Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: German authorities identify REvil and GangCrab ransomware bosses

Featured Deal: Protect up to 9 devices from ads and tracking for just $16 in this AdGuard deal

Latest Buyer's Guide: Best VPNs in 2025

All searches get Hijacked.

Started by Happyjoe , Dec 15 2012 05:47 PM

Next

This topic is locked

21 replies to this topic

#1 Happyjoe

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 15 December 2012 - 05:47 PM

Every search I do gets hijacked Following instructions from robocop321, I have done the following;

Downloaded Security Check and ran it and posted results.

Downloaded Farbar Service Scanner and ran it and posted results.

Downloaded MiniToolBox and posted results.

Ran Malwarebytes'Pro and posted resultd.

Tried to run TFC and AwCleaner but they both totally locked the computer. Locked the computer when I hit run on both programs. I tried several times

with same results.

Hoping this correct way to post prig post. "I have picked up a redirect virus on searches. All searches get redirected XP pro:

Before today I ran Spybot search and destroy.

Next is the log from following "This Guide".

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Jim at 16:39:43 on 2012-12-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.996 [GMT -6:00]
.
AV: BitDefender Antivirus *Disabled/Outdated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Link\AirPremier AG DWL-AG530 Utility\AirPMCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k LocalServic

Instructions were to Zip the 2nd log. I sorry but I don't know how to do that.

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 gringo_pr

Bleepin Gringo

Malware Response Team
136,773 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:09:28 PM

Posted 15 December 2012 - 06:02 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller or from here
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator to start"
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller+

Gringo

Proud Graduate Of Malware Removal University

Back to top

#3 Happyjoe

Topic Starter

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 16 December 2012 - 10:02 AM

Thanks very much for your help. It is greatly appreciated.

I've never done backups before. Do I need to copy email...using MSN paid, and Pcasa? I don't know anything else to backup.

Back to top

#4 Happyjoe

Topic Starter

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 16 December 2012 - 10:25 AM

checkup.txt
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
BitDefender Antivirus
Microsoft Security Essentials
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
ThreatFire
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 34
Java 7 Update 7
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader XI
Mozilla Firefox (17.0.1)
Google Chrome 22.0.1229.96
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
ThreatFire TFTray.exe
ThreatFire TFService.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 9%
````````````````````End of Log``````````````````````
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
BitDefender Antivirus
Microsoft Security Essentials
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
ThreatFire
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 34
Java 7 Update 7
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader XI
Mozilla Firefox (17.0.1)
Google Chrome 22.0.1229.96
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
ThreatFire TFTray.exe
ThreatFire TFService.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 9%
````````````````````End of Log``````````````````````

cannot locate Watch Topic.....

Back to top

#5 gringo_pr

Bleepin Gringo

Malware Response Team
136,773 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:09:28 PM

Posted 16 December 2012 - 12:52 PM

Hello

the watch topic is right above your first post on the right hand side

there is two other tools i asked you to run - did you get to run them?

Proud Graduate Of Malware Removal University

Back to top

#6 Happyjoe

Topic Starter

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 16 December 2012 - 01:21 PM

OK on watch

As posted ran Ckup with no problems.

After downloading when I tried to run AdwCleaner the computer locked up and required a manual reboot/start.

Will try RogueKiller now.

RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Jim [Admin rights]
Mode : Remove -- Date : 12/16/2012 12:26:28

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x806240F6 -> HOOKED (TfSysMon.sys @ 0xB9E91A1C)
SSDT[63] : NtDeleteKey @ 0x80624592 -> HOOKED (TfSysMon.sys @ 0xB9E91C10)
SSDT[65] : NtDeleteValueKey @ 0x80624762 -> HOOKED (TfSysMon.sys @ 0xB9E91CB6)
SSDT[119] : NtOpenKey @ 0x806254D4 -> HOOKED (TfSysMon.sys @ 0xB9E9190C)
SSDT[247] : NtSetValueKey @ 0x80622668 -> HOOKED (TfSysMon.sys @ 0xB9E91E52)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (TfSysMon.sys @ 0xB9E93B30)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500AAJS-00L7A0 +++++
--- User ---
[MBR] fab57ed85026b5b8bff02a9e6f7b2d00
[BSP] f23b7f272c430cb950a1c7cac7b730fe : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 14 | Size: 238474 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Canon MX860 series USB Device +++++
--- User ---
[MBR] b1c908c2b3de691f5367731115b80f5a
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 245 | Size: 976 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_12162012_02d1226.txt >>
RKreport[1]_S_12162012_02d1225.txt ; RKreport[2]_D_12162012_02d1226.txt

Back to top

#7 gringo_pr

Bleepin Gringo

Malware Response Team
136,773 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:09:28 PM

Posted 16 December 2012 - 02:05 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

Proud Graduate Of Malware Removal University

Back to top

#8 Happyjoe

Topic Starter

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 16 December 2012 - 04:06 PM

Searches still rerouted. Starting Combofix next few min.

