System Restore Error, Windows Firewall Error and a bunch of viruses


65 replies to this topic

#1 seethis

Posted 18 December 2012 - 09:28 PM

So my laptop has a bunch of problems. It started out as a virus infection, then I found more problems.

First of all, thank you to Broni for directing me to the thread that tells me to run DDS.

I can't run a System Restore. I get the 0x800700B7 error. As well, System Restore says that I've never had a System Restore done before, which I think is odd, because I recall seeing System Restore points created the last time I checked (maybe a year ago?).

I also can't turn on Windows Firewall. I get the "Windows can't start the Mpssvc" message.

Here's my Avira log:

Avira Free Antivirus
Report file date: December-17-12 18:09


The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows ™ Vista Home Premium
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : me
Computer name : ME

Version information:
BUILD.DAT : 13.0.0.2890 Bytes 05/12/2012 17:18:00
AVSCAN.EXE : 13.6.0.402 639264 Bytes 11/12/2012 14:42:33
AVSCANRC.DLL : 13.4.0.360 54560 Bytes 11/12/2012 14:42:33
LUKE.DLL : 13.6.0.400 67360 Bytes 11/12/2012 14:43:12
AVSCPLR.DLL : 13.6.0.402 93984 Bytes 10/12/2012 14:41:39
AVREG.DLL : 13.6.0.406 248096 Bytes 10/12/2012 14:41:32
avlode.dll : 13.6.1.402 428832 Bytes 10/12/2012 14:41:41
avlode.rdf : 13.0.0.26 7958 Bytes 10/12/2012 14:41:40
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 22:50:29
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 22:50:31
VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 22:50:34
VBASE003.VDF : 7.11.21.238 4472832 Bytes 01/02/2012 22:50:36
VBASE004.VDF : 7.11.26.44 4329472 Bytes 28/03/2012 22:50:37
VBASE005.VDF : 7.11.34.116 4034048 Bytes 29/06/2012 22:42:40
VBASE006.VDF : 7.11.41.250 4902400 Bytes 06/09/2012 22:42:40
VBASE007.VDF : 7.11.50.230 3904512 Bytes 22/11/2012 16:22:27
VBASE008.VDF : 7.11.50.231 2048 Bytes 22/11/2012 16:22:28
VBASE009.VDF : 7.11.50.232 2048 Bytes 22/11/2012 16:22:28
VBASE010.VDF : 7.11.50.233 2048 Bytes 22/11/2012 16:22:28
VBASE011.VDF : 7.11.50.234 2048 Bytes 22/11/2012 16:22:29
VBASE012.VDF : 7.11.50.235 2048 Bytes 22/11/2012 16:22:30
VBASE013.VDF : 7.11.50.236 2048 Bytes 22/11/2012 16:22:31
VBASE014.VDF : 7.11.51.27 133632 Bytes 23/11/2012 05:13:50
VBASE015.VDF : 7.11.51.95 140288 Bytes 26/11/2012 17:12:11
VBASE016.VDF : 7.11.51.221 164352 Bytes 29/11/2012 15:48:18
VBASE017.VDF : 7.11.52.29 158208 Bytes 01/12/2012 16:02:20
VBASE018.VDF : 7.11.52.91 116736 Bytes 03/12/2012 22:20:46
VBASE019.VDF : 7.11.52.151 137728 Bytes 05/12/2012 07:36:25
VBASE020.VDF : 7.11.52.225 157696 Bytes 06/12/2012 20:52:11
VBASE021.VDF : 7.11.53.35 126976 Bytes 08/12/2012 20:40:45
VBASE022.VDF : 7.11.53.55 225792 Bytes 09/12/2012 20:41:17
VBASE023.VDF : 7.11.53.93 157184 Bytes 10/12/2012 20:44:33
VBASE024.VDF : 7.11.53.169 153088 Bytes 12/12/2012 21:08:40
VBASE025.VDF : 7.11.53.237 152064 Bytes 14/12/2012 06:59:41
VBASE026.VDF : 7.11.54.23 149504 Bytes 17/12/2012 16:04:28
VBASE027.VDF : 7.11.54.24 2048 Bytes 17/12/2012 16:04:28
VBASE028.VDF : 7.11.54.25 2048 Bytes 17/12/2012 16:04:28
VBASE029.VDF : 7.11.54.26 2048 Bytes 17/12/2012 16:04:28
VBASE030.VDF : 7.11.54.27 2048 Bytes 17/12/2012 16:04:28
VBASE031.VDF : 7.11.54.40 15360 Bytes 17/12/2012 22:03:37
Engine version : 8.2.10.222
AEVDF.DLL : 8.1.2.10 102772 Bytes 19/09/2012 22:42:55
AESCRIPT.DLL : 8.1.4.76 467324 Bytes 13/12/2012 14:59:53
AESCN.DLL : 8.1.10.0 131445 Bytes 13/12/2012 14:59:51
AESBX.DLL : 8.2.5.12 606578 Bytes 29/08/2012 00:58:06
AERDL.DLL : 8.2.0.74 643445 Bytes 07/11/2012 16:31:21
AEPACK.DLL : 8.3.1.0 819574 Bytes 13/12/2012 14:59:51
AEOFFICE.DLL : 8.1.2.50 201084 Bytes 06/11/2012 03:01:43
AEHEUR.DLL : 8.1.4.160 5624184 Bytes 06/12/2012 20:52:23
AEHELP.DLL : 8.1.25.2 258423 Bytes 17/10/2012 03:31:46
AEGEN.DLL : 8.1.6.12 434549 Bytes 13/12/2012 14:59:48
AEEXP.DLL : 8.3.0.0 184692 Bytes 13/12/2012 14:59:53
AEEMU.DLL : 8.1.3.2 393587 Bytes 19/09/2012 22:42:55
AECORE.DLL : 8.1.30.0 201079 Bytes 13/12/2012 14:59:47
AEBB.DLL : 8.1.1.4 53619 Bytes 06/11/2012 03:01:10
AVWINLL.DLL : 13.4.0.163 25888 Bytes 20/09/2012 02:09:30
AVPREF.DLL : 13.4.0.360 50464 Bytes 11/12/2012 14:42:31
AVREP.DLL : 13.4.0.360 177952 Bytes 10/12/2012 14:41:38
AVARKT.DLL : 13.6.0.402 260384 Bytes 11/12/2012 14:42:22
AVEVTLOG.DLL : 13.6.0.400 167200 Bytes 11/12/2012 14:42:27
SQLITE3.DLL : 3.7.0.1 397088 Bytes 20/09/2012 02:17:40
AVSMTP.DLL : 13.4.0.163 62240 Bytes 20/09/2012 02:08:55
NETNT.DLL : 13.4.0.360 15648 Bytes 11/12/2012 14:43:13
RCIMAGE.DLL : 13.4.0.360 4782880 Bytes 11/12/2012 14:42:19
RCTEXT.DLL : 13.4.0.360 66336 Bytes 11/12/2012 14:42:19

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\program files (x86)\avira\antivir desktop\sysscan.avp
Reporting...........................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Limit recursion depth...............: 20
Smart extensions....................: on
Macrovirus heuristic................: on
File heuristic......................: extended
Deviating risk categories...........: +APPL,

Start of the scan: December-17-12 18:09

Starting master boot sector scan:

Start scanning boot sectors:

Starting search for hidden objects.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Apple Computer, Inc.
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\CloneAD
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\CyberLink
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\FGUpdate
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Google
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Hewlett-Packard
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication\Name
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetDriver
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Microsoft\RAS AutoDial
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\ODBC
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\PopCap
[NOTE] The registry entry is invisible.
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\TrendMicro
[NOTE] The registry entry is invisible.

The scan of running processes will be started:
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '64' Module(s) have been scanned
Scan process 'svchost.exe' - '119' Module(s) have been scanned
Scan process 'svchost.exe' - '151' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'SLsvc.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '89' Module(s) have been scanned
Scan process 'svchost.exe' - '95' Module(s) have been scanned
Scan process 'vpnagent.exe' - '67' Module(s) have been scanned
Scan process 'spoolsv.exe' - '96' Module(s) have been scanned
Scan process 'sched.exe' - '53' Module(s) have been scanned
Scan process 'Dwm.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '165' Module(s) have been scanned
Scan process 'HPKBDAPP.exe' - '33' Module(s) have been scanned
Scan process 'igfxtray.exe' - '23' Module(s) have been scanned
Scan process 'Apoint.exe' - '41' Module(s) have been scanned
Scan process 'BJMYPRT.EXE' - '23' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '47' Module(s) have been scanned
Scan process 'sidebar.exe' - '113' Module(s) have been scanned
Scan process 'Rainlendar2.exe' - '46' Module(s) have been scanned
Scan process 'LightScribeControlPanel.exe' - '36' Module(s) have been scanned
Scan process 'WiFiMsg.exe' - '40' Module(s) have been scanned
Scan process 'QPService.exe' - '108' Module(s) have been scanned
Scan process 'HPWAMain.exe' - '33' Module(s) have been scanned
Scan process 'HpqSRmon.exe' - '31' Module(s) have been scanned
Scan process 'concentr.exe' - '33' Module(s) have been scanned
Scan process 'avgtray.exe' - '44' Module(s) have been scanned
Scan process 'PlusService.exe' - '33' Module(s) have been scanned
Scan process 'vprot.exe' - '47' Module(s) have been scanned
Scan process 'avgnt.exe' - '81' Module(s) have been scanned
Scan process 'wfcrun32.exe' - '53' Module(s) have been scanned
Scan process 'ouc.exe' - '7' Module(s) have been scanned
Scan process 'WsftpCOMHelper.exe' - '58' Module(s) have been scanned
Scan process 'avguard.exe' - '75' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '69' Module(s) have been scanned
Scan process 'avgwdsvc.exe' - '49' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'HWDeviceService64.exe' - '34' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '27' Module(s) have been scanned
Scan process 'lxbvcoms.exe' - '40' Module(s) have been scanned
Scan process 'DCSHelper.exe' - '28' Module(s) have been scanned
Scan process 'avgnsa.exe' - '31' Module(s) have been scanned
Scan process 'avgchsva.exe' - '17' Module(s) have been scanned
Scan process 'avgrsa.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'NlsSrv32.exe' - '24' Module(s) have been scanned
Scan process 'NMSAccessU.exe' - '20' Module(s) have been scanned
Scan process 'pcpl.exe' - '21' Module(s) have been scanned
Scan process 'avgcsrva.exe' - '11' Module(s) have been scanned
Scan process 'PMBDeviceInfoProvider.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '22' Module(s) have been scanned
Scan process 'QPCapSvc.exe' - '82' Module(s) have been scanned
Scan process 'RichVideo.exe' - '26' Module(s) have been scanned
Scan process 'SeaPort.EXE' - '59' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '46' Module(s) have been scanned
Scan process 'ToolbarUpdater.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '7' Module(s) have been scanned
Scan process 'WLIDSVC.EXE' - '71' Module(s) have been scanned
Scan process 'avshadow.exe' - '31' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '65' Module(s) have been scanned
Scan process 'xaudio64.exe' - '14' Module(s) have been scanned
Scan process 'hpqwmiex.exe' - '36' Module(s) have been scanned
Scan process 'WLIDSvcM.exe' - '16' Module(s) have been scanned
Scan process 'QPSched.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '21' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '29' Module(s) have been scanned
Scan process 'ApMsgFwd.exe' - '21' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '94' Module(s) have been scanned
Scan process 'Apntex.exe' - '22' Module(s) have been scanned
Scan process 'HpqToaster.exe' - '30' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '38' Module(s) have been scanned
Scan process 'hphc_service.exe' - '27' Module(s) have been scanned
Scan process 'unsecapp.exe' - '28' Module(s) have been scanned
Scan process 'avcenter.exe' - '109' Module(s) have been scanned
Scan process 'avscan.exe' - '104' Module(s) have been scanned
Scan process 'vssvc.exe' - '49' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'opera.exe' - '124' Module(s) have been scanned
Scan process 'WINWORD.EXE' - '122' Module(s) have been scanned
Scan process 'splwow64.exe' - '32' Module(s) have been scanned
Scan process 'MSPUB.EXE' - '65' Module(s) have been scanned
Scan process 'DllHost.exe' - '25' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'winlogon.exe' - '30' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'lsm.exe' - '22' Module(s) have been scanned

Starting to scan executable files (registry):
The registry was scanned ( '9089' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\00000004.@.vir
[DETECTION] Is the TR/ZAccess.H Trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\00000008.@.vir
[DETECTION] Is the TR/Cutwail.jhg Trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\000000cb.@.vir
[DETECTION] Is the TR/Sirefef.abx Trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\80000000.@.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\80000032.@.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\80000064.@.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Qoobox\Quarantine\C\Users\me\AppData\Roaming\qmdu.exe.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[0] Archive type: RSRC
--> C:\Program Files (x86)\AVG\AVG9\Notification\AvgSE.exe
[1] Archive type: 7-Zip SFX (self extracting)
--> avg.exe
[2] Archive type: RSRC
--> C:\Program Files (x86)\Common Files\DVDVideoSoft\TB\CondPlug.exe
[3] Archive type: RSRC
--> C:\Program Files (x86)\Drivers\Zune\WUDFUpdate_01009.dll
[4] Archive type: RSRC
--> C:\Users\me\AppData\Local\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[5] Archive type: ZIP
--> manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[WARNING] Infected files in archives cannot be repaired
C:\Users\me\AppData\Local\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
--> C:\Users\me\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[5] Archive type: ZIP
--> manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[WARNING] Infected files in archives cannot be repaired
C:\Users\me\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
--> C:\Users\me\AppData\Local\Google\Chrome\Application\22.0.1229.79\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[5] Archive type: ZIP
--> manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[WARNING] Infected files in archives cannot be repaired
C:\Users\me\AppData\Local\Google\Chrome\Application\22.0.1229.79\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
--> C:\Users\me\AppData\Local\Google\Chrome\Application\23.0.1271.64\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[5] Archive type: ZIP
--> manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[WARNING] Infected files in archives cannot be repaired
C:\Users\me\AppData\Local\Google\Chrome\Application\23.0.1271.64\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\Users\me\AppData\Local\Google\Chrome\Application\23.0.1271.64\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '562d2e13.qua'!
C:\Users\me\AppData\Local\Google\Chrome\Application\22.0.1229.79\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '4eba01b4.qua'!
C:\Users\me\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '1ce55b5c.qua'!
C:\Users\me\AppData\Local\43dc5db0-de22-4c41-a13d-0479c9b0a973.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '7ad2149e.qua'!
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_64\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '3f213952.qua'!
C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '403a0b33.qua'!
C:\Qoobox\Quarantine\C\Users\me\AppData\Roaming\qmdu.exe.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0cf52771.qua'!
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\80000064.@.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '70d967d2.qua'!
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\80000032.@.vir
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5d83489f.qua'!
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\80000000.@.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '44eb7305.qua'!
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\000000cb.@.vir
[DETECTION] Is the TR/Sirefef.abx Trojan
[NOTE] The file was moved to the quarantine directory under the name '28b75f35.qua'!
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\00000008.@.vir
[DETECTION] Is the TR/Cutwail.jhg Trojan
[NOTE] The file was moved to the quarantine directory under the name '590e66a0.qua'!
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U\00000004.@.vir
[DETECTION] Is the TR/ZAccess.H Trojan
[NOTE] The file was moved to the quarantine directory under the name '57145667.qua'!


End of the scan: December-18-12 07:39
Used time: 8:34:56 Hour(s)

The scan has been done completely.

71362 Scanned directories
1805615 Files were scanned
17 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
13 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1805598 Files not concerned
30584 Archives were scanned
4 Warnings
28 Notes
1637097 Objects were scanned with rootkit scan
15 Hidden objects were found


As well, here's my DDS log:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 1.6.0_24
Run by me at 10:42:36 on 2012-12-18
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.2.1033.18.4085.1011 [GMT -8:00]
.
SP: AVG Anti-Virus Free *Enabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files (x86)\HP\QuickPlay\QPService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Users\me\AppData\Roaming\Internet Movil\ouc.exe
C:\Program Files (x86)\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbvcoms.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\NlsSrv32.exe
C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
C:\Program Files (x86)\PaperCut Print Logger\pcpl.exe
C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\program files (x86)\avira\antivir desktop\avcenter.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
uSearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files (x86)\FlashGet\jccatch.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: QUICKfind BHO Object: {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Program Files (x86)\IDM\QUICKfind\PlugIns\IEHelp.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files (x86)\FlashGet\getflash.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Veoh Web Player Video Finder: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Rainlendar2] C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [HW_OPENEYE_OUC_Internet Movil] "C:\Program Files (x86)\Internet Movil\UpdateDog\ouc.exe"
mRun: [WAWifiMessage] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
mRun: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime Alternative\QTTask.exe" -atboottime
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Download All with FlashGet - C:\Program Files (x86)\FlashGet\jc_all.htm
IE: &Download with FlashGet - C:\Program Files (x86)\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video - C:\Program Files (x86)\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - C:\Program Files (x86)\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: ʹÿ쳵3 - C:\Users\me\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: ʹÿ쳵3ȫ - C:\Users\me\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - C:\Program Files (x86)\WinHTTrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{9EB23349-350E-4D24-8441-D78D9A5A0EDD} : DHCPNameServer = 64.59.144.90 64.59.144.91 64.59.150.134
TCP: Interfaces\{9EC97684-2A29-4D20-A670-B3FE30B54653} : DHCPNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
x64-Run: [CanonSolutionMenu] "C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" /logon
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-Explorer: NoDrives = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\93ds36cv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?rls=org.mozilla:en-US:official&client=firefox-a&q=
FF - ExtSQL: !HIDDEN! 2009-08-09 10:37; {20a82645-c095-46ed-80e3-08825760534b}; c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2011-08-09 11:25; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - ExtSQL: !HIDDEN! 2012-12-16 15:38; {43dc5db0-de22-4c41-a13d-0479c9b0a973}; C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\93ds36cv.default\extensions\{43dc5db0-de22-4c41-a13d-0479c9b0a973}.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx64;AVG Free AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2008-9-26 269904]
R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2008-9-26 35664]
R1 AvgTdiA;AVG Free Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2009-3-22 317520]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-4 30568]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-10-16 27800]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2009-9-8 87600]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-10-16 99912]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2007-11-1 293376]
.
=============== File Associations ===============
.
FileExt: .js: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-12-16 04:32:36 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-16 04:32:36 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-11 14:43:28 129216 ----a-w- C:\Windows\System32\drivers\avipbb.sys
2012-12-11 14:43:27 99912 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-12-08 00:36:04 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2012-12-08 00:35:56 289768 ----a-w- C:\Windows\System32\javaws.exe
2012-12-08 00:35:56 189416 ----a-w- C:\Windows\System32\javaw.exe
2012-12-08 00:35:56 188904 ----a-w- C:\Windows\System32\java.exe
2012-12-08 00:35:55 916456 ----a-w- C:\Windows\System32\deployJava1.dll
2012-12-08 00:35:55 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-11-28 23:58:30 67413224 ----a-w- C:\Windows\System32\mrt.exe
2012-11-14 07:06:18 17811968 ----a-w- C:\Windows\System32\mshtml.dll
2012-11-14 06:32:33 10925568 ----a-w- C:\Windows\System32\ieframe.dll
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:44 1346048 ----a-w- C:\Windows\System32\urlmon.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 06:02:04 237056 ----a-w- C:\Windows\System32\url.dll
2012-11-14 05:59:52 85504 ----a-w- C:\Windows\System32\jsproxy.dll
2012-11-14 05:58:36 816640 ----a-w- C:\Windows\System32\jscript.dll
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:55:45 2144768 ----a-w- C:\Windows\System32\iertutil.dll
2012-11-14 05:55:26 729088 ----a-w- C:\Windows\System32\msfeeds.dll
2012-11-14 05:53:22 96768 ----a-w- C:\Windows\System32\mshtmled.dll
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 05:46:25 248320 ----a-w- C:\Windows\System32\ieui.dll
2012-11-14 02:48:26 12320256 ----a-w- C:\Windows\SysWow64\mshtml.dll
2012-11-14 02:14:59 9738240 ----a-w- C:\Windows\SysWow64\ieframe.dll
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:44 1103872 ----a-w- C:\Windows\SysWow64\urlmon.dll
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:55:46 231936 ----a-w- C:\Windows\SysWow64\url.dll
2012-11-14 01:51:44 65024 ----a-w- C:\Windows\SysWow64\jsproxy.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:49:19 717824 ----a-w- C:\Windows\SysWow64\jscript.dll
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:47:20 607744 ----a-w- C:\Windows\SysWow64\msfeeds.dll
2012-11-14 01:46:38 1793024 ----a-w- C:\Windows\SysWow64\iertutil.dll
2012-11-14 01:45:01 73216 ----a-w- C:\Windows\SysWow64\mshtmled.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-14 01:41:30 176640 ----a-w- C:\Windows\SysWow64\ieui.dll
2012-11-13 01:55:22 2770432 ----a-w- C:\Windows\System32\win32k.sys
2012-11-13 01:45:48 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-13 01:29:51 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-08 15:43:00 30568 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2012-11-08 04:24:01 48128 ----a-w- C:\Windows\System32\atmlib.dll
2012-11-08 03:46:35 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-11-08 02:00:56 368128 ----a-w- C:\Windows\System32\atmfd.dll
2012-11-08 01:36:08 293376 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-11-02 10:45:52 477696 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 10:45:51 68096 ----a-w- C:\Windows\System32\dpnathlp.dll
2012-11-02 10:18:17 376320 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-11-02 08:59:56 26112 ----a-w- C:\Windows\System32\dpnsvr.exe
2012-11-02 08:26:06 23040 ----a-w- C:\Windows\SysWow64\dpnsvr.exe
2012-09-28 16:34:50 1210368 ----a-w- C:\Windows\System32\kernel32.dll
2012-09-28 16:13:29 860160 ----a-w- C:\Windows\SysWow64\kernel32.dll
2012-09-25 16:31:19 91648 ----a-w- C:\Windows\System32\synceng.dll
2012-09-25 16:19:41 75776 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-09-24 16:58:11 27800 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2010-09-24 20:21:50 645872 ----a-w- C:\Program Files (x86)\UIX.renderapi.dll
2010-09-24 20:21:50 1526512 ----a-w- C:\Program Files (x86)\UIX.dll
2010-09-24 20:21:50 1284848 ----a-w- C:\Program Files (x86)\UIXcontrols.dll
2010-09-24 20:21:50 1243888 ----a-w- C:\Program Files (x86)\ZuneShell.dll
2010-09-24 20:21:50 1151728 ----a-w- C:\Program Files (x86)\ZuneDBApi.dll
2010-09-24 19:19:24 182784 ----a-w- C:\Program Files (x86)\l3codecp.acm
2010-09-24 18:49:20 856576 ----a-w- C:\Program Files (x86)\msvcp90.dll
2010-09-24 18:49:20 626688 ----a-w- C:\Program Files (x86)\msvcr90.dll
2010-09-24 18:49:20 245760 ----a-w- C:\Program Files (x86)\msvcm90.dll
2010-05-07 01:13:57 338 ----a-w- C:\Program Files (x86)\temp995.bat
2007-10-02 21:12:44 1642568 ----a-w- C:\Program Files (x86)\msidcrl40.dll
.
============= FINISH: 10:46:41.89 ===============

Thanks in advance!

#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 21 December 2012 - 01:47 PM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please post the logs for my review.
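The service checks that Farbar Service Scanner performs live on the machine can also be done offline against the REGEDIT4-style "Reg Loading Points" dump that ComboFix prints, where a service appears as a `[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\<name>]` key followed by an `"ImagePath"=...` value. The script below is an added example, not part of this thread and not code from ComboFix or FSS: it parses such a dump, lists every service or driver whose ImagePath names no executable (the Service Control Manager cannot start such a service, which is the "Windows can't start the Mpssvc" symptom), and reports any AppInit_DLLs value for review because that key is a long-standing persistence point whether the DLL is legitimate or not. The sample dump embedded in it is constructed to mirror that layout; the service names, paths and values in it are illustrative.

```python
"""Offline triage of a ComboFix/REGEDIT4-style registry dump.

Added example, not part of the forum thread and not code from ComboFix or
Farbar Service Scanner. SAMPLE_DUMP is constructed to mirror the layout of
ComboFix's "Reg Loading Points" section; its entries are illustrative.
"""
import re

# Constructed sample: a healthy svchost-hosted service, a healthy minifilter
# driver, a firewall service whose ImagePath has been blanked to ".", and an
# AppInit_DLLs value that should be reviewed even if it belongs to an AV product.
SAMPLE_DUMP = r'''REGEDIT4
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNoNetwork"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\avgntflt]
"ImagePath"="system32\\DRIVERS\\avgntflt.sys"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\avgrssta.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')
# Last path component under a ...\Services\ key is the service name.
SERVICE_KEY_RE = re.compile(r'\\Services\\(?P<svc>[^\\\]]+)$', re.IGNORECASE)
# An ImagePath is only plausible if it references a PE image or a driver file.
EXE_RE = re.compile(r'\.(exe|sys)\b', re.IGNORECASE)


def parse_regedit4(text):
    """Return {key_path: {value_name: value_string}} for a REGEDIT4-style dump.

    Quoted string values have REGEDIT4 escaping undone; unquoted values (as
    ComboFix prints AppInit_DLLs) are kept verbatim. The '.' separator lines
    and any non-string value types are ignored.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group('raw').strip()
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group('name')] = raw
    return keys


def find_broken_services(keys):
    """Return sorted (service, imagepath) pairs whose ImagePath names no executable."""
    broken = []
    for key, values in keys.items():
        m = SERVICE_KEY_RE.search(key)
        if not m or 'ImagePath' not in values:
            continue
        image = values['ImagePath']
        if not EXE_RE.search(image):
            broken.append((m.group('svc'), image))
    return sorted(broken)


def find_appinit_dlls(keys):
    """Return sorted (key, value) pairs for every non-empty AppInit_DLLs value."""
    return sorted((key, values['AppInit_DLLs'])
                  for key, values in keys.items()
                  if values.get('AppInit_DLLs'))


if __name__ == '__main__':
    parsed = parse_regedit4(SAMPLE_DUMP)
    for svc, image in find_broken_services(parsed):
        print(f'BROKEN service {svc}: ImagePath={image!r} references no executable')
    for key, dll in find_appinit_dlls(parsed):
        print(f'REVIEW AppInit_DLLs under {key}: {dll}')
```

The script only reports; it does not touch the registry. A blanked ImagePath such as "." is reported as broken regardless of which service it belongs to, so the same check covers the System Restore and Security Center services FSS inspects, not only the firewall.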

#3 seethis (Topic Starter)

Posted 22 December 2012 - 08:29 PM

Hi nasdaq!

Here is my ComboFix log. I got a "Failed to get data for EnableLUA" message when ComboFix was running.

ComboFix 12-12-22.02 - me 22/12/2012 16:02:16.1.2 - x64
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.2.1033.18.4085.2249 [GMT -8:00]
Running from: c:\users\me\Desktop\ComboFix.exe
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-23 to 2012-12-23 )))))))))))))))))))))))))))))))
.
.
2012-12-23 00:35 . 2012-12-23 00:45 -------- d-----w- c:\users\me\AppData\Local\temp
2012-12-23 00:35 . 2012-12-23 00:35 -------- d-----w- c:\users\guest\AppData\Local\temp
2012-12-23 00:35 . 2012-12-23 00:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-22 07:47 . 2012-12-16 13:31 48128 ----a-w- c:\windows\system32\atmlib.dll
2012-12-22 07:47 . 2012-12-16 13:12 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-22 07:47 . 2012-12-16 11:08 368128 ----a-w- c:\windows\system32\atmfd.dll
2012-12-22 07:47 . 2012-12-16 10:50 293376 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-17 16:55 . 2012-12-17 16:55 -------- d-----w- c:\program files (x86)\ESET
2012-12-13 00:17 . 2012-11-14 05:53 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-12-12 02:55 . 2012-08-21 11:50 267648 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-12-12 02:55 . 2012-11-13 01:55 2770432 ----a-w- c:\windows\system32\win32k.sys
2012-12-12 02:54 . 2012-09-28 16:34 1210368 ----a-w- c:\windows\system32\kernel32.dll
2012-12-12 02:54 . 2012-11-02 10:45 477696 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 02:54 . 2012-11-02 10:45 68096 ----a-w- c:\windows\system32\dpnathlp.dll
2012-12-12 02:54 . 2012-11-02 10:18 376320 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-12 02:54 . 2012-11-02 08:59 26112 ----a-w- c:\windows\system32\dpnsvr.exe
2012-12-12 02:54 . 2012-11-02 08:26 23040 ----a-w- c:\windows\SysWow64\dpnsvr.exe
2012-12-12 02:53 . 2012-11-13 01:45 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-12 02:53 . 2012-11-13 01:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-12-08 00:38 . 2012-12-08 00:35 289768 ----a-w- c:\windows\system32\javaws.exe
2012-12-08 00:37 . 2012-12-08 00:36 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-12-08 00:37 . 2012-12-08 00:35 189416 ----a-w- c:\windows\system32\javaw.exe
2012-12-08 00:37 . 2012-12-08 00:35 188904 ----a-w- c:\windows\system32\java.exe
2012-12-08 00:35 . 2012-12-08 00:35 -------- d-----w- c:\program files\Java
2012-12-01 04:09 . 2012-12-01 04:09 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-12-01 04:09 . 2012-12-01 04:09 -------- d-----r- c:\program files (x86)\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-18 19:44 . 2006-11-02 12:21 5120 ----a-w- c:\windows\SysWow64\security.dll
2012-12-18 19:44 . 2006-11-02 09:37 6656 ----a-w- c:\windows\system32\drivers\mspqm.sys
2012-12-16 04:32 . 2012-04-09 00:50 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-12-16 04:32 . 2011-05-24 13:03 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-11 14:43 . 2012-10-17 03:29 129216 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-12-11 14:43 . 2012-10-17 03:29 99912 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-12-08 00:35 . 2012-10-08 21:27 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-08 00:35 . 2012-10-08 21:27 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-28 23:58 . 2006-11-02 12:35 67413224 ----a-w- c:\windows\system32\mrt.exe
2012-11-08 15:43 . 2012-09-04 14:47 30568 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-09-25 16:31 . 2012-11-15 07:02 91648 ----a-w- c:\windows\system32\synceng.dll
2012-09-25 16:19 . 2012-11-15 07:02 75776 ----a-w- c:\windows\SysWow64\synceng.dll
2012-09-24 16:58 . 2012-10-17 03:29 27800 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2010-09-24 20:21 . 2010-09-24 20:21 645872 ----a-w- c:\program files (x86)\UIX.renderapi.dll
2010-09-24 20:21 . 2010-09-24 20:21 1526512 ----a-w- c:\program files (x86)\UIX.dll
2010-09-24 20:21 . 2010-09-24 20:21 1284848 ----a-w- c:\program files (x86)\UIXcontrols.dll
2010-09-24 20:21 . 2010-09-24 20:21 1243888 ----a-w- c:\program files (x86)\ZuneShell.dll
2010-09-24 20:21 . 2010-09-24 20:21 1151728 ----a-w- c:\program files (x86)\ZuneDBApi.dll
2010-09-24 20:17 . 2010-09-24 20:17 27888 ----a-w- c:\program files (x86)\WMZuneTCP2UDP.dll
2010-09-24 20:17 . 2010-09-24 20:17 21232 ----a-w- c:\program files (x86)\WMZuneDTPTDNS.dll
2010-09-24 20:17 . 2010-09-24 20:17 18672 ----a-w- c:\program files (x86)\WMZuneCommProxyStub.dll
2010-09-24 20:17 . 2010-09-24 20:17 916208 ----a-w- c:\program files (x86)\ZuneQP.dll
2010-09-24 20:17 . 2010-09-24 20:17 74480 ----a-w- c:\program files (x86)\ZuneShellExt.dll
2010-09-24 20:17 . 2010-09-24 20:17 683760 ----a-w- c:\program files (x86)\ZuneSH.dll
2010-09-24 20:17 . 2010-09-24 20:17 514288 ----a-w- c:\program files (x86)\ZuneSE.dll
2010-09-24 20:17 . 2010-09-24 20:17 507120 ----a-w- c:\program files (x86)\ZuneSP.dll
2010-09-24 20:17 . 2010-09-24 20:17 366320 ----a-w- c:\program files (x86)\ZuneSrcWrp.dll
2010-09-24 20:17 . 2010-09-24 20:17 306416 ----a-w- c:\program files (x86)\WMZuneComm.exe
2010-09-24 20:17 . 2010-09-24 20:17 195312 ----a-w- c:\program files (x86)\ZuneZMDB.Mobile.dll
2010-09-24 20:17 . 2010-09-24 20:17 17648 ----a-w- c:\program files (x86)\ZuneShare.exe
2010-09-24 20:17 . 2010-09-24 20:17 16873712 ----a-w- c:\program files (x86)\ZuneShellResources.dll
2010-09-24 20:17 . 2010-09-24 20:17 157936 ----a-w- c:\program files (x86)\ZuneZMDB.Library.dll
2010-09-24 20:17 . 2010-09-24 20:17 156912 ----a-w- c:\program files (x86)\ZuneZMDB.ZuneHD.dll
2010-09-24 20:17 . 2010-09-24 20:17 155888 ----a-w- c:\program files (x86)\ZuneSA.dll
2010-09-24 20:17 . 2010-09-24 20:17 152304 ----a-w- c:\program files (x86)\ZuneZMDB.Classic.dll
2010-09-24 20:17 . 2010-09-24 20:17 1404144 ----a-w- c:\program files (x86)\ZuneResources.dll
2010-09-24 20:17 . 2010-09-24 20:17 1388272 ----a-w- c:\program files (x86)\ZuneSetup.exe
2010-09-24 20:17 . 2010-09-24 20:17 1240304 ----a-w- c:\program files (x86)\ZuneService.dll
2010-09-24 20:17 . 2010-09-24 20:17 100080 ----a-w- c:\program files (x86)\ZuneTaskbar.dll
2010-09-24 20:17 . 2010-09-24 20:17 9971440 ----a-w- c:\program files (x86)\ZuneNativeLib.dll
2010-09-24 20:17 . 2010-09-24 20:17 855280 ----a-w- c:\program files (x86)\ZuneMBR.dll
2010-09-24 20:17 . 2010-09-24 20:17 8251120 ----a-w- c:\program files (x86)\ZuneNss.exe
2010-09-24 20:17 . 2010-09-24 20:17 72944 ----a-w- c:\program files (x86)\ZuneDXVA2.dll
2010-09-24 20:17 . 2010-09-24 20:17 707824 ----a-w- c:\program files (x86)\ZUNEMP4SDECD.dll
2010-09-24 20:17 . 2010-09-24 20:17 61680 ----a-w- c:\program files (x86)\ZuneCfg.dll
2010-09-24 20:17 . 2010-09-24 20:17 56560 ----a-w- c:\program files (x86)\ZuneConfig.exe
2010-09-24 20:17 . 2010-09-24 20:17 38640 ----a-w- c:\program files (x86)\ZuneEnc.exe
2010-09-24 20:17 . 2010-09-24 20:17 376560 ----a-w- c:\program files (x86)\ZuneEvr.dll
2010-09-24 20:17 . 2010-09-24 20:17 35568 ----a-w- c:\program files (x86)\UIXsup.dll
2010-09-24 20:17 . 2010-09-24 20:17 347888 ----a-w- c:\program files (x86)\ZuneNssci.dll
2010-09-24 20:17 . 2010-09-24 20:17 223472 ----a-w- c:\program files (x86)\Zune.exe
2010-09-24 20:17 . 2010-09-24 20:17 218864 ----a-w- c:\program files (x86)\ZuneHost.exe
2010-09-24 20:17 . 2010-09-24 20:17 212208 ----a-w- c:\program files (x86)\ZuneDB.dll
2010-09-24 20:17 . 2010-09-24 20:17 2109680 ----a-w- c:\program files (x86)\ZuneEncEng.dll
2010-09-24 20:17 . 2010-09-24 20:17 20720 ----a-w- c:\program files (x86)\ZunePS.dll
2010-09-24 20:17 . 2010-09-24 20:17 1744624 ----a-w- c:\program files (x86)\UIXrender.dll
2010-09-24 20:17 . 2010-09-24 20:17 163568 ----a-w- c:\program files (x86)\ZuneLauncher.exe
2010-09-24 20:17 . 2010-09-24 20:17 1464560 ----a-w- c:\program files (x86)\ZuneCore.dll
2010-09-24 20:17 . 2010-09-24 20:17 130800 ----a-w- c:\program files (x86)\ZunePresenter.dll
2010-09-24 20:17 . 2010-09-24 20:17 129264 ----a-w- c:\program files (x86)\ZuneEffects.dll
2010-09-24 20:17 . 2010-09-24 20:17 121072 ----a-w- c:\program files (x86)\ZuneAACDec.dll
2010-09-24 20:17 . 2010-09-24 20:17 1184496 ----a-w- c:\program files (x86)\ZuneH264Dec.dll
2010-09-24 20:17 . 2010-09-24 20:17 1161456 ----a-w- c:\program files (x86)\ZuneMde.dll
2010-09-24 20:17 . 2010-09-24 20:17 1084144 ----a-w- c:\program files (x86)\ZuneMarketplaceResources.dll
2010-09-24 19:19 . 2010-09-24 19:19 182784 ----a-w- c:\program files (x86)\l3codecp.acm
2010-09-24 18:49 . 2010-09-24 18:49 856576 ----a-w- c:\program files (x86)\msvcp90.dll
2010-09-24 18:49 . 2010-09-24 18:49 626688 ----a-w- c:\program files (x86)\msvcr90.dll
2010-09-24 18:49 . 2010-09-24 18:49 245760 ----a-w- c:\program files (x86)\msvcm90.dll
2010-05-07 01:13 . 2010-05-07 01:13 338 ----a-w- c:\program files (x86)\temp995.bat
2007-10-02 21:12 . 2007-10-02 21:12 1642568 ----a-w- c:\program files (x86)\msidcrl40.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-08 15:42 1796552 ----a-w- c:\program files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"Rainlendar2"="c:\program files (x86)\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-24 455968]
"HW_OPENEYE_OUC_Internet Movil"="c:\program files (x86)\Internet Movil\UpdateDog\ouc.exe" [2009-07-27 110592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WAWifiMessage"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"AVG9_TRAY"="c:\progra~2\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-07 801792]
"QuickTime Task"="c:\program files (x86)\QuickTime Alternative\QTTask.exe" [2011-10-24 421888]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-11-08 997320]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-18 928096]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"ROC_ROC_JULY_P1"="c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-09-04 1022048]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-12-11 384800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files (x86)\QuickTime Alternative\QTTask.exe" -atboottime
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "c:\program files (x86)\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"ALUAlert"="c:\program files (x86)\Symantec\LiveUpdate\ALuNotify.exe" "/LOWDISKSPACE C"
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 04:32]
.
2012-08-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2009-03-14 15:46]
.
2012-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-24 15:06]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd68f98e1998c9.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-05-12 19:46]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cd68f9925c99a9.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-05-12 19:46]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-679880683-153750638-2589842705-1000Core1cd62f6b3eddec0.job
- c:\users\me\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-18 00:01]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-679880683-153750638-2589842705-1000UA1cd62f6b57e90e0.job
- c:\users\me\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-18 00:01]
.
2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{81C3EC42-D423-4395-87EE-8E1DAF790A19}.job
- c:\windows\system32\msfeedssync.exe [2011-05-24 08:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 202264]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 701440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 154648]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 227352]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 216576]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 2114376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\avgrssta.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
IE: &Download All with FlashGet - c:\program files (x86)\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files (x86)\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files (x86)\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files (x86)\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: ʹÿ쳵3 - c:\users\me\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: ʹÿ쳵3ȫ - c:\users\me\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\93ds36cv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?rls=org.mozilla:en-US:official&client=firefox-a&q=
FF - ExtSQL: 2012-12-16 15:38; {43dc5db0-de22-4c41-a13d-0479c9b0a973}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\93ds36cv.default\extensions\{43dc5db0-de22-4c41-a13d-0479c9b0a973}.xpi
FF - ExtSQL: !HIDDEN! 2009-08-09 10:37; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2011-08-09 11:25; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-{6304587B-3C05-4031-A8E7-7938CB9162E7}_is1 - c:\program files (x86)\meta-iPod
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG9\avgwdsvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\NlsSrv32.exe
c:\program files (x86)\CDBurnerXP\NMSAccessU.exe
c:\program files (x86)\PaperCut Print Logger\pcpl.exe
c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files (x86)\AVG\AVG9\avgtray.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\program files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
c:\users\me\AppData\Roaming\Internet Movil\ouc.exe
c:\program files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\SysWOW64\conime.exe
c:\program files (x86)\Windows Media Player\wmplayer.exe
c:\program files (x86)\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
.
**************************************************************************
.
Completion time: 2012-12-22 17:03:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-23 01:03
ComboFix2.txt 2012-12-18 01:03
.
Pre-Run: 51,138,560 bytes free
Post-Run: 3,121,393,664 bytes free
.
- - End Of File - - 6BA10DCB8F87443B0322601971ECB02F

Thanks!

#4 nasdaq

  • Malware Response Team
  • 39,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 December 2012 - 08:42 AM

Open notepad and copy/paste the text in the quote box below into it:

File::
 c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\93ds36cv.default\extensions\{43dc5db0-de22-4c41-a13d-0479c9b0a973}.xpi

ClearJavaCache::


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===

I also can't turn on Windows Firewall. I get the "Windows can't start the Mpssvc" message.


The registry key has been compromised.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."


Let's check it out.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
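
The diagnosis above rests on one registry value: a service whose ImagePath is "." names no executable at all, so the Service Control Manager can never start it, which is exactly the "Windows can't start the Mpssvc" symptom. As an added example, not code from this thread or from the ComboFix/FSS tools, the Python below parses the Services blocks that ComboFix prints, flags any service whose ImagePath does not name an executable, and compares the firewall services against the svchost host they are assumed to use on Vista/7. The EXPECTED_IMAGEPATH strings are an assumption about the OS build, the "GoodSvc" control entry is constructed for the example, and the repair_command output is a reg.exe line, not something ComboFix runs.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the two Services blocks as ComboFix printed them in this thread
# (MpsSvc and BFE with ImagePath "."), plus a constructed "GoodSvc" control
# entry that carries a sane svchost ImagePath.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\GoodSvc]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork"
.
"""

# ASSUMPTION: on Vista/7 both firewall services are hosted by svchost.exe in the
# LocalServiceNoNetwork group. Verify against a known-clean machine of the same
# OS build before relying on these strings.
EXPECTED_IMAGEPATH = {
    "MpsSvc": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork",
    "BFE":    r"%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork",
}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I)
VALUE_RE = re.compile(r'^"ImagePath"="(.*)"$')


def parse_service_imagepaths(log_text: str) -> Dict[str, str]:
    """Map service name -> ImagePath for every Services block in a ComboFix log."""
    paths: Dict[str, str] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            paths[current] = value.group(1)
    return paths


def looks_like_executable_path(image_path: str) -> bool:
    """A real ImagePath names a .exe/.sys/.dll (args and %vars% are fine); "." does not."""
    return re.search(r"\.(exe|sys|dll)\b", image_path, re.I) is not None


def audit(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (service, ImagePath, reason) for every entry that needs attention."""
    findings = []
    for svc, path in parse_service_imagepaths(log_text).items():
        if not looks_like_executable_path(path):
            findings.append((svc, path, "ImagePath names no executable; SCM cannot start it"))
        elif svc in EXPECTED_IMAGEPATH and path.lower() != EXPECTED_IMAGEPATH[svc].lower():
            findings.append((svc, path, "ImagePath differs from the expected svchost host"))
    return sorted(findings)


def repair_command(service: str) -> str:
    """reg.exe line that restores the assumed ImagePath (REG_EXPAND_SZ, as Windows stores it)."""
    expected = EXPECTED_IMAGEPATH[service]
    return (f'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\{service}" '
            f'/v ImagePath /t REG_EXPAND_SZ /d "{expected}" /f')


if __name__ == "__main__":
    for svc, path, why in audit(SAMPLE_LOG):
        print(f"{svc}: ImagePath={path!r}: {why}")
        if svc in EXPECTED_IMAGEPATH:
            print("  repair: " + repair_command(svc))
```

On the affected machine itself the same value can be read with `reg query HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc /v ImagePath`; BFE is worth checking alongside MpsSvc because the firewall service depends on the Base Filtering Engine, so repairing only one of the two still leaves the firewall unable to start.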


#5 seethis

  • Topic Starter
  • Members
  • 79 posts

Posted 24 December 2012 - 02:49 PM

Hi nasdaq,

Here is my ComboFix log with the script input:

ComboFix 12-12-23.01 - me 24/12/2012 10:17:25.1.2 - x64
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.2.1033.18.4085.2297 [GMT -8:00]
Running from: c:\users\me\Desktop\ComboFix.exe
SP: AVG Anti-Virus Free *Disabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-24 to 2012-12-24 )))))))))))))))))))))))))))))))
.
.
2012-12-24 18:56 . 2012-12-24 18:56 -------- d-----w- c:\users\guest\AppData\Local\temp
2012-12-24 18:56 . 2012-12-24 19:22 -------- d-----w- c:\users\me\AppData\Local\temp
2012-12-24 18:56 . 2012-12-24 18:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-22 07:47 . 2012-12-16 13:31 48128 ----a-w- c:\windows\system32\atmlib.dll
2012-12-22 07:47 . 2012-12-16 13:12 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-22 07:47 . 2012-12-16 11:08 368128 ----a-w- c:\windows\system32\atmfd.dll
2012-12-22 07:47 . 2012-12-16 10:50 293376 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-17 16:55 . 2012-12-17 16:55 -------- d-----w- c:\program files (x86)\ESET
2012-12-13 00:17 . 2012-11-14 05:53 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-12-12 02:55 . 2012-08-21 11:50 267648 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-12-12 02:55 . 2012-11-13 01:55 2770432 ----a-w- c:\windows\system32\win32k.sys
2012-12-12 02:54 . 2012-09-28 16:34 1210368 ----a-w- c:\windows\system32\kernel32.dll
2012-12-12 02:54 . 2012-11-02 10:45 477696 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 02:54 . 2012-11-02 10:45 68096 ----a-w- c:\windows\system32\dpnathlp.dll
2012-12-12 02:54 . 2012-11-02 10:18 376320 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-12 02:54 . 2012-11-02 08:59 26112 ----a-w- c:\windows\system32\dpnsvr.exe
2012-12-12 02:54 . 2012-11-02 08:26 23040 ----a-w- c:\windows\SysWow64\dpnsvr.exe
2012-12-12 02:53 . 2012-11-13 01:45 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-12 02:53 . 2012-11-13 01:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-12-08 00:38 . 2012-12-08 00:35 289768 ----a-w- c:\windows\system32\javaws.exe
2012-12-08 00:37 . 2012-12-08 00:36 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-12-08 00:37 . 2012-12-08 00:35 189416 ----a-w- c:\windows\system32\javaw.exe
2012-12-08 00:37 . 2012-12-08 00:35 188904 ----a-w- c:\windows\system32\java.exe
2012-12-08 00:35 . 2012-12-08 00:35 -------- d-----w- c:\program files\Java
2012-12-01 04:09 . 2012-12-01 04:09 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-12-01 04:09 . 2012-12-01 04:09 -------- d-----r- c:\program files (x86)\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-18 19:44 . 2006-11-02 12:21 5120 ----a-w- c:\windows\SysWow64\security.dll
2012-12-18 19:44 . 2006-11-02 09:37 6656 ----a-w- c:\windows\system32\drivers\mspqm.sys
2012-12-16 04:32 . 2012-04-09 00:50 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-12-16 04:32 . 2011-05-24 13:03 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-11 14:43 . 2012-10-17 03:29 129216 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-12-11 14:43 . 2012-10-17 03:29 99912 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-12-08 00:35 . 2012-10-08 21:27 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-08 00:35 . 2012-10-08 21:27 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-28 23:58 . 2006-11-02 12:35 67413224 ----a-w- c:\windows\system32\mrt.exe
2012-11-08 15:43 . 2012-09-04 14:47 30568 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2010-09-24 20:21 . 2010-09-24 20:21 645872 ----a-w- c:\program files (x86)\UIX.renderapi.dll
2010-09-24 20:21 . 2010-09-24 20:21 1526512 ----a-w- c:\program files (x86)\UIX.dll
2010-09-24 20:21 . 2010-09-24 20:21 1284848 ----a-w- c:\program files (x86)\UIXcontrols.dll
2010-09-24 20:21 . 2010-09-24 20:21 1243888 ----a-w- c:\program files (x86)\ZuneShell.dll
2010-09-24 20:21 . 2010-09-24 20:21 1151728 ----a-w- c:\program files (x86)\ZuneDBApi.dll
2010-09-24 20:17 . 2010-09-24 20:17 27888 ----a-w- c:\program files (x86)\WMZuneTCP2UDP.dll
2010-09-24 20:17 . 2010-09-24 20:17 21232 ----a-w- c:\program files (x86)\WMZuneDTPTDNS.dll
2010-09-24 20:17 . 2010-09-24 20:17 18672 ----a-w- c:\program files (x86)\WMZuneCommProxyStub.dll
2010-09-24 20:17 . 2010-09-24 20:17 916208 ----a-w- c:\program files (x86)\ZuneQP.dll
2010-09-24 20:17 . 2010-09-24 20:17 74480 ----a-w- c:\program files (x86)\ZuneShellExt.dll
2010-09-24 20:17 . 2010-09-24 20:17 683760 ----a-w- c:\program files (x86)\ZuneSH.dll
2010-09-24 20:17 . 2010-09-24 20:17 514288 ----a-w- c:\program files (x86)\ZuneSE.dll
2010-09-24 20:17 . 2010-09-24 20:17 507120 ----a-w- c:\program files (x86)\ZuneSP.dll
2010-09-24 20:17 . 2010-09-24 20:17 366320 ----a-w- c:\program files (x86)\ZuneSrcWrp.dll
2010-09-24 20:17 . 2010-09-24 20:17 306416 ----a-w- c:\program files (x86)\WMZuneComm.exe
2010-09-24 20:17 . 2010-09-24 20:17 195312 ----a-w- c:\program files (x86)\ZuneZMDB.Mobile.dll
2010-09-24 20:17 . 2010-09-24 20:17 17648 ----a-w- c:\program files (x86)\ZuneShare.exe
2010-09-24 20:17 . 2010-09-24 20:17 16873712 ----a-w- c:\program files (x86)\ZuneShellResources.dll
2010-09-24 20:17 . 2010-09-24 20:17 157936 ----a-w- c:\program files (x86)\ZuneZMDB.Library.dll
2010-09-24 20:17 . 2010-09-24 20:17 156912 ----a-w- c:\program files (x86)\ZuneZMDB.ZuneHD.dll
2010-09-24 20:17 . 2010-09-24 20:17 155888 ----a-w- c:\program files (x86)\ZuneSA.dll
2010-09-24 20:17 . 2010-09-24 20:17 152304 ----a-w- c:\program files (x86)\ZuneZMDB.Classic.dll
2010-09-24 20:17 . 2010-09-24 20:17 1404144 ----a-w- c:\program files (x86)\ZuneResources.dll
2010-09-24 20:17 . 2010-09-24 20:17 1388272 ----a-w- c:\program files (x86)\ZuneSetup.exe
2010-09-24 20:17 . 2010-09-24 20:17 1240304 ----a-w- c:\program files (x86)\ZuneService.dll
2010-09-24 20:17 . 2010-09-24 20:17 100080 ----a-w- c:\program files (x86)\ZuneTaskbar.dll
2010-09-24 20:17 . 2010-09-24 20:17 9971440 ----a-w- c:\program files (x86)\ZuneNativeLib.dll
2010-09-24 20:17 . 2010-09-24 20:17 855280 ----a-w- c:\program files (x86)\ZuneMBR.dll
2010-09-24 20:17 . 2010-09-24 20:17 8251120 ----a-w- c:\program files (x86)\ZuneNss.exe
2010-09-24 20:17 . 2010-09-24 20:17 72944 ----a-w- c:\program files (x86)\ZuneDXVA2.dll
2010-09-24 20:17 . 2010-09-24 20:17 707824 ----a-w- c:\program files (x86)\ZUNEMP4SDECD.dll
2010-09-24 20:17 . 2010-09-24 20:17 61680 ----a-w- c:\program files (x86)\ZuneCfg.dll
2010-09-24 20:17 . 2010-09-24 20:17 56560 ----a-w- c:\program files (x86)\ZuneConfig.exe
2010-09-24 20:17 . 2010-09-24 20:17 38640 ----a-w- c:\program files (x86)\ZuneEnc.exe
2010-09-24 20:17 . 2010-09-24 20:17 376560 ----a-w- c:\program files (x86)\ZuneEvr.dll
2010-09-24 20:17 . 2010-09-24 20:17 35568 ----a-w- c:\program files (x86)\UIXsup.dll
2010-09-24 20:17 . 2010-09-24 20:17 347888 ----a-w- c:\program files (x86)\ZuneNssci.dll
2010-09-24 20:17 . 2010-09-24 20:17 223472 ----a-w- c:\program files (x86)\Zune.exe
2010-09-24 20:17 . 2010-09-24 20:17 218864 ----a-w- c:\program files (x86)\ZuneHost.exe
2010-09-24 20:17 . 2010-09-24 20:17 212208 ----a-w- c:\program files (x86)\ZuneDB.dll
2010-09-24 20:17 . 2010-09-24 20:17 2109680 ----a-w- c:\program files (x86)\ZuneEncEng.dll
2010-09-24 20:17 . 2010-09-24 20:17 20720 ----a-w- c:\program files (x86)\ZunePS.dll
2010-09-24 20:17 . 2010-09-24 20:17 1744624 ----a-w- c:\program files (x86)\UIXrender.dll
2010-09-24 20:17 . 2010-09-24 20:17 163568 ----a-w- c:\program files (x86)\ZuneLauncher.exe
2010-09-24 20:17 . 2010-09-24 20:17 1464560 ----a-w- c:\program files (x86)\ZuneCore.dll
2010-09-24 20:17 . 2010-09-24 20:17 130800 ----a-w- c:\program files (x86)\ZunePresenter.dll
2010-09-24 20:17 . 2010-09-24 20:17 129264 ----a-w- c:\program files (x86)\ZuneEffects.dll
2010-09-24 20:17 . 2010-09-24 20:17 121072 ----a-w- c:\program files (x86)\ZuneAACDec.dll
2010-09-24 20:17 . 2010-09-24 20:17 1184496 ----a-w- c:\program files (x86)\ZuneH264Dec.dll
2010-09-24 20:17 . 2010-09-24 20:17 1161456 ----a-w- c:\program files (x86)\ZuneMde.dll
2010-09-24 20:17 . 2010-09-24 20:17 1084144 ----a-w- c:\program files (x86)\ZuneMarketplaceResources.dll
2010-09-24 19:19 . 2010-09-24 19:19 182784 ----a-w- c:\program files (x86)\l3codecp.acm
2010-09-24 18:49 . 2010-09-24 18:49 856576 ----a-w- c:\program files (x86)\msvcp90.dll
2010-09-24 18:49 . 2010-09-24 18:49 626688 ----a-w- c:\program files (x86)\msvcr90.dll
2010-09-24 18:49 . 2010-09-24 18:49 245760 ----a-w- c:\program files (x86)\msvcm90.dll
2010-05-07 01:13 . 2010-05-07 01:13 338 ----a-w- c:\program files (x86)\temp995.bat
2007-10-02 21:12 . 2007-10-02 21:12 1642568 ----a-w- c:\program files (x86)\msidcrl40.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-11-08 15:42 1796552 ----a-w- c:\program files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [2012-11-08 1796552]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"Rainlendar2"="c:\program files (x86)\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-24 455968]
"HW_OPENEYE_OUC_Internet Movil"="c:\program files (x86)\Internet Movil\UpdateDog\ouc.exe" [2009-07-27 110592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WAWifiMessage"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"AVG9_TRAY"="c:\progra~2\AVG\AVG9\avgtray.exe" [2012-01-27 2077536]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-07 801792]
"QuickTime Task"="c:\program files (x86)\QuickTime Alternative\QTTask.exe" [2011-10-24 421888]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-11-08 997320]
"ROC_roc_dec12"="c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-18 928096]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"ROC_ROC_JULY_P1"="c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" [2012-09-04 1022048]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-12-11 384800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files (x86)\QuickTime Alternative\QTTask.exe" -atboottime
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "c:\program files (x86)\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"ALUAlert"="c:\program files (x86)\Symantec\LiveUpdate\ALuNotify.exe" "/LOWDISKSPACE C"
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 04:32]
.
2012-08-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2009-03-14 15:46]
.
2012-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-24 15:06]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd68f98e1998c9.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-05-12 19:46]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cd68f9925c99a9.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-05-12 19:46]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-679880683-153750638-2589842705-1000Core1cd62f6b3eddec0.job
- c:\users\me\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-18 00:01]
.
2012-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-679880683-153750638-2589842705-1000UA1cd62f6b57e90e0.job
- c:\users\me\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-18 00:01]
.
2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{81C3EC42-D423-4395-87EE-8E1DAF790A19}.job
- c:\windows\system32\msfeedssync.exe [2011-05-24 08:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 202264]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 701440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 154648]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 227352]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 216576]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 2114376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\avgrssta.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
IE: &Download All with FlashGet - c:\program files (x86)\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files (x86)\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files (x86)\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files (x86)\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: ʹÿ쳵3 - c:\users\me\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: ʹÿ쳵3ȫ - c:\users\me\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
TCP: DhcpNameServer = 192.168.0.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\93ds36cv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?rls=org.mozilla:en-US:official&client=firefox-a&q=
FF - ExtSQL: 2012-12-16 15:38; {43dc5db0-de22-4c41-a13d-0479c9b0a973}; c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\93ds36cv.default\extensions\{43dc5db0-de22-4c41-a13d-0479c9b0a973}.xpi
FF - ExtSQL: !HIDDEN! 2009-08-09 10:37; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2011-08-09 11:25; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-{6304587B-3C05-4031-A8E7-7938CB9162E7}_is1 - c:\program files (x86)\meta-iPod
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG9\avgwdsvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\NlsSrv32.exe
c:\program files (x86)\CDBurnerXP\NMSAccessU.exe
c:\program files (x86)\PaperCut Print Logger\pcpl.exe
c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files (x86)\AVG\AVG9\avgtray.exe
c:\program files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
c:\users\me\AppData\Roaming\Internet Movil\ouc.exe
c:\program files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\SysWOW64\conime.exe
.
**************************************************************************
.
Completion time: 2012-12-24 11:35:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-24 19:35
ComboFix2.txt 2012-12-23 01:04
ComboFix3.txt 2012-12-18 01:03
.
Pre-Run: 240,803,840 bytes free
Post-Run: 3,693,309,952 bytes free
.
- - End Of File - - 9E530208310A23B0489D25095E10B4CD

And here is my FSS log:

Farbar Service Scanner Version: 10-12-2012
Ran by me (administrator) on 24-12-2012 at 11:39:06
Running from "C:\Users\me\AppData\Local\Opera\Opera\temporary_downloads"
Windows Vista ™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is set to Demand. The default start type is Auto.
The ImagePath of MpsSvc: ".".
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Demand. The default start type is Auto.
The ImagePath of bfe: ".".
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: ATTENTION!=====> Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-09-23 21:53] - [2009-04-10 23:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-02-15 08:29] - [2012-01-03 06:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-16 13:50] - [2012-03-30 04:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E

C:\Windows\System32\dnsrslvr.dll
[2011-04-14 12:31] - [2011-03-02 08:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2009-09-23 21:52] - [2009-04-10 23:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-09-23 21:54] - [2009-04-10 23:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2009-09-23 21:52] - [2009-04-10 23:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2009-09-23 21:53] - [2009-04-10 23:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2012-10-11 04:12] - [2012-06-01 16:20] - 0174592 ____A (Microsoft Corporation) CA78B312C44E4D52E842C2C8BD48E452

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****


Thanks!

#6 nasdaq
  • Malware Response Team
  • 39,576 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 25 December 2012 - 08:55 AM

Windows VISTA
Please download Vista.zip file from here: http://www.smartestc...y-network-keys/
Unzip the file to a temporary folder on your desktop.

These files will be extracted with others.

bfe.reg
mpssvc.reg
legacy_bfe.reg
legacy_mpssvc.reg

start_services.bat


Double-click each one of the 4 .reg files listed, in turn, and click Yes to add it to the Registry.
Allow registry merge.
When the 4 files have been executed, restart the computer.

Click Start and in "Search Box" type in:
regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
Right click on BFE key, click "Permissions"
Click on Add button, type Everyone and click OK.
Now click once on Everyone
Below, in "Permissions" pane checkmark "Allow" in "Full control" row.
Click "Apply" then "OK".

Close regedit and go back to your Desktop, find start_services.bat, right-click on it and click "Run As Administrator" to run the fix. Agree to any alerts, then re-boot.

Note: Ignore this error:
"Cannot import C:\...\Desktop\Legacy_xxx.reg:
Not all data was successfully written to the registry. Some keys are open by the system or other processes."
Just continue executing the remaining .reg files.

Please let me know what problem persists.
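The steps above restore the BFE and MpsSvc service keys by hand and then open the BFE key to Everyone with Full Control. As an added example (not part of nasdaq's instructions, the Vista.zip contents or the BleepingComputer tools), the PowerShell below audits the same firewall service chain for the anomalies the FSS log reported (missing service key, ImagePath of ".", start type changed to Demand, missing LEGACY_ entry) and reports who can write the BFE key. The function names and the $Expected table are mine; the expected values are assumed Vista SP2 defaults and should be compared against a known-good machine of the same build. The Everyone/Full Control step gets the service starting, but it also leaves the key writable by any local process, including whatever broke it, so the block includes a function to drop that ACE once the firewall is running again.

```powershell
# Added example, not from the original thread. Audits the Windows Firewall
# service chain (mpsdrv -> BFE -> MpsSvc) for the anomalies FSS reported above
# and checks who can write the BFE key. Expected values are ASSUMED Vista SP2
# defaults. Run from an elevated PowerShell prompt.

$Expected = @{
    'mpsdrv' = @{ Start = 3; ImagePath = 'System32\drivers\mpsdrv.sys'; ServiceDll = $null }
    'BFE'    = @{ Start = 2; ImagePath = '%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork'; ServiceDll = '%SystemRoot%\System32\bfe.dll' }
    'MpsSvc' = @{ Start = 2; ImagePath = '%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork'; ServiceDll = '%SystemRoot%\System32\mpssvc.dll' }
}

function Test-FirewallServiceConfig {
    # Returns one line per deviation from $Expected; an empty result means clean.
    $findings = @()
    foreach ($name in $Expected.Keys) {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $want = $Expected[$name]
        if (-not (Test-Path $key)) { $findings += "$($name): service key is missing"; continue }

        $cfg = Get-ItemProperty -Path $key
        if ($cfg.Start -ne $want.Start) {
            $findings += "$($name): Start=$($cfg.Start), expected $($want.Start)"
        }
        if ($cfg.ImagePath -ine $want.ImagePath) {
            $findings += "$($name): ImagePath='$($cfg.ImagePath)', expected '$($want.ImagePath)'"
        }
        if ($want.ServiceDll) {
            $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
            if ($dll -ine $want.ServiceDll) {
                $findings += "$($name): ServiceDll='$dll', expected '$($want.ServiceDll)'"
            }
        }
        # The PnP instance FSS reports as LEGACY_<name>\0000 (assumed location).
        $legacy = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($name.ToUpper())\0000"
        if (-not (Test-Path $legacy)) { $findings += "$($name): $legacy is missing" }
    }
    $findings
}

function Get-BroadServiceKeyAces([string]$Service = 'BFE') {
    # Reports Allow ACEs that let broad groups write the service key.
    $acl   = Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in $acl.Access) {
        $canWrite = [int]($ace.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value -and $canWrite -ne 0) {
            "$($ace.IdentityReference) has $($ace.RegistryRights) on $Service"
        }
    }
}

function Remove-EveryoneAce([string]$Service = 'BFE') {
    # Puts the key back to least privilege by dropping every Allow ACE for
    # Everyone; SYSTEM and Administrators keep their own entries.
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        [System.Security.Principal.NTAccount]'Everyone', 'FullControl', 'Allow')
    $acl.RemoveAccessRuleAll($rule)
    Set-Acl -Path $path -AclObject $acl
}

Test-FirewallServiceConfig
Get-BroadServiceKeyAces -Service 'BFE'
# Remove-EveryoneAce -Service 'BFE'   # run only after the firewall service starts
```

Run the two audit calls before and after the .reg import and start_services.bat: the first run should reproduce the FSS findings, the second should come back empty apart from the Everyone ACE, which is the cue to call Remove-EveryoneAce.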

#7 seethis
  • Topic Starter
  • Members
  • 79 posts

Posted 25 December 2012 - 12:39 PM

Hi nasdaq,

I followed your instructions, but now when I try to turn on Windows Firewall, I get these messages:

"Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall service?"
(Yes)

"Windows cannot start the Windows Firewall service."

Also, I still can't create a System Restore Point (I have none. I remember seeing some a few months ago, but they're gone.) I get this message:

System Protection
"Could not create the scheduled task for the following reason: Cannot create a file when that file already exists. (0x800700B7)"

"There was an unexpected error in the property page:

Cannot create a file when that file already exists. (0x800700B7)

Please close the property page and try again."

I'm pretty sure that after you gave me your first piece of advice, a restore point was created for my Recovery drive, but I don't have a restore point for my Local Disk (C:) Drive. What should I do?

#8 nasdaq
  • Malware Response Team
  • 39,576 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 26 December 2012 - 11:00 AM

Please run the Farbar Service Scanner tool again and post the log for my review.

#9 seethis
  • Topic Starter
  • Members
  • 79 posts

Posted 26 December 2012 - 10:07 PM

Farbar Service Scanner Version: 23-12-2012
Ran by me (administrator) on 26-12-2012 at 19:02:39
Running from "C:\Users\me\AppData\Local\Opera\Opera\temporary_downloads"
Windows Vista ™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.
Checking LEGACY_bfe: ATTENTION!=====> Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-09-23 21:53] - [2009-04-10 23:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-02-15 08:29] - [2012-01-03 06:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-16 13:50] - [2012-03-30 04:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E

C:\Windows\System32\dnsrslvr.dll
[2011-04-14 12:31] - [2011-03-02 08:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2009-09-23 21:52] - [2009-04-10 23:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-09-23 21:54] - [2009-04-10 23:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2009-09-23 21:52] - [2009-04-10 23:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2009-09-23 21:53] - [2009-04-10 23:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2012-10-11 04:12] - [2012-06-01 16:20] - 0174592 ____A (Microsoft Corporation) CA78B312C44E4D52E842C2C8BD48E452

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-09-23 21:54] - [2009-04-10 23:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****

#10 nasdaq
  • Malware Response Team
  • 39,576 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 27 December 2012 - 11:04 AM

Right click on these 2 files that you downloaded previously.
Run As Administrator.

legacy_bfe.reg
legacy_mpssvc.reg


Then execute this again.

Click Start and in "Search Box" type in:
regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
Right click on BFE key, click "Permissions"
Click on Add button, type Everyone and click OK.
Now click once on Everyone
Below, in "Permissions" pane checkmark "Allow" in "Full control" row.
Click "Apply" then "OK".

Close regedit and go back to your Desktop, find start_services.bat, right-click on it and click "Run As Administrator" to run the fix. Agree to any alerts, then re-boot.

Post a fresh log from Farbar Service Scanner tool.

Let me know if the problem persists.

#11 seethis
  • Topic Starter
  • Members
  • 79 posts

Posted 28 December 2012 - 11:29 PM

When I right-click on legacy_bfe.reg, I don't have the "Run as Administrator" option.

#12 nasdaq
  • Malware Response Team
  • 39,576 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 29 December 2012 - 08:38 AM

Double click on the .reg file and hope it runs.

You may have to disable the UAC (User Account Control) before you run the file.
http://www.computerperformance.co.uk/vista/user_account_control.htm#How_to_Disable_User_Account_Control_%28UAC

#13 seethis
  • Topic Starter
  • Members
  • 79 posts

Posted 31 December 2012 - 09:43 PM

I followed the instructions but it seems like I don't have secpol.msc.

I'm sorry that I haven't been responding as fast as I'd like to. I've been having a lot of problems with my internet lately, specifically connecting to the Primary DNS server.

#14 nasdaq
  • Malware Response Team
  • 39,576 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 01 January 2013 - 09:54 AM

That file is not used on some Vista computers.
Somehow your User Account has been compromised.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :regfind
    EnableLUA

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===

problems with my internet lately-specifically, connecting to the Primary DNS server.



Try this.

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD (Command Prompt) on Vista/Windows 7 with elevated privileges:
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/
<<<>>>

While at it run this tool.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===
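The post above probes for EnableLUA (UAC) and suggests flushing and renewing DNS, and the earlier FSS logs already showed "DisableAntiSpyware"=1 and WinDefend set to Demand. As an added example (mine, not nasdaq's instructions or any BleepingComputer tool), the PowerShell below gathers those tampering indicators in one pass and adds a DNS check that lists the resolvers each adapter is using and tries one lookup through the system resolver. The function names are mine; the registry locations are the standard Vista ones and the expected values (EnableLUA=1, WinDefend Start=2, no EnableFirewall=0 policy) are assumed defaults. A resolver you did not configure is worth noticing on a machine with this history, but the block only reports what it finds; it does not decide why a lookup fails.

```powershell
# Added example, not part of the original thread. Collects the security-policy
# tampering indicators the FSS and SystemLook logs above surfaced, then checks
# DNS resolution. Expected values are ASSUMED Vista SP2 defaults. Run elevated.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist, instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-SecurityPolicyTampering {
    $findings = @()

    # FSS: "DisableAntiSpyware"=DWORD:1 under the Defender key tells Defender not to run.
    $das = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Defender' 'DisableAntiSpyware'
    if ($das -eq 1) { $findings += 'Windows Defender: DisableAntiSpyware=1 (policy-disabled)' }

    # FSS: WinDefend start type Demand (3); the default is Auto (2).
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' 'Start'
    if ($wd -ne 2) { $findings += "WinDefend: Start=$wd, expected 2 (Auto)" }

    # The "Firewall Disabled Policy" keys FSS checks; EnableFirewall=0 forces the firewall off.
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $ef = Get-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile" 'EnableFirewall'
        if ($ef -eq 0) { $findings += "Firewall policy: $fwProfile EnableFirewall=0" }
    }

    # SystemLook found no EnableLUA at all. A missing value means UAC cannot be
    # confirmed on; the default is 1.
    $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    if ($lua -eq $null)  { $findings += 'UAC: EnableLUA value is missing' }
    elseif ($lua -ne 1)  { $findings += "UAC: EnableLUA=$lua, expected 1" }

    $findings
}

function Test-DnsResolution([string]$HostName = 'www.google.com') {
    # Lists the DNS servers on every IP-enabled adapter, then resolves one name
    # through the system resolver (works on the PowerShell 2.0 that Vista ships).
    $result = @{ Servers = @(); Addresses = @(); Error = $null }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        if ($_.DNSServerSearchOrder) { $result.Servers += $_.DNSServerSearchOrder }
    }
    try {
        $result.Addresses = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

Test-SecurityPolicyTampering
Test-DnsResolution
```

Run Test-DnsResolution once while the connection works and again when the "Primary DNS" symptom returns; if the Servers list changes between the two runs, or contains an address that neither the router nor the ISP hands out, that is the first thing to chase before running ipconfig /flushdns.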

#15 seethis
  • Topic Starter
  • Members
  • 79 posts

Posted 01 January 2013 - 07:22 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 16:06 on 01/01/2013 by me
Administrator - Elevation successful

========== regfind ==========

Searching for " EnableLUA"
No data found.

-= EOF =-

When my internet can't connect to the Primary DNS again (which I'm pretty sure will happen again soon!), I'll post the logs. Or can I run OTL when my internet is working?