64.dll
2012-09-28 01:10:58 82944 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-09-28 01:09:48 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2012-09-27 18:07:26 160992 ----a-w- C:\Windows\System32\drivers\idmwfp.sys
2012-09-12 15:41:43 2568 --sha-w- C:\ProgramData\KGyGaAvL.sys
.
============= FINISH: 9:46:19.00 ===============

*Moderator Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Queen-Evie*

Edited by Queen-Evie, 21 November 2012 - 07:53 AM.
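A small triage script, added here as an illustration (it is not part of this thread, nor code from the DDS tool), that scans the kinds of lines found in the log above (running processes, Run entries, UAC policy values, recently created files) and flags the ones a malware responder would look at first. The sample lines are copied from the log above; the rule set, the process-name list and the log date used for the timestamp check are my own assumptions.

```python
import re
from datetime import datetime

# Names legitimate Windows processes use; a copy of one of these running from
# outside C:\Windows (as explorer.exe does in the log above) deserves a look.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Line shapes as DDS prints them (assumed from the log above, not a DDS spec).
PROCESS = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.exe)(?:\s.*)?$", re.IGNORECASE)
AUTORUN = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|AppData)\\", re.IGNORECASE)
POLICY = re.compile(r"^mPolicies-System: (?P<key>ConsentPromptBehaviorAdmin|"
                    r"PromptOnSecureDesktop) = dword:(?P<val>\d+)$")
CREATED = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ "
                     r"(?P<attrs>[-a-z]{8}) (?P<path>.*)$")

# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
C:\Windows\Explorer.EXE
C:\Users\adar\Userdata\explorer.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
uRun: [Windows Explorer] C:\Users\adar\Userdata\iexplorer.exe
uRun: [IDMan] E:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
mRun: [Windows Explorer] C:\Users\adar\Userdata\iexplorer.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
2042-01-06 07:40:54 4263 --sh--w- C:\Windows\windllreg1c.sys
2012-11-20 23:16:07 -------- d-sh--w- C:\Users\adar\Userdata
2012-11-20 21:19:01 -------- d-----w- C:\ProgramData\AMD
"""
# Date the log was run, taken from the "Run by adar at ..." header above.
LOG_DATE = datetime(2012, 11, 21, 9, 45, 32)


def triage(log_text, log_date):
    """Return (line, reason) pairs for log lines that merit a human look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROCESS.match(line)
        if m:
            path = m.group("path")
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
                findings.append((line, "system binary name running outside C:\\Windows"))
            continue
        m = AUTORUN.match(line)
        if m:
            # Autoruns pointing into a user-writable tree are where droppers persist.
            if USER_WRITABLE.search(m.group("target")):
                findings.append((line, "autorun entry launching from a user-writable location"))
            continue
        m = POLICY.match(line)
        if m:
            # Both keys set to 0 means elevation happens silently, off the secure desktop.
            if m.group("val") == "0":
                findings.append((line, "UAC prompting weakened (%s = 0)" % m.group("key")))
            continue
        m = CREATED.match(line)
        if m:
            attrs = m.group("attrs")
            # DDS attribute column: 's' and 'h' together mean system+hidden.
            if "sh" in attrs:
                findings.append((line, "hidden+system attributes on a recently created object"))
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            if ts > log_date:
                findings.append((line, "creation timestamp lies in the future (timestomped)"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG, LOG_DATE):
        print("%-60s  <- %s" % (line, reason))
```

The flagged lines are leads for the responder, not a verdict: a Dropbox entry under AppData trips the same autorun rule as the fake "Windows Explorer" one and has to be told apart by hand.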



#2 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • Gender:Male
  • Location:California

Posted 24 November 2012 - 05:21 PM

Greetings topeira and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,592 posts
  • Gender:Male
  • Location:California

Posted 24 November 2012 - 06:07 PM

Hi topeira,

I want to thank you again for your patience.

Can you tell me if you recognize this at all:

Hosts: 119.42.146.34 www.warez-bb.org
Hosts: 119.42.146.36 www.warez-bb.org



There are a couple of things I would like to caution you about, and then I am going to provide you with some steps to take. There is a lot to cover, so take your time and don't feel rushed. If you have questions, please don't hesitate to stop and post a question.

Please consider and do this.


===================================================


P2P Warning

--------------------

Going over your logs I noticed that you have Torrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall Torrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware, which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition, it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.


===================================================


Spybot S&D No Longer Recommended

--------------------

MVPS.org is no longer recommending Spybot S&D due to poor testing results. (scroll down on the web site and read under Freeware Antispyware Products)

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

I strongly recommend uninstalling Spybot Search & Destroy. The presence of this program can make cleaning your computer more difficult.

Please go to Start > Control Panel > Add/Remove Programs (or Programs and Features) and delete the program.

Reboot your computer prior to the next step.


===================================================


Multiple Antivirus Programs

-------------------

I do not recommend that you have more than one antivirus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove all but one of the following:

ESET
AVG

===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends you to uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover which can be downloaded here. We will be sure to reinstall the Antivirus program once we are finished using Combofix.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue
If Combofix fails to run properly using the above instructions please attempt the following:

  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Do you recognize the Host entries?
  • Were you able to uninstall uTorrent, Spybot and an antivirus program?
  • Combofix log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
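The two Hosts: lines Gary quotes are the kind of thing a triage script can pick out of a hosts file on its own. The Python below is an added example for this thread, not a tool from Gary's post or from BleepingComputer: it reads a Windows hosts file as text, ignores the two mappings a stock install may carry, and classifies every other active line as a sinkhole (name pointed at 127.0.0.1 or 0.0.0.0), a redirect (name pinned to a public IP, so DNS is bypassed), or a vendor tamper (either of those against an AV or update domain). It also flags entries hidden behind a long run of blank lines, a known trick for pushing them below what Notepad shows. SAMPLE_HOSTS is constructed for the demo: it embeds the two www.warez-bb.org entries from the post plus two made-up ones (update.eset.com and www.avg.com), and VENDOR_DOMAINS is an illustrative assumption, not a maintained list.

```python
"""Triage a Windows hosts file: report every active mapping a stock install
would not have, and say what each one does to name resolution.

Added example for this thread, not a tool from the original post.  The
sample text and VENDOR_DOMAINS list below are constructed for the demo."""
import ipaddress
import re

# Mappings a stock hosts file may legitimately carry (Windows 7 ships them
# commented out; older releases keep them active).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Assumption for the demo: domains whose sinkholing would break AV or OS
# updating.  A real tool would use a maintained list.
VENDOR_DOMAINS = ("eset.com", "avg.com", "microsoft.com", "windowsupdate.com")

# A run of blank lines at least this long before an entry is treated as an
# attempt to hide the entry below the visible window in Notepad.
PADDING_THRESHOLD = 30


def parse_hosts(text):
    """Return (line_no, blank_lines_before, ip_or_None, tokens) for each
    non-comment line.  Malformed lines come back with ip None so they are
    reported rather than silently dropped."""
    entries = []
    blank_run = 0
    for n, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            continue
        line = raw.split("#", 1)[0].strip()
        if not line:                      # comment-only line
            continue
        tokens = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
            entries.append((n, blank_run, ip, tokens[1:]))
        except ValueError:
            entries.append((n, blank_run, None, tokens))
        blank_run = 0
    return entries


def _is_vendor(host):
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def triage_hosts(text):
    """Classify every non-default mapping.  Each finding is a dict with the
    line number, kind of change, and the ip/host involved."""
    findings = []
    for n, blank_run, ip, names in parse_hosts(text):
        if ip is None:
            findings.append({"line": n, "kind": "malformed",
                             "ip": None, "host": " ".join(names)})
            continue
        addr = ipaddress.ip_address(ip)
        for name in names:
            host = name.lower()
            if (ip, host) in DEFAULT_ENTRIES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                kind = "sinkholed"        # name resolves nowhere
            else:
                kind = "redirected"       # name pinned to a fixed IP
            if _is_vendor(host):
                kind = "vendor_" + kind   # update server tampered with
            finding = {"line": n, "kind": kind, "ip": ip, "host": host}
            if blank_run >= PADDING_THRESHOLD:
                finding["hidden_by_padding"] = True
            findings.append(finding)
    return findings


# Constructed sample: a Windows 7 style header, the two entries quoted in the
# thread, one invented vendor sinkhole, and one invented entry hidden behind
# 60 blank lines.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "127.0.0.1 localhost\n"
    "119.42.146.34 www.warez-bb.org\n"
    "119.42.146.36 www.warez-bb.org\n"
    "0.0.0.0 update.eset.com\n"
    + "\n" * 60
    + "127.0.0.1 www.avg.com\n"
)

if __name__ == "__main__":
    for finding in triage_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a live machine the input would be the contents of C:\Windows\System32\drivers\etc\hosts; a "redirected" finding for a site the user does not recognise is exactly what Gary is asking about, while any "vendor_" finding means updates or detections are being actively interfered with and should be fixed before the AV is trusted again.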

#4 topeira

topeira
  • Topic Starter

  • Members
  • 31 posts

Posted 26 November 2012 - 02:28 AM

Thank you very much for replying and trying to help.

First, the questions:

1) I didn't uninstall uTorrent because I chose not to. I usually know what I'm doing and how to be careful, and I even think I know where I got the malware from. It was my mistake to let a file whose origin I don't know onto my machine. At least I have a guess what it was.

2) I tried uninstalling AVG many times right before I installed NOD32 on my computer. I had issues removing it. Eventually I thought I succeeded, but apparently there are still traces of it. Bugger.
The AppRemover software you gave here didn't even FIND the AVG antivirus on my computer. I can't find it either.
However, I DID uninstall Spybot.


3) I use NOD32 5, and the tips you gave for disabling it before using ComboFix were not all possible. The tip about deactivating it via the task bar couldn't be done since I have no NOD32 icon on the task bar, and I couldn't find the command you asked me to find in the control panel of the antivirus :(

4) After running ComboFix I need to check how the computer is running for a few hours or a day, so I'm posting this BEFORE I made that check. Will report back later.

5) What does ComboFix do? Also, according to the log I'm pasting below, what did it find?

6) Here is the ComboFix log:


ComboFix 12-11-24.02 - adar 11/26/2012 1:46.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1255.972.1033.18.8190.4823 [GMT 2:00]
Running from: c:\users\adar\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2011 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: ESET NOD32 Antivirus 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\5584E05258.sys
c:\users\adar\AppData\Roaming\chrtmp
c:\users\adar\drivers\explorer.exe
c:\users\adar\Userdata\iexplorer.exe
c:\windows\SysWow64\tmpC2E5.tmp
c:\windows\SysWow64\tmpC2F5.tmp
c:\windows\SysWow64\tmpF547.tmp
c:\windows\SysWow64\tmpF577.tmp
c:\windows\XSxS
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-25 to 2012-11-25 )))))))))))))))))))))))))))))))
.
.
2042-01-06 07:40 . 2042-01-06 07:40 4263 --sh--w- c:\windows\windllreg1c.sys
2012-11-25 23:53 . 2012-11-25 23:53 -------- d-----w- d:\temp\from local\Local\temp
2012-11-25 23:53 . 2012-11-25 23:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-25 23:53 . 2012-11-25 23:53 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-11-25 21:15 . 2012-11-25 21:15 -------- d-----w- c:\users\adar\AppData\Roaming\JAM Software
2012-11-25 18:38 . 2012-11-25 18:38 -------- d-----w- d:\temp\from local\Local\Rockstar Games
2012-11-23 18:59 . 2012-11-23 18:59 -------- d-----w- c:\users\adar\Impostazioni locali
2012-11-21 20:41 . 2012-11-21 20:41 -------- d-----w- c:\users\adar\AppData\Roaming\Theta
2012-11-20 23:16 . 2012-11-25 23:52 -------- d-sh--w- c:\users\adar\Userdata
2012-11-20 21:26 . 2012-11-20 21:26 -------- d-----w- c:\users\adar\AppData\Roaming\ATI
2012-11-20 21:26 . 2012-11-20 21:26 -------- d-----w- c:\programdata\ATI
2012-11-20 21:25 . 2012-11-20 21:25 0 ----a-w- c:\windows\ativpsrm.bin
2012-11-20 21:19 . 2012-11-20 21:19 -------- d-----w- c:\programdata\AMD
2012-11-20 21:19 . 2012-11-20 21:19 -------- d-----w- c:\program files (x86)\AMD AVT
2012-11-20 21:18 . 2012-11-20 21:18 -------- d-----w- c:\program files (x86)\AMD APP
2012-11-20 21:18 . 2012-11-20 21:18 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-11-20 21:18 . 2012-11-20 21:18 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-11-20 20:41 . 2012-11-20 21:18 -------- d-----w- c:\program files\ATI Technologies
2012-11-20 20:41 . 2012-11-20 20:41 -------- d-----w- c:\program files\ATI
2012-11-20 20:40 . 2012-11-20 20:40 -------- d-----w- C:\AMD
2012-11-20 19:43 . 2012-11-20 19:43 -------- d-----w- d:\temp\from local\Local\ElevatedDiagnostics
2012-11-20 15:12 . 2012-11-20 15:12 388096 ----a-r- c:\users\adar\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-11-20 09:38 . 2012-11-20 09:38 -------- d-----w- d:\temp\from local\Local\ESET
2012-11-19 09:24 . 2012-11-19 09:24 -------- d-----w- c:\users\adar\AppData\Roaming\AVG10
2012-11-19 08:29 . 2012-11-19 08:29 -------- d-----w- d:\temp\from local\Local\MFAData
2012-11-19 08:29 . 2012-11-19 08:29 -------- d-----w- d:\temp\from local\Local\Avg2013
2012-11-19 08:15 . 2012-11-19 08:15 -------- d-----w- c:\users\adar\AppData\Roaming\AVG2012
2012-11-19 08:15 . 2012-11-19 10:45 -------- d-----w- c:\programdata\AVG2012
2012-11-18 22:51 . 2012-11-25 23:52 -------- d-sh--w- c:\users\adar\Drivers
2012-11-15 22:55 . 2012-11-16 00:30 -------- d-----w- d:\temp\from local\Local\dxhr
2012-11-15 22:55 . 2012-11-15 22:55 -------- d-----w- d:\temp\from local\Local\28050
2012-11-09 18:53 . 2012-11-09 18:53 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-11-09 18:53 . 2012-11-09 18:53 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-11-09 18:53 . 2012-11-09 18:53 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-11-09 18:53 . 2012-11-09 18:53 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-11-09 18:53 . 2012-11-09 18:53 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-11-09 18:53 . 2012-11-09 18:53 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-11-09 18:53 . 2012-11-09 18:53 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-10-31 10:28 . 2012-10-31 10:28 -------- d-----w- d:\temp\from local\Local\FLT
2012-10-30 15:32 . 2012-11-21 20:40 -------- d-----w- d:\temp\from local\Local\Ubisoft Game Launcher
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-25 18:35 . 2011-01-05 23:15 25640 ----a-w- c:\windows\gdrv.sys
2012-11-18 22:20 . 2011-01-08 01:17 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-11-18 22:20 . 2011-01-08 01:17 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-11-15 22:55 . 2012-04-04 14:32 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-15 22:55 . 2011-05-19 13:12 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 18:07 . 2011-01-08 01:47 280600 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-10-25 10:57 . 2011-01-08 01:17 280600 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-10-25 01:12 . 2012-10-25 01:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 01:12 . 2012-10-25 01:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-09-29 19:12 . 2012-09-29 19:12 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-09-29 19:12 . 2012-09-29 19:12 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-09-29 19:12 . 2012-09-29 19:12 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-09-29 19:12 . 2012-09-29 19:12 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-09-29 19:12 . 2012-09-29 19:12 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-09-29 19:12 . 2012-09-29 19:12 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-09-29 19:12 . 2012-09-29 19:12 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-09-29 19:12 . 2012-09-29 19:12 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-09-29 19:12 . 2012-09-29 19:12 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-09-29 19:12 . 2012-09-29 19:12 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-09-29 19:12 . 2012-09-29 19:12 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-09-29 19:12 . 2012-09-29 19:12 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-09-29 19:12 . 2012-09-29 19:12 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-09-29 19:12 . 2012-09-29 19:12 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-09-29 19:12 . 2012-09-29 19:12 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-09-29 19:12 . 2012-09-29 19:12 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-09-29 19:12 . 2012-09-29 19:12 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-09-29 19:12 . 2012-09-29 19:12 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-09-29 19:12 . 2012-09-29 19:12 816640 ----a-w- c:\windows\system32\jscript.dll
2012-09-29 19:12 . 2012-09-29 19:12 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-09-29 19:12 . 2012-09-29 19:12 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-09-29 19:12 . 2012-09-29 19:12 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-09-29 19:12 . 2012-09-29 19:12 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-09-29 19:12 . 2012-09-29 19:12 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-09-29 19:12 . 2012-09-29 19:12 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-09-29 19:12 . 2012-09-29 19:12 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-09-29 19:12 . 2012-09-29 19:12 448512 ----a-w- c:\windows\system32\html.iec
2012-09-29 19:12 . 2012-09-29 19:12 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-09-29 19:12 . 2012-09-29 19:12 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-09-29 19:12 . 2012-09-29 19:12 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-09-29 19:12 . 2012-09-29 19:12 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-09-29 19:12 . 2012-09-29 19:12 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-09-29 19:12 . 2012-09-29 19:12 248320 ----a-w- c:\windows\system32\ieui.dll
2012-09-29 19:12 . 2012-09-29 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-09-29 19:12 . 2012-09-29 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-09-29 19:12 . 2012-09-29 19:12 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-09-29 19:12 . 2012-09-29 19:12 222208 ----a-w- c:\windows\system32\msls31.dll
2012-09-29 19:12 . 2012-09-29 19:12 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-09-29 19:12 . 2012-09-29 19:12 197120 ----a-w- c:\windows\system32\msrating.dll
2012-09-29 19:12 . 2012-09-29 19:12 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-09-29 19:12 . 2012-09-29 19:12 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-09-29 19:12 . 2012-09-29 19:12 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-09-29 19:12 . 2012-09-29 19:12 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-09-29 19:12 . 2012-09-29 19:12 149504 ----a-w- c:\windows\system32\occache.dll
2012-09-29 19:12 . 2012-09-29 19:12 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-09-29 19:12 . 2012-09-29 19:12 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-09-29 19:12 . 2012-09-29 19:12 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-09-29 19:12 . 2012-09-29 19:12 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-09-29 19:12 . 2012-09-29 19:12 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-09-29 19:12 . 2012-09-29 19:12 12288 ----a-w- c:\windows\system32\mshta.exe
2012-09-29 19:12 . 2012-09-29 19:12 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-09-29 19:12 . 2012-09-29 19:12 114176 ----a-w- c:\windows\system32\admparse.dll
2012-09-29 19:12 . 2012-09-29 19:12 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-09-29 19:12 . 2012-09-29 19:12 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-09-29 19:12 . 2012-09-29 19:12 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-09-29 19:12 . 2012-09-29 19:12 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-09-29 19:12 . 2012-09-29 19:12 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-09-29 19:12 . 2012-09-29 19:12 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-09-29 19:12 . 2012-09-29 19:12 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-09-29 19:12 . 2012-09-29 19:12 82432 ----a-w- c:\windows\system32\icardie.dll
2012-09-29 19:12 . 2012-09-29 19:12 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-09-29 19:12 . 2012-09-29 19:12 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-09-29 19:12 . 2012-09-29 19:12 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-09-29 19:12 . 2012-09-29 19:12 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-09-29 19:12 . 2012-09-29 19:12 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-09-29 19:12 . 2012-09-29 19:12 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-09-29 19:12 . 2012-09-29 19:12 237056 ----a-w- c:\windows\system32\url.dll
2012-09-29 19:12 . 2012-09-29 19:12 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-09-29 19:12 . 2012-09-29 19:12 160256 ----a-w- c:\windows\system32\wextract.exe
2012-09-29 19:12 . 2012-09-29 19:12 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-09-29 19:12 . 2012-09-29 19:12 103936 ----a-w- c:\windows\system32\inseng.dll
2012-09-28 13:37 . 2012-09-28 13:37 221696 ----a-w- c:\windows\system32\clinfo.exe
2012-09-28 13:36 . 2012-09-28 13:36 75776 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-09-28 13:36 . 2012-09-28 13:36 65536 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-09-28 13:36 . 2012-09-28 13:36 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-09-28 13:36 . 2012-09-28 13:36 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-09-28 13:36 . 2012-09-28 13:36 32635904 ----a-w- c:\windows\system32\amdocl64.dll
2012-09-28 13:32 . 2012-09-28 13:32 27341824 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-09-27 18:07 . 2012-10-10 09:36 160992 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2012-09-12 15:41 . 2011-01-16 22:49 2568 --sha-w- c:\programdata\KGyGaAvL.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2011-05-23 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2011-05-23 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="e:\program files (x86)\Internet Download Manager\IDMan.exe" [2012-10-11 3536320]
"Steam"="d:\steam\steam.exe" [2012-08-14 1353080]
"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
"RGSC"="c:\program files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-12 306088]
"FlashGet 3"="c:\program files (x86)\FlashGet Network\FlashGet 3\Flashget3.exe" [2009-12-22 2127408]
"CGFLoader"="e:\program files (x86)\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]
"CalibrizeResume"="e:\program files (x86)\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"WinampAgent"="e:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Share-to-Web Namespace Daemon"="e:\program files (x86)\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Reclusa"="e:\program files (x86)\Razer\Reclusa\razerhid.exe" [2007-03-07 167936]
"QuickTime Task"="e:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="e:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFaTUstV1FQWTYtOTIzTVItUU1JTVAtTk1ONkUtUQ&inst=NzYtMTIyMDYwMjkxMi1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVMyKzEtTFNEKzItRERUKzM0OTE4LVNUMTBBUFArMS1ERDEwKzEtUzEwRERGKzEtRlVJKzItQ0lBMTArMi1DSUQrMS1JSVNBKzY&prod=94&ver=10.0.1424" [?]
.
c:\users\adar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\adar\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - d:\temp\from c prog files 86\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-9-7 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0e:\program files (x86)\AVG2012\avgrsa.exe /sync /restart
.
R0 AFS;AFS; [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [2012-03-20 175520]
R3 ATICDSDr;ATICDSDr;c:\users\adar\AppData\Local\Temp\ATICDSDr.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-09-20 1432400]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-03-01 130976]
R3 GPU-Z;GPU-Z;c:\users\adar\AppData\Local\Temp\GPU-Z.sys [x]
R3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\DRIVERS\s0017bus.sys [2008-10-21 113704]
R3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0017mdfl.sys [2008-10-21 19496]
R3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0017mdm.sys [2008-10-21 152616]
R3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0017mgmt.sys [2008-10-21 133160]
R3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\DRIVERS\s0017nd5.sys [2008-10-21 34856]
R3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0017obex.sys [2008-10-21 128552]
R3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\DRIVERS\s0017unic.sys [2008-10-21 145960]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-23 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-14 209768]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 148528]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-09-28 239616]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-08-04 219360]
S2 ekrn;ESET Service;e:\program files\ESET NOD32 Antivirus\x86\ekrn.exe [2012-03-07 913144]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2012-03-14 137144]
S2 GEST Service;GEST Service for program management.;c:\program files (x86)\GIGABYTE\EnergySaver\GSvr.exe [2009-07-30 68136]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2012-09-27 160992]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 RadeonPro Support Service;RadeonPro Support Service;e:\program files (x86)\RadeonPro\RadeonProSupport.exe [2011-02-09 12800]
S2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [2012-04-18 8518008]
S2 TeamViewer7;TeamViewer 7;e:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 2666880]
S2 TouchServiceWacom;Wacom Professional Touch Service;c:\program files\Tablet\Wacom\Wacom_TouchService.exe [2012-04-18 567672]
S2 XMouseButton Launcher;XMouseButton Launcher;e:\program files\X-Mouse Button Control\XMouseButtonSvc.exe [2010-11-13 86016]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]
S3 hidkmdf;KMDF Driver;c:\windows\system32\DRIVERS\hidkmdf.sys [2012-03-29 13688]
S3 RecFltr;Reclusa Keyboard;c:\windows\system32\drivers\RecFltr.sys [2007-01-18 45440]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2012-06-12 726160]
S3 WacHidRouter;Wacom Hid Router;c:\windows\system32\DRIVERS\wachidrouter.sys [2012-03-29 65912]
S3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\DRIVERS\wacomrouterfilter.sys [2012-03-29 15736]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 22:55]
.
2012-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-07 11:08]
.
2012-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-07 11:08]
.
2012-11-25 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-11-21 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2012-09-07 09:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 23432 ----a-w- e:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-03 11842152]
"PocketCloud Location"="c:\program files (x86)\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2012-03-20 881568]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1680976]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = localhost;*.local
IE: ????3??
IE: ????3??????
IE: Download all by FlashGet3 - c:\users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download all links with IDM - e:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download by FlashGet3 - c:\users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: Download with IDM - e:\program files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - e:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: ????3?? - c:\users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: ????3?????? - c:\users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=
FF - ExtSQL: 2012-10-07 22:37; {7473b6bd-4691-4744-a82b-7854eb3d70b6}; c:\users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-YouSendIt.exe - e:\program files (x86)\YouSendIt\Express\YouSendIt.exe
Wow6432Node-HKCU-Run-SpybotSD TeaTimer - e:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe
Wow6432Node-HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
Wow6432Node-HKLM-Run-Windows Explorer - c:\users\adar\Userdata\iexplorer.exe
Wow6432Node-HKLM-Run-StartCCC - e:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
Wow6432Node-HKLM-Run-SwitchBoard - c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
Wow6432Node-HKLM-Run-AdobeCS5ServiceManager - c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
Wow6432Node-HKLM-Run-AdobeCS5.5ServiceManager - c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
Wow6432Node-HKLM-Run-AdobeCS4ServiceManager - c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
Wow6432Node-HKLM-Run-Adobe ARM - c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-AdobeAAMUpdater-1.0 - c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
AddRemove-Descent Manager Tools - c:\windows\system32\uninstdm.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-{CB04D8E1-7B9C-4F35-B2E2-E87CBE520805} - c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\core\PDApp.exe
AddRemove-FXAA Post Process Injector - d:\games\The Elder Scrolls V - Skyrim\Uninstal.exe
AddRemove-Google Chrome - c:\users\adar\AppData\Local\Google\Chrome\Application\21.0.1180.89\Installer\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3* N}]
@Allowed: (Read) (RestrictedCode)
@="c:\\Users\\adar\\AppData\\Roaming\\FlashGetBHO\\GetUrl.htm"
"contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3* N}hQט‏c]
@Allowed: (Read) (RestrictedCode)
@="c:\\Users\\adar\\AppData\\Roaming\\FlashGetBHO\\GetAllUrl.htm"
"contexts"=dword:000000f3
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\SecuROM\License information*]
"datasecu"=hex:47,55,a9,ca,37,80,fe,4d,6f,88,52,f4,a3,31,ca,86,64,87,00,2a,9a,
31,9f,8d,b5,56,e7,fc,fd,a5,9c,d9,ba,3c,71,66,59,57,ca,4a,8e,c8,68,fc,4e,32,\
"rkeysecu"=hex:01,76,38,c2,22,b9,c4,63,b2,f2,9c,8e,5d,af,6c,4b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-26 01:56:21
ComboFix-quarantined-files.txt 2012-11-25 23:56
.
Pre-Run: 468,762,624 bytes free
Post-Run: 6,764,642,304 bytes free
.
- - End Of File - - 55F3290A95C89FBEA4966ECA0043C15A

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • Gender:Male
  • Location:California

Posted 26 November 2012 - 11:35 AM

Hi topeira,

Thank you for the explanations. It is certainly up to you whether or not you want to use Peer to Peer programs but it seems apparent that the utilization of that file sharing mechanism infected your computer quite severely.


what does combofix do?


Combofix scans your computer for malicious software and settings and removes them. It also provides a variety of information for review so we can check for irregularities and/or additional signs of infection, which is true in your case.


I am providing some steps for you to take but I must first advise you of the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed any evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text below into the Notepad document

    SecCenter::
    AV: AVG Internet Security 2011 *Disabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
    SP: AVG Internet Security 2011 *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    Folder::
    c:\users\adar\AppData\Roaming\AVG10
    d:\temp\from local\Local\MFAData
    d:\temp\from local\Local\Avg2013
    c:\users\adar\AppData\Roaming\AVG2012
    c:\programdata\AVG2012
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    DDS::
    IE: ????3??
    IE: ????3??????
    IE: Download all by FlashGet3 - c:\users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
    IE: Download all links with IDM - e:\program files (x86)\Internet Download Manager\IEGetAll.htm
    IE: Download by FlashGet3 - c:\users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
    IE: ????3?? - c:\users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
    IE: ????3?????? - c:\users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
    Files::
    c:\users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
    e:\program files (x86)\Internet Download Manager\IEGetAll.htm
    c:\users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
    RegLockDel::
    [HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}]
    [HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}hQט‏c]
    

  • Save this on your desktop as CFScript.txt.


    Posted Image

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

===================================================


Virustotal Online Virus Scanner

--------------------

  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file, double click on it so the file name is populated, then click Scan it!
  • IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

    c:\windows\windllreg1c.sys
  • Once completed, highlight the information in the address bar and copy then paste the link in your reply


    Posted Image

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix log
  • Virustotal link
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
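The script above resets BootExecute (under Session Manager) to its default with a hex(7), i.e. REG_MULTI_SZ, value, and the earlier log showed the AVG entry that had been appended to that list. As an added example that is not part of the thread and not ComboFix's own code, this Python decodes that hex(7) form, parses ComboFix's BootExecute log line, and flags any entry other than the Windows default "autocheck autochk *"; the function names are mine, and the two sample inputs are copied from the log and CFScript in this thread.

```python
"""Triage helper for the BootExecute value seen in the ComboFix log and script.

Added example; not ComboFix's code and not part of the forum thread.
BootExecute (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager) is a
REG_MULTI_SZ listing native programs Session Manager runs at boot, before
services start; anything beyond the default "autocheck autochk *" deserves a look.
"""
import re

DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

# Sample inputs copied from the ComboFix log and CFScript posted in the thread.
LOG_LINE = (
    "BootExecute REG_MULTI_SZ autocheck autochk *\\0"
    "e:\\program files (x86)\\AVG2012\\avgrsa.exe /sync /restart"
)
SCRIPT_VALUE = ("hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,"
                "20,2a,00,00")


def decode_reg_hex7(value: str) -> list:
    """Decode a REG_MULTI_SZ written as 'hex(7):aa,bb,...' into its strings.

    The CFScript form uses one byte per character (ANSI), not the UTF-16LE
    that a Unicode .reg export would use, so the bytes are decoded as
    latin-1.  Each string is NUL-terminated and the list ends with an extra
    NUL, which is why empty pieces are dropped after splitting.
    """
    m = re.match(r"\s*hex\(7\):(.*)\Z", value, re.S)
    if not m:
        raise ValueError("not a hex(7) value")
    # Tolerate .reg line continuations (a trailing backslash) and whitespace.
    body = re.sub(r"[\\\s]", "", m.group(1))
    data = bytes(int(tok, 16) for tok in body.split(",") if tok)
    return [s for s in data.decode("latin-1").split("\0") if s]


def encode_reg_hex7(entries) -> str:
    """Inverse of decode_reg_hex7, producing the same layout the script uses."""
    data = b"".join(e.encode("latin-1") + b"\0" for e in entries) + b"\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_combofix_bootexecute(line: str) -> list:
    """Split ComboFix's 'BootExecute REG_MULTI_SZ a\\0b' log line into entries.

    ComboFix prints the multi-string with a literal backslash-zero between
    entries (text, not a NUL byte).  A path that itself contains '\\0' would
    be split as well; such a path is unusual enough to warrant a look anyway.
    """
    m = re.match(r"BootExecute\s+REG_MULTI_SZ\s+(.*)\Z", line.rstrip())
    if not m:
        raise ValueError("not a ComboFix BootExecute line")
    return [s for s in m.group(1).split("\\0") if s]


def non_default_entries(entries) -> list:
    """Return the BootExecute entries that are not the Windows default."""
    return [e for e in entries if e not in DEFAULT_BOOTEXECUTE]


if __name__ == "__main__":
    current = parse_combofix_bootexecute(LOG_LINE)
    for entry in non_default_entries(current):
        print("non-default BootExecute entry:", entry)
    print("script resets BootExecute to:", decode_reg_hex7(SCRIPT_VALUE))
```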

#6 topeira

topeira
  • Topic Starter

  • Members
  • 31 posts

Posted 27 November 2012 - 03:22 AM

Hi there.

Again - thanks a lot for all the professional help. Very VERY much appreciated. :)

My computer does not contain sensitive information. It holds games, media and work, which is only graphics (Flash files, video files and picture files like PSDs and JPGs), and all my banking is done on my bank's website which, of course, doesn't save any password in cookies and whatnot.

What is the big risk to me due to the backdoor breach if there is little, if any, important information on my HDD? Or am I missing/forgetting something?

Also, the BSOD I used to have when shutting down has disappeared, even before the first ComboFix run. Don't know why :-O. But the weird error message vanished AFTER the first ComboFix, as well as about 5GB of hard disk space that suddenly became free on my C: drive. WTF? What da heck did ComboFix do that gave me an extra 5GB of free HDD space?! (I'm not complaining. Problems are resolved, as far as I can see, but I'm still really curious).



In any case I'm doing my best to follow your requests, so first - here is the online scan URL:

https://www.virustotal.com/file/1fa2240b4426b4eecfff0b389a2c60cc72f95f8a0d920c53a0146b39019fd3da/analysis/1354004240/



Here is the content of the ComboFix text file:


ComboFix 12-11-24.02 - adar 11/27/2012 2:27.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1255.972.1033.18.8190.5860 [GMT 2:00]
Running from: c:\users\adar\Desktop\ComboFix.exe
Command switches used :: c:\users\adar\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\AVG2012
c:\programdata\AVG2012\Cfg\admin.cfg
c:\programdata\AVG2012\Cfg\idp.cfg
c:\programdata\AVG2012\Cfg\krnl.cfg
c:\programdata\AVG2012\Cfg\rsexcludes.cfg
c:\programdata\AVG2012\Cfg\setup.cfg
c:\programdata\AVG2012\Cfg\updatecomps.cfg
c:\programdata\AVG2012\cfgall\fw.cfg
c:\programdata\AVG2012\cfgall\krnlall.cfg
c:\programdata\AVG2012\cfgall\updateall.cfg
c:\programdata\AVG2012\cfgall\userall.cfg
c:\programdata\AVG2012\IDS\config\internalList.zip.bak
c:\programdata\AVG2012\IDS\config\md5Cache.dat
c:\programdata\AVG2012\IDS\config\quarantinedList.zip
c:\programdata\AVG2012\IDS\config\quarantinedList.zip.bak
c:\programdata\AVG2012\IDS\config\ShortcutCache.dat
c:\programdata\AVG2012\IDS\config\userList.zip
c:\programdata\AVG2012\IDS\config\userList.zip.bak
c:\programdata\AVG2012\IDS\malwareprofile\backup.dat
c:\programdata\AVG2012\IDS\malwareprofile\nodes.dat
c:\programdata\AVG2012\IDS\profile\globalLoadable.bak
c:\programdata\AVG2012\IDS\profile\globalLoadable.gdb
c:\programdata\AVG2012\log\avgcfg.log
c:\programdata\AVG2012\log\avgcfg.log.lock
c:\programdata\AVG2012\log\avgcore.log
c:\programdata\AVG2012\log\avgcore.log.1
c:\programdata\AVG2012\log\avgcore.log.2
c:\programdata\AVG2012\log\avgcore.log.3
c:\programdata\AVG2012\log\avgcore.log.4
c:\programdata\AVG2012\log\avgcore.log.5
c:\programdata\AVG2012\log\avgcore.log.6
c:\programdata\AVG2012\log\avgcore.log.lock
c:\programdata\AVG2012\log\avgdecider.log
c:\programdata\AVG2012\log\avgdecider.log.lock
c:\programdata\AVG2012\log\avgfw.log
c:\programdata\AVG2012\log\avgfw.log.lock
c:\programdata\AVG2012\log\avgidpagent.log
c:\programdata\AVG2012\log\avgidpagent.log.1
c:\programdata\AVG2012\log\avgidpagent.log.lock
c:\programdata\AVG2012\log\avgldr.log
c:\programdata\AVG2012\log\avgldr.log.lock
c:\programdata\AVG2012\log\avglng.log
c:\programdata\AVG2012\log\avglng.log.lock
c:\programdata\AVG2012\log\avgscan.log
c:\programdata\AVG2012\log\avgscan.log.lock
c:\programdata\AVG2012\log\avgsrm.log
c:\programdata\AVG2012\log\avgsrm.log.lock
c:\programdata\AVG2012\log\avgtdi.log
c:\programdata\AVG2012\log\avgtdi.log.lock
c:\programdata\AVG2012\log\avgual.log
c:\programdata\AVG2012\log\avgual.log.lock
c:\programdata\AVG2012\log\avgui.log
c:\programdata\AVG2012\log\avgui.log.lock
c:\programdata\AVG2012\log\avgui_idp_adar.log
c:\programdata\AVG2012\log\avgui_idp_adar.log.lock
c:\programdata\AVG2012\log\avgwd.log
c:\programdata\AVG2012\log\avgwd.log.lock
c:\programdata\AVG2012\log\avgwdsvc.log
c:\programdata\AVG2012\log\avgwdsvc.log.lock
c:\programdata\AVG2012\log\fwstats_2012_11_19_10_11_00.fwstats
c:\programdata\AVG2012\log\fwstats_2012_11_19_10_44_11.fwstats
c:\programdata\AVG2012\log\history.xml
c:\programdata\AVG2012\log\vault.log
c:\programdata\AVG2012\log\vault.log.lock
c:\programdata\AVG2012\scanlogs\I_00000005.log
c:\programdata\AVG2012\scanlogs\I_00000006.log
c:\programdata\AVG2012\scanlogs\I_00000007.log
c:\programdata\AVG2012\scanlogs\I_00000008.log
c:\programdata\AVG2012\scanlogs\srm.idx
c:\users\adar\AppData\Roaming\AVG10
c:\users\adar\AppData\Roaming\AVG10\cfgall\usergui.cfg
c:\users\adar\AppData\Roaming\AVG2012
c:\users\adar\AppData\Roaming\AVG2012\cfgall\userawacs.cfg
c:\users\adar\AppData\Roaming\AVG2012\cfgall\usergui.cfg
c:\users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
c:\users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
d:\temp\from local\Local\Avg2013
d:\temp\from local\Local\MFAData
d:\temp\from local\Local\MFAData\logs\mfa-20121119-082921.log
d:\temp\from local\Local\MFAData\logs\mfa-20121119-095721.log
d:\temp\from local\Local\MFAData\logs\mfa-20121119-100256.log
d:\temp\from local\Local\MFAData\logs\mfa-20121119-105037.log
d:\temp\from local\Local\MFAData\logs\mfa-20121119-105718.log
d:\temp\from local\Local\MFAData\logs\msi-20121119-082921.log
d:\temp\from local\Local\MFAData\logs\r64-20121119-082952.log
e:\program files (x86)\Internet Download Manager\IEGetAll.htm
.
.
((((((((((((((((((((((((( Files Created from 2012-10-27 to 2012-11-27 )))))))))))))))))))))))))))))))
.
.
2042-01-06 07:40 . 2042-01-06 07:40 4263 --sh--w- c:\windows\windllreg1c.sys
2012-11-27 02:17 . 2012-11-27 02:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-27 02:16 . 2012-11-27 02:16 -------- d-----w- d:\temp\from local\Local\temp
2012-11-25 21:15 . 2012-11-26 07:53 -------- d-----w- c:\users\adar\AppData\Roaming\JAM Software
2012-11-25 18:38 . 2012-11-25 18:38 -------- d-----w- d:\temp\from local\Local\Rockstar Games
2012-11-23 18:59 . 2012-11-23 18:59 -------- d-----w- c:\users\adar\Impostazioni locali
2012-11-21 20:41 . 2012-11-21 20:41 -------- d-----w- c:\users\adar\AppData\Roaming\Theta
2012-11-20 23:16 . 2012-11-25 23:52 -------- d-sh--w- c:\users\adar\Userdata
2012-11-20 21:26 . 2012-11-20 21:26 -------- d-----w- c:\users\adar\AppData\Roaming\ATI
2012-11-20 21:26 . 2012-11-20 21:26 -------- d-----w- c:\programdata\ATI
2012-11-20 21:25 . 2012-11-20 21:25 0 ----a-w- c:\windows\ativpsrm.bin
2012-11-20 21:19 . 2012-11-20 21:19 -------- d-----w- c:\programdata\AMD
2012-11-20 21:19 . 2012-11-20 21:19 -------- d-----w- c:\program files (x86)\AMD AVT
2012-11-20 21:18 . 2012-11-20 21:18 -------- d-----w- c:\program files (x86)\AMD APP
2012-11-20 21:18 . 2012-11-20 21:18 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-11-20 21:18 . 2012-11-20 21:18 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-11-20 20:41 . 2012-11-20 21:18 -------- d-----w- c:\program files\ATI Technologies
2012-11-20 20:41 . 2012-11-20 20:41 -------- d-----w- c:\program files\ATI
2012-11-20 20:40 . 2012-11-20 20:40 -------- d-----w- C:\AMD
2012-11-20 19:43 . 2012-11-20 19:43 -------- d-----w- d:\temp\from local\Local\ElevatedDiagnostics
2012-11-20 15:12 . 2012-11-20 15:12 388096 ----a-r- c:\users\adar\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-11-20 09:38 . 2012-11-20 09:38 -------- d-----w- d:\temp\from local\Local\ESET
2012-11-18 22:51 . 2012-11-25 23:52 -------- d-sh--w- c:\users\adar\Drivers
2012-11-15 22:55 . 2012-11-16 00:30 -------- d-----w- d:\temp\from local\Local\dxhr
2012-11-15 22:55 . 2012-11-15 22:55 -------- d-----w- d:\temp\from local\Local\28050
2012-10-31 10:28 . 2012-10-31 10:28 -------- d-----w- d:\temp\from local\Local\FLT
2012-10-30 15:32 . 2012-11-21 20:40 -------- d-----w- d:\temp\from local\Local\Ubisoft Game Launcher
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-26 07:30 . 2011-01-05 23:15 25640 ----a-w- c:\windows\gdrv.sys
2012-11-18 22:20 . 2011-01-08 01:17 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-11-18 22:20 . 2011-01-08 01:17 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-11-15 22:55 . 2012-04-04 14:32 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-15 22:55 . 2011-05-19 13:12 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 18:07 . 2011-01-08 01:47 280600 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-10-25 10:57 . 2011-01-08 01:17 280600 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-10-25 01:12 . 2012-10-25 01:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 01:12 . 2012-10-25 01:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-09-29 19:12 . 2012-09-29 19:12 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-09-29 19:12 . 2012-09-29 19:12 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-09-29 19:12 . 2012-09-29 19:12 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-09-29 19:12 . 2012-09-29 19:12 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-09-29 19:12 . 2012-09-29 19:12 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-09-29 19:12 . 2012-09-29 19:12 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-09-29 19:12 . 2012-09-29 19:12 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-09-29 19:12 . 2012-09-29 19:12 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-09-29 19:12 . 2012-09-29 19:12 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-09-29 19:12 . 2012-09-29 19:12 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-09-29 19:12 . 2012-09-29 19:12 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-09-29 19:12 . 2012-09-29 19:12 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-09-29 19:12 . 2012-09-29 19:12 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-09-29 19:12 . 2012-09-29 19:12 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-09-29 19:12 . 2012-09-29 19:12 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-09-29 19:12 . 2012-09-29 19:12 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-09-29 19:12 . 2012-09-29 19:12 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-09-29 19:12 . 2012-09-29 19:12 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-09-29 19:12 . 2012-09-29 19:12 816640 ----a-w- c:\windows\system32\jscript.dll
2012-09-29 19:12 . 2012-09-29 19:12 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-09-29 19:12 . 2012-09-29 19:12 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-09-29 19:12 . 2012-09-29 19:12 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-09-29 19:12 . 2012-09-29 19:12 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-09-29 19:12 . 2012-09-29 19:12 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-09-29 19:12 . 2012-09-29 19:12 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-09-29 19:12 . 2012-09-29 19:12 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-09-29 19:12 . 2012-09-29 19:12 448512 ----a-w- c:\windows\system32\html.iec
2012-09-29 19:12 . 2012-09-29 19:12 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-09-29 19:12 . 2012-09-29 19:12 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-09-29 19:12 . 2012-09-29 19:12 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-09-29 19:12 . 2012-09-29 19:12 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-09-29 19:12 . 2012-09-29 19:12 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-09-29 19:12 . 2012-09-29 19:12 248320 ----a-w- c:\windows\system32\ieui.dll
2012-09-29 19:12 . 2012-09-29 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-09-29 19:12 . 2012-09-29 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-09-29 19:12 . 2012-09-29 19:12 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-09-29 19:12 . 2012-09-29 19:12 222208 ----a-w- c:\windows\system32\msls31.dll
2012-09-29 19:12 . 2012-09-29 19:12 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-09-29 19:12 . 2012-09-29 19:12 197120 ----a-w- c:\windows\system32\msrating.dll
2012-09-29 19:12 . 2012-09-29 19:12 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-09-29 19:12 . 2012-09-29 19:12 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-09-29 19:12 . 2012-09-29 19:12 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-09-29 19:12 . 2012-09-29 19:12 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-09-29 19:12 . 2012-09-29 19:12 149504 ----a-w- c:\windows\system32\occache.dll
2012-09-29 19:12 . 2012-09-29 19:12 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-09-29 19:12 . 2012-09-29 19:12 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-09-29 19:12 . 2012-09-29 19:12 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-09-29 19:12 . 2012-09-29 19:12 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-09-29 19:12 . 2012-09-29 19:12 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-09-29 19:12 . 2012-09-29 19:12 12288 ----a-w- c:\windows\system32\mshta.exe
2012-09-29 19:12 . 2012-09-29 19:12 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-09-29 19:12 . 2012-09-29 19:12 114176 ----a-w- c:\windows\system32\admparse.dll
2012-09-29 19:12 . 2012-09-29 19:12 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-09-29 19:12 . 2012-09-29 19:12 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-09-29 19:12 . 2012-09-29 19:12 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-09-29 19:12 . 2012-09-29 19:12 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-09-29 19:12 . 2012-09-29 19:12 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-09-29 19:12 . 2012-09-29 19:12 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-09-29 19:12 . 2012-09-29 19:12 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-09-29 19:12 . 2012-09-29 19:12 82432 ----a-w- c:\windows\system32\icardie.dll
2012-09-29 19:12 . 2012-09-29 19:12 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-09-29 19:12 . 2012-09-29 19:12 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-09-29 19:12 . 2012-09-29 19:12 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-09-29 19:12 . 2012-09-29 19:12 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-09-29 19:12 . 2012-09-29 19:12 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-09-29 19:12 . 2012-09-29 19:12 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-09-29 19:12 . 2012-09-29 19:12 237056 ----a-w- c:\windows\system32\url.dll
2012-09-29 19:12 . 2012-09-29 19:12 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-09-29 19:12 . 2012-09-29 19:12 160256 ----a-w- c:\windows\system32\wextract.exe
2012-09-29 19:12 . 2012-09-29 19:12 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-09-29 19:12 . 2012-09-29 19:12 103936 ----a-w- c:\windows\system32\inseng.dll
2012-09-28 13:37 . 2012-09-28 13:37 221696 ----a-w- c:\windows\system32\clinfo.exe
2012-09-28 13:36 . 2012-09-28 13:36 75776 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-09-28 13:36 . 2012-09-28 13:36 65536 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-09-28 13:36 . 2012-09-28 13:36 63488 ----a-w- c:\windows\system32\OVDecode64.dll
2012-09-28 13:36 . 2012-09-28 13:36 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-09-28 13:36 . 2012-09-28 13:36 32635904 ----a-w- c:\windows\system32\amdocl64.dll
2012-09-28 13:32 . 2012-09-28 13:32 27341824 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-09-27 18:07 . 2012-10-10 09:36 160992 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2012-09-12 15:41 . 2011-01-16 22:49 2568 --sha-w- c:\programdata\KGyGaAvL.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2011-05-23 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2011-05-23 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{7473b6bd-4691-4744-a82b-7854eb3d70b6}"= "c:\program files (x86)\uTorrentControl_v2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{7473b6bd-4691-4744-a82b-7854eb3d70b6}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="e:\program files (x86)\Internet Download Manager\IDMan.exe" [2012-10-11 3536320]
"Steam"="d:\steam\steam.exe" [2012-08-14 1353080]
"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
"RGSC"="c:\program files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-12 306088]
"FlashGet 3"="c:\program files (x86)\FlashGet Network\FlashGet 3\Flashget3.exe" [2009-12-22 2127408]
"CGFLoader"="e:\program files (x86)\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]
"CalibrizeResume"="e:\program files (x86)\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"WinampAgent"="e:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Share-to-Web Namespace Daemon"="e:\program files (x86)\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Reclusa"="e:\program files (x86)\Razer\Reclusa\razerhid.exe" [2007-03-07 167936]
"QuickTime Task"="e:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="e:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
.
c:\users\adar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\adar\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - d:\temp\from c prog files 86\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-9-7 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R0 AFS;AFS; [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 ATICDSDr;ATICDSDr;c:\users\adar\AppData\Local\Temp\ATICDSDr.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-09-20 1432400]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-03-01 130976]
R3 GPU-Z;GPU-Z;c:\users\adar\AppData\Local\Temp\GPU-Z.sys [x]
R3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\DRIVERS\s0017bus.sys [2008-10-21 113704]
R3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0017mdfl.sys [2008-10-21 19496]
R3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0017mdm.sys [2008-10-21 152616]
R3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0017mgmt.sys [2008-10-21 133160]
R3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\DRIVERS\s0017nd5.sys [2008-10-21 34856]
R3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0017obex.sys [2008-10-21 128552]
R3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\DRIVERS\s0017unic.sys [2008-10-21 145960]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-23 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-14 209768]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 148528]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-09-28 239616]
S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-08-04 219360]
S2 ekrn;ESET Service;e:\program files\ESET NOD32 Antivirus\x86\ekrn.exe [2012-03-07 913144]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2012-03-14 137144]
S2 GEST Service;GEST Service for program management.;c:\program files (x86)\GIGABYTE\EnergySaver\GSvr.exe [2009-07-30 68136]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2012-09-27 160992]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 RadeonPro Support Service;RadeonPro Support Service;e:\program files (x86)\RadeonPro\RadeonProSupport.exe [2011-02-09 12800]
S2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [2012-04-18 8518008]
S2 TeamViewer7;TeamViewer 7;e:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 2666880]
S2 TouchServiceWacom;Wacom Professional Touch Service;c:\program files\Tablet\Wacom\Wacom_TouchService.exe [2012-04-18 567672]
S2 WysePocketCloud;Wyse PocketCloud;c:\program files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [2012-03-20 175520]
S2 XMouseButton Launcher;XMouseButton Launcher;e:\program files\X-Mouse Button Control\XMouseButtonSvc.exe [2010-11-13 86016]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]
S3 hidkmdf;KMDF Driver;c:\windows\system32\DRIVERS\hidkmdf.sys [2012-03-29 13688]
S3 RecFltr;Reclusa Keyboard;c:\windows\system32\drivers\RecFltr.sys [2007-01-18 45440]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2012-06-12 726160]
S3 WacHidRouter;Wacom Hid Router;c:\windows\system32\DRIVERS\wachidrouter.sys [2012-03-29 65912]
S3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\DRIVERS\wacomrouterfilter.sys [2012-03-29 15736]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 22:55]
.
2012-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-07 11:08]
.
2012-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-07 11:08]
.
2012-11-26 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-11-21 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2012-09-07 09:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 97792 ----a-w- c:\users\adar\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 23432 ----a-w- e:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-03 11842152]
"PocketCloud Location"="c:\program files (x86)\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2012-03-20 881568]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1680976]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = localhost;*.local
IE: Download with IDM - e:\program files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - e:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: ????3?? - c:\users\adar\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: ????3?????? - c:\users\adar\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=
FF - ExtSQL: 2012-10-07 22:37; {7473b6bd-4691-4744-a82b-7854eb3d70b6}; c:\users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Descent Manager Tools - c:\windows\system32\uninstdm.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-{CB04D8E1-7B9C-4F35-B2E2-E87CBE520805} - c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\core\PDApp.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3* N}]
@Allowed: (Read) (RestrictedCode)
@="c:\\Users\\adar\\AppData\\Roaming\\FlashGetBHO\\GetUrl.htm"
"contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3* N}hQט‏”¥c]
@Allowed: (Read) (RestrictedCode)
@="c:\\Users\\adar\\AppData\\Roaming\\FlashGetBHO\\GetAllUrl.htm"
"contexts"=dword:000000f3
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\SecuROM\License information*]
"datasecu"=hex:47,55,a9,ca,37,80,fe,4d,6f,88,52,f4,a3,31,ca,86,64,87,00,2a,9a,
31,9f,8d,b5,56,e7,fc,fd,a5,9c,d9,ba,3c,71,66,59,57,ca,4a,8e,c8,68,fc,4e,32,\
"rkeysecu"=hex:01,76,38,c2,22,b9,c4,63,b2,f2,9c,8e,5d,af,6c,4b
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-27 04:20:19
ComboFix-quarantined-files.txt 2012-11-27 02:20
.
Pre-Run: 7,100,231,680 bytes free
Post-Run: 7,383,764,992 bytes free
.
- - End Of File - - C16C218E43A3A03204E589EFCAE8F296

Edited by topeira, 27 November 2012 - 03:26 AM.


#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:08 PM

Posted 27 November 2012 - 10:25 AM

Hi topeira,


what is the big risk to me due to the backdoor breach if there is little , if any, important information on my HDD?

Your computer could become a bot. You also need to be careful you do not cross-contaminate another computer by sharing files which are possibly infected.

----------

what da heck did combofix do that gave me an extra 5GB of free HDD space?

I can't answer that; I don't know what Combofix did the first time around.

----------

I would like to get a listing of Adware type entries on your computer. This will just create a report for us to review. We are also going to delete some registry keys after we back up your registry.


===================================================


AdwCleaner by Xplode - Search for Adware

-------------------

  • Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Search
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well

===================================================


ERUNT Registry Backup

--------------------

  • Please download ERUNT (Emergency Recovery Utility for NT) and save it to your desktop
  • Double click the icon
  • Select Run
  • Click OK, then click Next 3 times until you receive the Select Additional Tasks screen
  • Uncheck Create NTREGOPT desktop icon box
  • Select Next, then Install, then No
  • Uncheck Show documentation then Finish
  • Click OK, then OK again, then Yes
  • ERUNT will now back up your registry
  • Once completed click OK

===================================================


Deleting Registry Keys

-------------------

  • Go to Start > Run (or if no "Run", enter in the search bar) and type in Notepad
  • Copy/paste the following text inside the code box into a new notepad document.

    @echo off
    REM Grant full access to the two locked FlashGet MenuExt keys, then delete them (key names are quoted because the path contains spaces)
    swreg acl "HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}" /p /oa /eg:f
    swreg null delete "HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}"
    swreg acl "HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}hQט‏”¥c" /p /oa /eg:f
    swreg null delete "HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}hQט‏”¥c"
    REM Remove the FlashGet 3 autorun value (quoted because the value name contains a space)
    swreg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "FlashGet 3"
    cls
    REM Save whatever is left under MenuExt to C:\query.txt and open it for review
    Reg Query "HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt" > C:\query.txt
    Notepad C:\query.txt
    REM The batch file deletes itself once it has run
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat.
  • Click Save.
  • Double click fix.bat and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.
  • A query.txt should open on your desktop (it is also in your C:\ directory). Copy and paste the contents in your reply
  • Reboot your computer

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • AdwCleaner log
  • Did fix.bat run properly?
  • query.txt
  • How is your computer running?

Edited by Oh My, 27 November 2012 - 11:29 AM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
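The following PowerShell script is an added example, not part of this thread or of the helper's fix.bat. It makes no changes: it only reports whether the state fix.bat is meant to produce has been reached, using the SID, MenuExt key and "FlashGet 3" Run value from the ComboFix log above, and it assumes it is run on that same machine as that same user.

```powershell
# Added example (not from the thread): verify the result of the registry fix
# without modifying anything. SID, key and value names come from the ComboFix log.

$sid     = 'S-1-5-21-2125334614-2051078435-2691333662-1001'
$menuExt = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\MenuExt"
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Changing the ACL of a locked key needs an elevated session, so report that first.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated session: $elevated"

# The MenuExt key names are non-ASCII and garbled in the log, so match the entries
# on the path their default value points to (the FlashGetBHO folder) instead.
$leftovers = Get-ChildItem -Path $menuExt -ErrorAction SilentlyContinue | Where-Object {
    $default = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
    $default -like '*\FlashGetBHO\*'
}

if ($leftovers) {
    "MenuExt entries still pointing at FlashGetBHO:"
    foreach ($k in $leftovers) {
        # Owner tells you who must grant access before the key can be deleted;
        # reading the ACL itself can fail on a locked key, hence SilentlyContinue.
        $acl = Get-Acl -Path $k.PSPath -ErrorAction SilentlyContinue
        "  {0}  (owner: {1})" -f $k.PSChildName, $(if ($acl) { $acl.Owner } else { 'unreadable' })
    }
} else {
    "No MenuExt entries point at FlashGetBHO."
}

# The autorun value the fix removes; the name contains a space, so it is quoted.
$run = Get-ItemProperty -Path $runKey -Name 'FlashGet 3' -ErrorAction SilentlyContinue
if ($run) { "Run value 'FlashGet 3' still present: {0}" -f $run.'FlashGet 3' }
else      { "Run value 'FlashGet 3' is gone." }
```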

#8 topeira

topeira
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 28 November 2012 - 03:13 AM

Thanks again, and again :)

The fix.bat didn't run properly. I clicked the bat file I got from turning the filled txt file into a bat file.
The black CMD window showed the error "access is denied".
Also, I got a message telling me the program couldn't find the query.txt file and asking if I wished to create a new file. I pressed YES but that did nothing. I got a Notepad window open but it was empty and named "untitled". On top of that, the bat file I created was deleted automatically right after.

Here is the AdwCleaner file:

# AdwCleaner v2.009 - Logfile created 11/28/2012 at 10:00:24
# Updated 24/11/2012 by Xplode
# Operating system : Windows 7 Ultimate (64 bits)
# User : adar - ADAR-PC
# Boot Mode : Normal
# Running from : C:\Users\adar\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\searchplugins\Conduit.xml
File Found : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\searchplugins\daemon-search.xml
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\DAEMON Tools Toolbar
Folder Found : C:\Program Files (x86)\uTorrentControl_v2
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\Users\adar\AppData\LocalLow\Conduit
Folder Found : C:\Users\adar\AppData\LocalLow\uTorrentControl_v2
Folder Found : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\CT3220468
Folder Found : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
Folder Found : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\DTToolbar@toolbarnet.com
Folder Found : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\Smartbar
Folder Found : D:\temp\from local\Local\Conduit
Folder Found : D:\temp\from local\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\AppDataLow\Software\uTorrentControl_v2
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Found : HKLM\Software\uTorrentControl_v2
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D13C38F-A1DC-4D68-A6C8-5944CD574C72}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DF3959A9-4585-446B-857C-A55419BCC4C8}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl_v2 Toolbar
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\prefs.js

Found : user_pref("CT3220468.129571859753082121.isToggled_item0_12", "true");
Found : user_pref("CT3220468.BT_Stats", "{\"last_log\":1349776330,\"uuid\":971364932827341,\"seq_id\":1,\"ss[...]
Found : user_pref("CT3220468.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"false\"}");
Found : user_pref("CT3220468.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Found : user_pref("CT3220468.FirstTime", "true");
Found : user_pref("CT3220468.FirstTimeFF3", "true");
Found : user_pref("CT3220468.LoginRevertSettingsEnabled", false);
Found : user_pref("CT3220468.RevertSettingsEnabled", true);
Found : user_pref("CT3220468.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]
Found : user_pref("CT3220468.UserID", "UN07222373146433579");
Found : user_pref("CT3220468.addressBarTakeOverEnabledInHidden", "true");
Found : user_pref("CT3220468.autoDisableScopes", -1);
Found : user_pref("CT3220468.browser.search.defaultthis.engineName", true);
Found : user_pref("CT3220468.embeddedsData", "[{\"appId\":\"129813684258939747\",\"apiPermissions\":{\"cross[...]
Found : user_pref("CT3220468.enableAlerts", "always");
Found : user_pref("CT3220468.enableSearchFromAddressBar", "true");
Found : user_pref("CT3220468.firstTimeDialogOpened", "true");
Found : user_pref("CT3220468.fixPageNotFoundError", "true");
Found : user_pref("CT3220468.fixPageNotFoundErrorInHidden", "true");
Found : user_pref("CT3220468.fixUrls", true);
Found : user_pref("CT3220468.installId", "fft573E.tmp.exe");
Found : user_pref("CT3220468.installType", "XPE");
Found : user_pref("CT3220468.isCheckedStartAsHidden", true);
Found : user_pref("CT3220468.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Found : user_pref("CT3220468.isFirstTimeToolbarLoading", "false");
Found : user_pref("CT3220468.isNewTabEnabled", true);
Found : user_pref("CT3220468.isPerformedSmartBarTransition", "true");
Found : user_pref("CT3220468.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Found : user_pref("CT3220468.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Found : user_pref("CT3220468.keyword", true);
Found : user_pref("CT3220468.migrateAppsAndComponents", true);
Found : user_pref("CT3220468.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"about[...]
Found : user_pref("CT3220468.newSettings", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Found : user_pref("CT3220468.openThankYouPage", "true");
Found : user_pref("CT3220468.openUninstallPage", "FALSE");
Found : user_pref("CT3220468.search.searchAppId", "129813684258939747");
Found : user_pref("CT3220468.search.searchCount", "0");
Found : user_pref("CT3220468.searchInNewTabEnabledInHidden", "true");
Found : user_pref("CT3220468.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"true\"}");
Found : user_pref("CT3220468.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"false\"}");
Found : user_pref("CT3220468.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Found : user_pref("CT3220468.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Found : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Found : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Found : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Found : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Found : user_pref("CT3220468.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data[...]
Found : user_pref("CT3220468.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1353614740488");
Found : user_pref("CT3220468.serviceLayer_services_appTracking_lastUpdate", "1353623839908");
Found : user_pref("CT3220468.serviceLayer_services_appsMetadata_lastUpdate", "1353974490123");
Found : user_pref("CT3220468.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1353429675511");
Found : user_pref("CT3220468.serviceLayer_services_login_10.10.27.6_lastUpdate", "1353229432189");
Found : user_pref("CT3220468.serviceLayer_services_login_10.13.40.15_lastUpdate", "1353974490546");
Found : user_pref("CT3220468.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1353429675450");
Found : user_pref("CT3220468.serviceLayer_services_searchAPI_lastUpdate", "1353974490664");
Found : user_pref("CT3220468.serviceLayer_services_serviceMap_lastUpdate", "1353974489604");
Found : user_pref("CT3220468.serviceLayer_services_toolbarContextMenu_lastUpdate", "1353429675404");
Found : user_pref("CT3220468.serviceLayer_services_toolbarSettings_lastUpdate", "1353974490131");
Found : user_pref("CT3220468.serviceLayer_services_translation_lastUpdate", "1353974489694");
Found : user_pref("CT3220468.settingsINI", true);
Found : user_pref("CT3220468.shouldFirstTimeDialog", "false");
Found : user_pref("CT3220468.smartbar.CTID", "CT3220468");
Found : user_pref("CT3220468.smartbar.Uninstall", "0");
Found : user_pref("CT3220468.smartbar.homepage", true);
Found : user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");
Found : user_pref("CT3220468.startPage", "TRUE");
Found : user_pref("CT3220468.toolbarBornServerTime", "9-10-2012");
Found : user_pref("CT3220468.toolbarCurrentServerTime", "27-11-2012");
Found : user_pref("CT3220468.upgradeFromClearSBVersion", true);
Found : user_pref("CT3220468_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Found : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=1[...]
Found : user_pref("Smartbar.ConduitSearchEngineList", "");
Found : user_pref("Smartbar.ConduitSearchUrlList", "");
Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");
Found : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13");
Found : user_pref("gm-notifier.ui.counter.showInbox", true);
Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=[...]
Found : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Found : user_pref("smartbar.originalSearchAddressUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]

-\\ Google Chrome v21.0.1180.89

File : D:\temp\from local\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : D:\temp\from local\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [10851 octets] - [28/11/2012 10:00:24]

########## EOF - C:\AdwCleaner[R1].txt - [10912 octets] ##########
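Added example (not part of this thread and not AdwCleaner's own code): the Firefox section of the log above is the part worth automating, because the hijack lives in plain text in prefs.js rather than in a binary. The script parses user_pref() lines, flags the navigation prefs (startup homepage, keyword.URL, default search) whose URL points at a host outside an allow-list, and summarises each Conduit-style CT<digits> pref family together with the installer name it recorded. The sample prefs.js is constructed from the lines reported above, the trusted-host list is an assumption, and the function names are this example's own.

```python
"""Added example: flag search/homepage hijacking in a Firefox prefs.js."""
import json
import re
from urllib.parse import urlparse

# Constructed sample modelled on the prefs.js lines AdwCleaner reported above.
# "hxxp" is the log's defanged spelling of "http"; a real prefs.js uses http(s).
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13");
user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=");
user_pref("browser.search.defaultenginename", "Google");
user_pref("CT3220468.installId", "fft573E.tmp.exe");
user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");
user_pref("CT3220468.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
user_pref("CT3220468.RevertSettingsEnabled", true);
user_pref("gm-notifier.ui.counter.showInbox", true);
'''

# user_pref("<name>", <JS literal>);  -- the literal is JSON-compatible
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Prefs that decide where the browser goes on startup and on address-bar search.
NAVIGATION_PREFS = (
    "browser.startup.homepage",
    "keyword.URL",
    "browser.search.defaulturl",
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
)
# Hosts treated as legitimate defaults: an assumption for this example, tune per site.
TRUSTED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "duckduckgo.com"}
# Conduit-built toolbars prefix every pref they own with their CT<digits> toolbar id.
CTID_RE = re.compile(r"^(CT\d+)\.")


def parse_prefs(text):
    """Return {pref name: decoded value} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, literal = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(literal)   # strings, numbers, true/false
        except ValueError:
            prefs[name] = literal               # keep anything odd as raw text
    return prefs


def host_of(value):
    """Hostname of a URL-valued pref, re-fanging hxxp:// first; None if not a URL."""
    if not isinstance(value, str):
        return None
    url = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)
    if "://" not in url:
        return None
    return urlparse(url).hostname


def audit_prefs(text):
    """Report navigation prefs pointing at untrusted hosts and toolbar pref families."""
    prefs = parse_prefs(text)
    hijacked = []
    for name in NAVIGATION_PREFS:
        host = host_of(prefs.get(name))
        if host and host.lower() not in TRUSTED_HOSTS:
            hijacked.append((name, host))
    toolbars = {}
    for name, value in prefs.items():
        m = CTID_RE.match(name)
        if not m:
            continue
        tb = toolbars.setdefault(m.group(1), {"pref_count": 0})
        tb["pref_count"] += 1
        if name.endswith(".installId"):
            tb["installer"] = value
        elif name.endswith(".smartbar.toolbarName"):
            tb["name"] = str(value).strip()
    return {"hijacked": sorted(hijacked), "toolbars": toolbars}


if __name__ == "__main__":
    report = audit_prefs(SAMPLE_PREFS_JS)
    for pref, host in report["hijacked"]:
        print(f"HIJACKED {pref} -> {host}")
    for ctid, info in report["toolbars"].items():
        print(f"TOOLBAR {ctid}: {info}")
```

On a real profile call audit_prefs(open(path_to_prefs_js).read()); the hxxp handling is there only so that defanged log lines like the ones above can be fed in directly. Note that the toolbar's own prefs (searchProtector, RevertSettingsEnabled and friends) are what re-apply the hijack after a manual reset, which is why the whole CT-prefixed family has to go, not just the homepage line.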

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:08 PM

Posted 28 November 2012 - 09:42 AM

Hi topeira,

You are welcome! :)


Can you tell me if you ran ERUNT?

It does not come as a total surprise the batch file was unsuccessful. Those malicious files are locked and are fighting against any attempts to unlock them. We will use a different tool to attempt to unlock them, then if successful follow up with steps to delete them.

AdwCleaner has reported quite a few entries which should be removed. This program is an all or nothing proposition, meaning if we want anything deleted then everything has to be deleted. I routinely delete all entries, including Peer 2 Peer, because it gives us a cleaner shot at getting a computer back to normal. Since you want to keep Peer 2 Peer here is my recommendation. We should run AdwCleaner and once we have determined your computer is healthy you can reinstall only those things you really want. The list you posted gives you the names of all the programs/toolbars that will be affected.

Please do this, including AdwCleaner (which I am requesting but) if you choose to do so.


===================================================


AdwCleaner by Xplode - Delete Adware

-------------------

  • Close all open programs and internet browser
  • Double click on adwcleaner.exe
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt

===================================================


Farbar's MiniRegTool

--------------------

  • Please download MiniRegTool64.zip and unzip it
  • When you run the tool this is what you will see


    Posted Image
  • Copy and paste the following into the edit box:

    HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3* N}
    HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3* N}hQט‏c

  • Check the Unlock Keys radio button.
  • Press the Go button and post the result.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Did ERUNT run successfully?
  • AdwCleaner log
  • MiniRegTool results

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 topeira

Posted 28 November 2012 - 10:19 AM

1) ERUNT went smoothly when I ran it.

2) MiniRegTool also presented me with a successful message when I pressed Go.

3) Here is the AdwCleaner log:

# AdwCleaner v2.009 - Logfile created 11/28/2012 at 17:07:51
# Updated 24/11/2012 by Xplode
# Operating system : Windows 7 Ultimate (64 bits)
# User : adar - ADAR-PC
# Boot Mode : Normal
# Running from : C:\Users\adar\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\searchplugins\Conduit.xml
File Deleted : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\searchplugins\daemon-search.xml
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\DAEMON Tools Toolbar
Folder Deleted : C:\Program Files (x86)\uTorrentControl_v2
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\adar\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\adar\AppData\LocalLow\uTorrentControl_v2
Folder Deleted : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\CT3220468
Folder Deleted : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
Folder Deleted : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\extensions\DTToolbar@toolbarnet.com
Folder Deleted : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\Smartbar
Folder Deleted : D:\temp\from local\Local\Conduit
Folder Deleted : D:\temp\from local\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\uTorrentControl_v2
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Deleted : HKLM\Software\uTorrentControl_v2
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D13C38F-A1DC-4D68-A6C8-5944CD574C72}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DF3959A9-4585-446B-857C-A55419BCC4C8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl_v2 Toolbar
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468 --> hxxp://www.google.com

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default
File : C:\Users\adar\AppData\Roaming\Mozilla\Firefox\Profiles\jg0pcbks.default\prefs.js

Deleted : user_pref("CT3220468.129571859753082121.isToggled_item0_12", "true");
Deleted : user_pref("CT3220468.BT_Stats", "{\"last_log\":1349776330,\"uuid\":971364932827341,\"seq_id\":1,\"ss[...]
Deleted : user_pref("CT3220468.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3220468.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Deleted : user_pref("CT3220468.FirstTime", "true");
Deleted : user_pref("CT3220468.FirstTimeFF3", "true");
Deleted : user_pref("CT3220468.LoginRevertSettingsEnabled", false);
Deleted : user_pref("CT3220468.RevertSettingsEnabled", true);
Deleted : user_pref("CT3220468.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]
Deleted : user_pref("CT3220468.UserID", "UN07222373146433579");
Deleted : user_pref("CT3220468.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT3220468.autoDisableScopes", -1);
Deleted : user_pref("CT3220468.browser.search.defaultthis.engineName", true);
Deleted : user_pref("CT3220468.embeddedsData", "[{\"appId\":\"129813684258939747\",\"apiPermissions\":{\"cross[...]
Deleted : user_pref("CT3220468.enableAlerts", "always");
Deleted : user_pref("CT3220468.enableSearchFromAddressBar", "true");
Deleted : user_pref("CT3220468.firstTimeDialogOpened", "true");
Deleted : user_pref("CT3220468.fixPageNotFoundError", "true");
Deleted : user_pref("CT3220468.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT3220468.fixUrls", true);
Deleted : user_pref("CT3220468.installId", "fft573E.tmp.exe");
Deleted : user_pref("CT3220468.installType", "XPE");
Deleted : user_pref("CT3220468.isCheckedStartAsHidden", true);
Deleted : user_pref("CT3220468.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.isFirstTimeToolbarLoading", "false");
Deleted : user_pref("CT3220468.isNewTabEnabled", true);
Deleted : user_pref("CT3220468.isPerformedSmartBarTransition", "true");
Deleted : user_pref("CT3220468.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.keyword", true);
Deleted : user_pref("CT3220468.migrateAppsAndComponents", true);
Deleted : user_pref("CT3220468.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxps[...]
Deleted : user_pref("CT3220468.newSettings", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.openThankYouPage", "true");
Deleted : user_pref("CT3220468.openUninstallPage", "FALSE");
Deleted : user_pref("CT3220468.search.searchAppId", "129813684258939747");
Deleted : user_pref("CT3220468.search.searchCount", "0");
Deleted : user_pref("CT3220468.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT3220468.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3220468.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3220468.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT3220468.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3220468.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT3220468.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data[...]
Deleted : user_pref("CT3220468.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1353614740488");
Deleted : user_pref("CT3220468.serviceLayer_services_appTracking_lastUpdate", "1353623839908");
Deleted : user_pref("CT3220468.serviceLayer_services_appsMetadata_lastUpdate", "1354105165394");
Deleted : user_pref("CT3220468.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1353429675511");
Deleted : user_pref("CT3220468.serviceLayer_services_login_10.10.27.6_lastUpdate", "1353229432189");
Deleted : user_pref("CT3220468.serviceLayer_services_login_10.13.40.15_lastUpdate", "1354105165681");
Deleted : user_pref("CT3220468.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1353429675450");
Deleted : user_pref("CT3220468.serviceLayer_services_searchAPI_lastUpdate", "1354105165747");
Deleted : user_pref("CT3220468.serviceLayer_services_serviceMap_lastUpdate", "1354105165110");
Deleted : user_pref("CT3220468.serviceLayer_services_toolbarContextMenu_lastUpdate", "1353429675404");
Deleted : user_pref("CT3220468.serviceLayer_services_toolbarSettings_lastUpdate", "1354112359973");
Deleted : user_pref("CT3220468.serviceLayer_services_translation_lastUpdate", "1354105165380");
Deleted : user_pref("CT3220468.settingsINI", true);
Deleted : user_pref("CT3220468.shouldFirstTimeDialog", "false");
Deleted : user_pref("CT3220468.smartbar.CTID", "CT3220468");
Deleted : user_pref("CT3220468.smartbar.Uninstall", "0");
Deleted : user_pref("CT3220468.smartbar.homepage", true);
Deleted : user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");
Deleted : user_pref("CT3220468.startPage", "TRUE");
Deleted : user_pref("CT3220468.toolbarBornServerTime", "9-10-2012");
Deleted : user_pref("CT3220468.toolbarCurrentServerTime", "28-11-2012");
Deleted : user_pref("CT3220468.upgradeFromClearSBVersion", true);
Deleted : user_pref("CT3220468_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=1[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13");
Deleted : user_pref("gm-notifier.ui.counter.showInbox", true);
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&q=[...]
Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Deleted : user_pref("smartbar.originalSearchAddressUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]

-\\ Google Chrome v21.0.1180.89

File : D:\temp\from local\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : D:\temp\from local\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [11124 octets] - [28/11/2012 17:07:51]

########## EOF - C:\AdwCleaner[S1].txt - [11185 octets] ##########
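Added triage example (not part of the thread and not AdwCleaner's own code): the registry section above shows a single CLSID, {7473B6BD-4691-4744-A82B-7854EB3D70B6}, registered as a Browser Helper Object, a URLSearchHook, an IE toolbar band and an add-on settings entry, with its class registered only in the Wow6432Node (32-bit) view. The script below reads log lines in this format and groups every registry hit by the CLSID it references, so a responder sees all the load points of one component at once and can spot a component that is wired into a loader but has no class registration in the log. The sample lines are copied from the log above; the mechanism labels and function names are this example's own wording.

```python
"""Added example: group AdwCleaner registry findings by the CLSID they reference."""
import re
from collections import defaultdict

# Constructed sample: a subset of the [Registry] lines from the log above.
SAMPLE_LOG = r"""
***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{537F4F0B-3542-4C7D-A3E5-CF121482696C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3D13C38F-A1DC-4D68-A6C8-5944CD574C72}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473B6BD-4691-4744-A82B-7854EB3D70B6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentControl_v2 Toolbar
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7473B6BD-4691-4744-A82B-7854EB3D70B6}]
"""

ENTRY_RE = re.compile(r"^(Key|Value) (Found|Deleted) : (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Registry locations a browser add-on uses to get loaded or to avoid prompts.
# Patterns run against the full path; the labels are this example's own wording.
MECHANISMS = (
    (r"Explorer\\Browser Helper Objects\\", "BHO (DLL loaded into every Internet Explorer process)"),
    (r"Internet Explorer\\URLSearchHooks", "URLSearchHook (sees every address-bar search)"),
    (r"Internet Explorer\\Toolbar", "IE toolbar band"),
    (r"Low Rights\\ElevationPolicy\\", "Protected Mode elevation policy entry"),
    (r"CurrentVersion\\Ext\\PreApproved\\", "IE add-on pre-approval (no enable prompt)"),
    (r"CurrentVersion\\Ext\\(Settings|Stats)\\", "IE add-on settings/stats"),
    (r"Classes\\CLSID\\", "COM class registration"),
    (r"CurrentVersion\\Uninstall\\", "Add/Remove Programs entry"),
)
# Mechanisms that actually cause code to be loaded, as opposed to bookkeeping.
LOADERS = {
    "BHO (DLL loaded into every Internet Explorer process)",
    "URLSearchHook (sees every address-bar search)",
    "IE toolbar band",
}


def classify(path):
    """Every mechanism label whose pattern matches this registry path."""
    return [label for pat, label in MECHANISMS if re.search(pat, path, re.I)]


def correlate(log_text):
    """Map each CLSID to the mechanisms it appears under; collect CLSID-less hits."""
    by_clsid = defaultdict(set)
    other = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = m.group(3)
        labels = classify(path)
        ids = {c.upper() for c in CLSID_RE.findall(path)}
        if not ids:
            other.append((path, labels))
            continue
        for clsid in ids:
            by_clsid[clsid].update(labels)
            if re.search(r"Classes\\CLSID\\", path, re.I):
                # Wow6432Node is the 32-bit registry view on 64-bit Windows
                view = "32-bit" if "Wow6432Node" in path else "64-bit"
                by_clsid[clsid].add(f"class registered in {view} view")
    return {c: sorted(v) for c, v in by_clsid.items()}, other


def loaded_without_class(by_clsid):
    """CLSIDs wired into a loader but with no class registration in the log."""
    return sorted(
        c for c, labels in by_clsid.items()
        if LOADERS & set(labels) and "COM class registration" not in labels
    )


if __name__ == "__main__":
    grouped, rest = correlate(SAMPLE_LOG)
    for clsid, labels in grouped.items():
        print(clsid)
        for label in labels:
            print("   ", label)
    for path, labels in rest:
        print("no CLSID:", path, labels)
    print("loaders with no class in log:", loaded_without_class(grouped))
```

A CLSID that loaded_without_class() reports is worth a manual look: either the class is still registered and the DLL will keep loading, or the loader entry was an orphan. The 32-bit view note matters on a 64-bit Windows 7 box like this one because a class present only under Wow6432Node loads only in the 32-bit iexplore.exe.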

#11 Oh My!

Posted 28 November 2012 - 10:38 AM

Hi topeira,

Very nice!

Let's try to delete the registry keys now. Please do this for me.


===================================================


Deleting Registry Keys

-------------------

  • Go to Start > Run (or if no "Run", enter in the search bar) and type in Notepad
  • Copy/paste the following text inside the code box into a new notepad document.

    @echo off
    swreg null delete HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}
    swreg null delete HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt\O(uכ_f3*N}hQט‏c
    rem the value name contains a space, so it must be quoted
    swreg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "FlashGet 3"
    cls
    rem list what is left under MenuExt so the result can be posted
    Reg Query "HKEY_USERS\S-1-5-21-2125334614-2051078435-2691333662-1001\Software\Microsoft\Internet Explorer\MenuExt" > C:\query.txt
    Notepad C:\query.txt
    rem the batch file deletes itself when done
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat.
  • Click Save.
  • Double click fix.bat and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.
  • A query.txt should open on your desktop (it is also in your C:\ directory). Copy and paste the contents in your reply
  • Reboot your computer

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Contents of query.txt
  • Are you experiencing any issues?

Gary
 

#12 topeira

Posted 28 November 2012 - 10:48 AM

No luck, buddy.

I got "access denied" again.

(Though I will admit that I haven't restarted since the last post.)

#13 Oh My!

Posted 28 November 2012 - 10:57 AM

You need to restart first.
Gary
 

#14 topeira

Posted 28 November 2012 - 11:19 AM

Oh bugger.
I restarted and STILL got "access is denied" :(

#15 Oh My!

Posted 28 November 2012 - 12:14 PM

Hi topeira,

Please return to Post #9 and rerun MiniRegTool again. However, this time don't select Unlock but instead check the Delete Keys/Values including Locked/Null embedded radio button. Press Go then post the results.
Gary
 