Back to top

#9 gringo_pr

Bleepin Gringo

Malware Response Team
136,773 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:09:28 PM

Posted 16 December 2012 - 05:23 PM

Proud Graduate Of Malware Removal University

Back to top

#10 Happyjoe

Topic Starter

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 16 December 2012 - 06:02 PM

ComboFix 12-12-14.01 - Jim 12/16/2012 15:43:52.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1156 [GMT -6:00]
Running from: c:\documents and settings\Jim\My Documents\Downloads\ComboFix.exe
AV: BitDefender Antivirus *Disabled/Outdated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\_000006_.tmp.dll
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-11-16 to 2012-12-16 )))))))))))))))))))))))))))))))
.
.
2012-12-16 18:08 . 2012-12-16 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2012-12-16 18:08 . 2012-12-16 18:08 -------- d-----w- c:\program files\McAfee Security Scan
2012-12-16 18:07 . 2012-09-25 05:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-15 14:43 . 2012-12-15 14:43 -------- d-----w- c:\program files\ESET
2012-12-15 14:08 . 2012-12-15 14:08 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-27 13:10 . 2012-11-27 13:10 -------- d-----w- c:\documents and settings\Jim\Application Data\PC Utility Kit
2012-11-27 13:10 . 2012-11-27 13:10 -------- d-----w- c:\program files\Common Files\PC Utility Kit
2012-11-27 13:09 . 2012-11-27 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Utility Kit
2012-11-27 13:09 . 2012-11-27 13:09 -------- d-----w- c:\program files\PC Utility Kit
2012-11-23 17:48 . 2012-12-12 13:31 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-11-22 18:35 . 2012-11-22 18:35 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Flickr
2012-11-22 18:35 . 2012-11-22 18:35 -------- d-----w- c:\documents and settings\Jim\Application Data\Flickr
2012-11-21 15:37 . 2012-11-25 14:33 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\AskToolbar
2012-11-21 15:35 . 2012-11-21 15:35 -------- d-----w- c:\program files\Ask.com
2012-11-19 14:32 . 2012-11-19 14:36 -------- d-----w- c:\program files\Inbox Toolbar
2012-11-19 14:16 . 2012-11-19 14:17 -------- d-----w- c:\program files\Common Files\Adobe
2012-11-19 13:15 . 2012-11-19 13:15 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 20:45 . 2012-08-18 12:06 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 20:45 . 2011-07-23 17:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 20:45 . 2012-09-21 07:45 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-11-13 01:25 . 2008-04-14 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41 . 2008-04-14 11:39 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2008-04-14 11:41 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 11:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 12:17 . 2008-04-14 11:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 11:41 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 00:35 . 2008-04-14 06:07 385024 ------w- c:\windows\system32\html.iec
2012-10-28 05:01 . 2012-10-28 05:02 4588344 ----a-w- c:\windows\uninst.exe
2012-10-18 23:24 . 2012-10-18 23:22 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-10-02 18:04 . 2008-04-14 11:42 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 01:54 . 2012-05-02 09:28 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-20 10:43 . 2012-08-18 11:27 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-20 10:43 . 2010-09-21 00:07 746984 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-29 23:40 . 2010-03-29 23:40 100256 ----a-w- c:\program files\Common Files\LinkInstaller.exe
2012-12-05 01:44 . 2012-12-05 01:44 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-08-09 00:15 1527496 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-08-09 1527496]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-08-09 1527496]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-29 620376]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-11-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-09-20 19523616]
"D-Link AirPremier AG DWL-AG530 Utility"="c:\program files\D-Link\AirPremier AG DWL-AG530 Utility\AirPMCFG.exe" [2007-07-13 1720320]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-09-20 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-09-20 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-09-20 142360]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-06-22 296056]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-08-09 1644744]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/20/2010 5:36 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/20/2010 5:36 PM 59664]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [9/20/2010 4:44 PM 11448]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/14/2012 5:19 PM 399432]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/20/2010 5:36 PM 33552]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [1/21/2012 11:55 AM 497496]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/2/2012 3:28 AM 676936]
S2 RadioRage_4jService;RadioRageService;c:\progra~1\RADIOR~2\bar\1.bin\4jbarsvc.exe --> c:\progra~1\RADIOR~2\bar\1.bin\4jbarsvc.exe [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [9/20/2010 5:22 PM 547744]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/20/2010 4:24 PM 1691480]
S3 jswimd;jswimd Service;c:\windows\system32\DRIVERS\jswimd.sys --> c:\windows\system32\DRIVERS\jswimd.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/18/2012 5:22 PM 32072]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/2/2012 3:28 AM 22856]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [9/3/2010 12:45 AM 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 20:45]
.
2012-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-06 14:15]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-06 14:15]
.
2012-12-16 c:\windows\Tasks\PC Utility Kit Registration3.job
- c:\program files\Common Files\PC Utility Kit\UUS3\UUS3.dll [2012-03-27 19:30]
.
2012-12-14 c:\windows\Tasks\PC Utility Kit Update3.job
- c:\program files\Common Files\PC Utility Kit\UUS3\Update3.exe [2012-03-27 19:30]
.
2012-12-16 c:\windows\Tasks\PC Utility Kit.job
- c:\program files\PC Utility Kit\PC Utility Kit\pcutilitykit.exe [2012-11-29 21:15]
.
2012-12-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-527237240-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-12-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-527237240-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-12-16 c:\windows\Tasks\User_Feed_Synchronization-{3F21ED5A-86A3-46A6-BBC9-B7635D4981C9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
2012-12-16 c:\windows\Tasks\Zblyc.job
- c:\windows\system32\rsvpspc.dll [2012-10-27 21:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 64.71.219.3 64.71.208.7
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\gof2v5bh.default\
FF - ExtSQL: 2012-10-30 10:55; ffxtlbr@babylon.com; c:\program files\Mozilla Firefox\extensions\ffxtlbr@babylon.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-16 15:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
.
- - - - - - - > 'lsass.exe'(724)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2012-12-16 16:02:26
ComboFix-quarantined-files.txt 2012-12-16 22:02
ComboFix2.txt 2012-11-16 12:56
ComboFix3.txt 2012-11-09 14:07
ComboFix4.txt 2012-11-06 23:17
ComboFix5.txt 2012-12-16 21:40
.
Pre-Run: 214,762,541,056 bytes free
Post-Run: 214,852,759,552 bytes free
.
- - End Of File - - 4DE3CD9AB642E0EEA940F9F7878B444C

It appears to be corrected!!!!!! Yea! Ran searches on the 4 browsers I use and the all searched with NO redirects. IE, Opera, Firefox, and Google C.

What do I need to do next, if anything? Will open what security I have now, and will certainly add some programs.

Edited by Happyjoe, 16 December 2012 - 06:05 PM.

Back to top

#11 gringo_pr

Bleepin Gringo

Malware Response Team
136,773 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:09:28 PM

Posted 16 December 2012 - 08:46 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\documents and settings\Jim\Application Data\PC Utility Kit
c:\program files\Common Files\PC Utility Kit
c:\documents and settings\All Users\Application Data\PC Utility Kit
c:\program files\PC Utility Kit
c:\documents and settings\Jim\Local Settings\Application Data\AskToolbar
c:\program files\Ask.com
c:\program files\Inbox Toolbar

File::
c:\windows\Tasks\PC Utility Kit Registration3.job
c:\windows\Tasks\PC Utility Kit Update3.job
c:\windows\Tasks\PC Utility Kit.job
c:\windows\Tasks\Zblyc.job
c:\windows\system32\rsvpspc.dll

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

Proud Graduate Of Malware Removal University

Back to top

#12 Happyjoe

Topic Starter

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 17 December 2012 - 01:16 PM

ComboFix 12-12-17.02 - Jim 12/17/2012 11:37:18.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1141 [GMT -6:00]
Running from: c:\documents and settings\Jim\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Jim\Desktop\CFScript.txt
AV: BitDefender Antivirus *Disabled/Outdated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
FILE ::
"c:\windows\system32\rsvpspc.dll"
"c:\windows\Tasks\PC Utility Kit Registration3.job"
"c:\windows\Tasks\PC Utility Kit Update3.job"
"c:\windows\Tasks\PC Utility Kit.job"
"c:\windows\Tasks\Zblyc.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\PC Utility Kit
c:\documents and settings\All Users\Application Data\PC Utility Kit\PC Utility Kit\dc_db.db
c:\documents and settings\All Users\Application Data\PC Utility Kit\UUS3\Master.xml
c:\documents and settings\All Users\Application Data\PC Utility Kit\UUS3\Patch.xml
c:\documents and settings\All Users\Application Data\PC Utility Kit\UUS3\pcutilitykit\Database.xml
c:\documents and settings\All Users\Application Data\PC Utility Kit\UUS3\pcutilitykit\Master.xml
c:\documents and settings\All Users\Application Data\PC Utility Kit\UUS3\pcutilitykit\Patch.xml
c:\documents and settings\All Users\Application Data\PC Utility Kit\UUS3\pcutilitykit\Update.xml
c:\documents and settings\All Users\Application Data\PC Utility Kit\UUS3\Update.xml
c:\documents and settings\Jim\Application Data\PC Utility Kit
c:\documents and settings\Jim\Local Settings\Application Data\AskToolbar
c:\documents and settings\Jim\Local Settings\Application Data\AskToolbar\APNU\config.xml
c:\documents and settings\Jim\Local Settings\Application Data\AskToolbar\cache.dat
c:\documents and settings\Jim\Local Settings\Application Data\AskToolbar\config.xml
c:\program files\Ask.com
c:\program files\Ask.com\assets\oobe\b.png
c:\program files\Ask.com\assets\oobe\bl.png
c:\program files\Ask.com\assets\oobe\br.png
c:\program files\Ask.com\assets\oobe\l.png
c:\program files\Ask.com\assets\oobe\pointer.png
c:\program files\Ask.com\assets\oobe\r.png
c:\program files\Ask.com\assets\oobe\t.png
c:\program files\Ask.com\assets\oobe\tl.png
c:\program files\Ask.com\assets\oobe\tr.png
c:\program files\Ask.com\cb_1d1.ico
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_1ce.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\precache.exe
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\Updater\config.xml
c:\program files\Ask.com\Updater\Updater.exe
c:\program files\Ask.com\UpdateTask.exe
c:\program files\Common Files\PC Utility Kit
c:\program files\Common Files\PC Utility Kit\UUS3\Images\close.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\close_md.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\close_mo.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\close_pu.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\close_pu_md.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\close_pu_mo.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\Logo.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\min.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\min_md.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\min_mo.png
c:\program files\Common Files\PC Utility Kit\UUS3\Images\topbar_gradient.png
c:\program files\Common Files\PC Utility Kit\UUS3\LiteUnzip.dll
c:\program files\Common Files\PC Utility Kit\UUS3\settings.xml
c:\program files\Common Files\PC Utility Kit\UUS3\Update3.exe
c:\program files\Common Files\PC Utility Kit\UUS3\UUS3.dll
c:\program files\Inbox Toolbar
c:\program files\PC Utility Kit
c:\program files\PC Utility Kit\PC Utility Kit\7ZipDLL.dll
c:\program files\PC Utility Kit\PC Utility Kit\colors.xml
c:\program files\PC Utility Kit\PC Utility Kit\CommonLoggingExtension.pxt
c:\program files\PC Utility Kit\PC Utility Kit\CommonSpecialist.pxt
c:\program files\PC Utility Kit\PC Utility Kit\ExtensionManager.dll
c:\program files\PC Utility Kit\PC Utility Kit\filecachedb.xml
c:\program files\PC Utility Kit\PC Utility Kit\HandleUpdate.dll
c:\program files\PC Utility Kit\PC Utility Kit\HTML\0_days.htm
c:\program files\PC Utility Kit\PC Utility Kit\HTML\1_days.htm
c:\program files\PC Utility Kit\PC Utility Kit\HTML\15_days.htm
c:\program files\PC Utility Kit\PC Utility Kit\HTML\2_days.htm
c:\program files\PC Utility Kit\PC Utility Kit\HTML\30_days.htm
c:\program files\PC Utility Kit\PC Utility Kit\HTML\5_days.htm
c:\program files\PC Utility Kit\PC Utility Kit\HTML\container_content_bkimg.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\container_content_leftimg.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\container_content_rightimg.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\error_connect.html
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\10x10.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\10x10tile.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\background.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\contentwrapper.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\error_internet.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\footerbarfill.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\info_bubble.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\tile_footerbarbase.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\tile_subheadbarbase.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\images\tile_titlebarbase.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\main.css
c:\program files\PC Utility Kit\PC Utility Kit\HTML\main_error.css
c:\program files\PC Utility Kit\PC Utility Kit\HTML\package_titlebar_bkimg.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\uninstall\box_screen.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\uninstall\default_button.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\uninstall\default_button_over.gif
c:\program files\PC Utility Kit\PC Utility Kit\HTML\uninstall\header_background.jpg
c:\program files\PC Utility Kit\PC Utility Kit\HTML\uninstall\index.html
c:\program files\PC Utility Kit\PC Utility Kit\Images\Audio\cancel.wav
c:\program files\PC Utility Kit\PC Utility Kit\Images\Audio\complete.wav
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\btn.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\btn_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_bho.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_defrag.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_file.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_generalsettings.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_ignore.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_junk.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_privacy.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_process.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_registry.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_schedule.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\button_startup.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\register.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\register_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\register_over_small.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\register_small.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\renew.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\renew_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\settings_button.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\settings_button_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\start.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\buttons\start_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\defrag\c_empty.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\defrag\c_frag.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\defrag\c_unfrag.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\defrag\c_unknown.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\defrag\c_unmove.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\close.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\dlg_title.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\logo.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\max.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\min.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\register.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\register_close.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\register_close_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\register_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\renew.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\renew_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\restore.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\tab_bg.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\tabactive_bg.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\tabover_bg.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\tfn_bg.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\tfn_logo.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\title_bar.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Frame\upper_divider.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\general\collapse.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\general\delete.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\general\expand.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\general\progress_glow.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\bho.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\dup_audio.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\dup_doc.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\dup_image.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\dup_other.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\dup_video.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\ig_drivers.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\ig_proc.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\ig_reg.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\junk.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_3rd.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_browser.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_email.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_fs.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_im.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_multi.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_office.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_other.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\priv_windows.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_apppath.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_com.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_dll.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_empty.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_extensions.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_filepath.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_font.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_help.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_shortcut.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_startup.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\reg_uninstall.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\group\startup.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_about.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_bho.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_clean.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_defrag.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_file.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_junk.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_junk_settings.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_malware.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_performance.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_privacy.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_process.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_registry.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_restore.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_settings.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_startup.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\header_tools.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\settings_general.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\settings_ignore.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\settings_privacy.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\settings_registry.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\headers\settings_schedule.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Icons\info.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Icons\warning.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\other.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\process\bho.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\process\process.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\process\startup.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_malware16.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_malware24.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_malware32.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_system16.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_system24.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_system32.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_unknown16.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_unknown24.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_unknown32.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_unwanted16.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_unwanted24.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_unwanted32.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_userapp16.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_userapp24.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\list\recommendations\rec_userapp32.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\011.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\012.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\01.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\02.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\03.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\04.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\05.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\06.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\07.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\08.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\animation\09.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\check.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\damage1.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\damage2.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\damage3.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\damage4.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\damage5.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\damage6.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\error.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\error_large.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\Fix.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\Fix_over.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\junk.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\malware.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\md5.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\privacy.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\process-animation copy.gif
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\process-animation.gif
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_h.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_h_scan.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_l.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_l_scan.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_m.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_m_scan.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_mh.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_mh_scan.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_ml.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\rating_ml_scan.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\registry.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\security_high.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\security_low.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Scan\warning.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Tabs\overview.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Tabs\restore.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Tabs\scan.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Tabs\settings.png
c:\program files\PC Utility Kit\PC Utility Kit\Images\Tabs\tools.png
c:\program files\PC Utility Kit\PC Utility Kit\LiteUnzip.dll
c:\program files\PC Utility Kit\PC Utility Kit\LiteZip.dll
c:\program files\PC Utility Kit\PC Utility Kit\LogSettings.xml
c:\program files\PC Utility Kit\PC Utility Kit\MyResources.dll
c:\program files\PC Utility Kit\PC Utility Kit\pcutilitykit.exe
c:\program files\PC Utility Kit\PC Utility Kit\privacy.db
c:\program files\PC Utility Kit\PC Utility Kit\RegHookSpecialist.pxt
c:\program files\PC Utility Kit\PC Utility Kit\SandBoxer.dll
c:\program files\PC Utility Kit\PC Utility Kit\settings.xml
c:\program files\PC Utility Kit\PC Utility Kit\sqlite3.dll
c:\program files\PC Utility Kit\PC Utility Kit\tfn.xml
c:\program files\PC Utility Kit\PC Utility Kit\uninstall.exe
c:\program files\PC Utility Kit\PC Utility Kit\UNS.xml
c:\program files\PC Utility Kit\PC Utility Kit\Utility.pxt
c:\program files\PC Utility Kit\PC Utility Kit\whitelist.dat
c:\windows\system32\rsvpspc.dll
c:\windows\Tasks\PC Utility Kit Registration3.job
c:\windows\Tasks\PC Utility Kit Update3.job
c:\windows\Tasks\PC Utility Kit.job
c:\windows\Tasks\Zblyc.job
.
.
((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
.
.
2012-12-17 17:15 . 2012-12-17 17:34 -------- d-----w- C:\32788R22FWJFW
2012-12-16 23:25 . 2012-12-16 23:25 -------- d-----w- c:\windows\LastGood
2012-12-16 18:08 . 2012-12-16 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2012-12-16 18:08 . 2012-12-16 18:08 -------- d-----w- c:\program files\McAfee Security Scan
2012-12-16 18:07 . 2012-09-25 05:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-15 14:43 . 2012-12-15 14:43 -------- d-----w- c:\program files\ESET
2012-11-23 17:48 . 2012-12-12 13:31 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-11-22 18:35 . 2012-11-22 18:35 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Flickr
2012-11-22 18:35 . 2012-11-22 18:35 -------- d-----w- c:\documents and settings\Jim\Application Data\Flickr
2012-11-19 14:16 . 2012-11-19 14:17 -------- d-----w- c:\program files\Common Files\Adobe
2012-11-19 13:15 . 2012-11-19 13:15 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 20:45 . 2012-08-18 12:06 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 20:45 . 2011-07-23 17:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 20:45 . 2012-09-21 07:45 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-11-13 01:25 . 2008-04-14 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41 . 2008-04-14 11:39 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2008-04-14 11:41 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 11:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 12:17 . 2008-04-14 11:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 11:41 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 00:35 . 2008-04-14 06:07 385024 ------w- c:\windows\system32\html.iec
2012-10-28 05:01 . 2012-10-28 05:02 4588344 ----a-w- c:\windows\uninst.exe
2012-10-18 23:24 . 2012-10-18 23:22 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-10-02 18:04 . 2008-04-14 11:42 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 01:54 . 2012-05-02 09:28 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-20 10:43 . 2012-08-18 11:27 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-20 10:43 . 2010-09-21 00:07 746984 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-29 23:40 . 2010-03-29 23:40 100256 ----a-w- c:\program files\Common Files\LinkInstaller.exe
2012-12-05 01:44 . 2012-12-05 01:44 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-29 620376]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-11-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-09-20 19523616]
"D-Link AirPremier AG DWL-AG530 Utility"="c:\program files\D-Link\AirPremier AG DWL-AG530 Utility\AirPMCFG.exe" [2007-07-13 1720320]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-09-20 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-09-20 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-09-20 142360]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-06-22 296056]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/20/2010 5:36 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/20/2010 5:36 PM 59664]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [9/20/2010 4:44 PM 11448]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/14/2012 5:19 PM 399432]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/20/2010 5:36 PM 33552]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [1/21/2012 11:55 AM 497496]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/2/2012 3:28 AM 676936]
S2 RadioRage_4jService;RadioRageService;c:\progra~1\RADIOR~2\bar\1.bin\4jbarsvc.exe --> c:\progra~1\RADIOR~2\bar\1.bin\4jbarsvc.exe [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [9/20/2010 5:22 PM 547744]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/20/2010 4:24 PM 1691480]
S3 jswimd;jswimd Service;c:\windows\system32\DRIVERS\jswimd.sys --> c:\windows\system32\DRIVERS\jswimd.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [10/18/2012 5:22 PM 32072]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/2/2012 3:28 AM 22856]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [9/3/2010 12:45 AM 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HTTPFILTER
*NewlyCreated* - MPKSLDB60BF7D
*Deregistered* - MpKsldb60bf7d
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 20:45]
.
2012-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-06 14:15]
.
2012-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-06 14:15]
.
2012-12-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-527237240-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-12-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-527237240-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-12-17 c:\windows\Tasks\User_Feed_Synchronization-{3F21ED5A-86A3-46A6-BBC9-B7635D4981C9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 64.71.219.3 64.71.208.7
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\gof2v5bh.default\
FF - ExtSQL: 2012-10-30 10:55; ffxtlbr@babylon.com; c:\program files\Mozilla Firefox\extensions\ffxtlbr@babylon.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
AddRemove-{106DADAD-B062-4de5-8D1F-3FD2AD195E49} - c:\program files\PC Utility Kit\PC Utility Kit\uninstall.exe
AddRemove-{79A765E1-C399-405B-85AF-466F52E918B0} - c:\program files\Ask.com\Updater\Updater.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-17 11:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
.
- - - - - - - > 'lsass.exe'(724)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2012-12-17 12:03:15
ComboFix-quarantined-files.txt 2012-12-17 18:03
ComboFix2.txt 2012-12-16 22:02
ComboFix3.txt 2012-11-16 12:56
ComboFix4.txt 2012-11-09 14:07
ComboFix5.txt 2012-12-17 17:34
.
Pre-Run: 214,611,525,632 bytes free
Post-Run: 214,679,851,008 bytes free
.
- - End Of File - - CC3EA2D8531801B41846845C9EBE8F33

Combofix and CFScript merged and ran with no problems.

I had to totally remove Micro Security Essentials to turn it off. I couldn't find any other way to do it. Will reload now as well as opening what's currenyly installed.

Thanks again, I envy your knowledge.

Back to top

#13 gringo_pr

Bleepin Gringo

Malware Response Team
136,773 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:09:28 PM

Posted 17 December 2012 - 01:51 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

click ok

copy and paste the report into this topic for me to review

Gringo

Proud Graduate Of Malware Removal University

Back to top

#14 Happyjoe

Topic Starter

Members
25 posts
OFFLINE

Gender:Male
Location:South Cen Kansas
Local time:07:28 PM

Posted 17 December 2012 - 04:32 PM

C:\Qoobox\Add-Remove Programs.txt

3DVIA player 5.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI
Advanced SystemCare 5
AirPremier AG DWL-AG530 Utility
ANIO Service
ANIWZCS2 Service
Apple Application Support
Apple Software Update
Ask Toolbar
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
Canon MX860 series MP Drivers
Canon MX860 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Gadwin PrintScreen
Google Chrome
Google Chrome Frame
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
ieSpell
Intel® Graphics Media Accelerator Driver
Internet Explorer (Enable DEP)
Java 7 Update 9
Java Auto Updater
Java™ 6 Update 34
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft XML Parser
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
MSN
OpenOffice.org 3.2
Opera 12.11
PC Utility Kit
Picasa 3
RadioRage
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
Silicon Laboratories USBXpress Device (Driver Removal)
Spybot - Search & Destroy
Support.com Toolbar Updater
ThreatFire
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
VPLive (remove only)
WD Diagnostics
WeatherLink 5.9.3
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
WiseFixer 3.5
Yahoo! Install Manager

Back to top

#15 gringo_pr

Bleepin Gringo

Malware Response Team
136,773 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:09:28 PM

Posted 17 December 2012 - 05:36 PM

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

Ask Toolbar
Java™ 6 Update 34
[/list]

Please download and install Revo Uninstaller Free
Double click Revo Uninstaller to run it.
From the list of programs double click on The Program to remove
When prompted if you want to uninstall click Yes.
Be sure the Moderate option is selected then click Next.
The program will run, If prompted again click Yes
when the built-in uninstaller is finished click on Next.
Once the program has searched for leftovers click Next.
Check/tick the bolded items only on the list then click Delete
when prompted click on Yes and then on next.
put a check on any folders that are found and select delete
when prompted select yes then on next
Once done click Finish.

.

Install Java:

Please go here to install Java

click on the Free Java Download Button
click on Agree and start Free download
click on Run
click on run again
click on install
when install is complete click on close

Clean Out Temp Files

This small application you may want to keep and use once a week to keep the computer clean.

Download CCleaner from here http://www.ccleaner.com/
Run the installer to install the application.
When it gives you the option to install Yahoo toolbar uncheck the box next to it.
Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
Click Run Cleaner.
Close CCleaner.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM
Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

Proud Graduate Of Malware Removal University