
Norton compromised, network down.


This topic is locked. 15 replies to this topic.

#1 Turn

Posted 04 February 2013 - 09:51 PM

I'm not 100% sure where the virus came from, but here's what happened before. A computer game was being played in fullscreen (Sacred Gold) and then was exited. Norton Internet Security then asked for an update out of the blue; no action should have caused it to ask, as Norton is supposed to update automatically. The update was taken, and afterwards it said some free trial of the program had been installed; we already have the full version. After the Norton update, Norton won't work anymore; it won't start. I downloaded Video DownloadHelper ( at https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/ ) and then the Internet stopped working; no programs can access the network. I tried to start Norton about 5 more times and it finally brought up an error code 8504, 104. I'm guessing the Norton thing compromised the computer and then it was helpless against a virus attached to what I downloaded.

I've posted this before, but I found I didn't have time to work on the computer and the topic was closed. I'm posting it again now that I can commit to the problem.

PS: I'm posting this from another computer, using a flash drive to run DDS and other programs you may have me run, due to the network being broken on the infected machine.

Here's the DDS log.

DDS (Ver_2012-11-20.01) - NTFS_AMD64  
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 10.9.2 
Run by Brad at 19:39:08 on 2013-02-04 
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4085.2790 [GMT -7:00] 
. 
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF} 
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} 
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202} 
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4} 
. 
============== Running Processes =============== 
. 
C:\Windows\system32\lsm.exe 
C:\Windows\system32\svchost.exe -k DcomLaunch 
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe 
C:\Windows\system32\svchost.exe -k RPCSS 
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted 
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted 
C:\Windows\system32\svchost.exe -k netsvcs 
C:\Windows\system32\svchost.exe -k LocalService 
C:\Program Files\Sandboxie\SbieSvc.exe 
C:\Windows\system32\svchost.exe -k NetworkService 
C:\Windows\System32\spoolsv.exe 
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork 
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe 
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe 
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe 
C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe 
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation 
C:\Windows\system32\svchost.exe -k imgsvc 
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted 
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe 
C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe 
C:\Windows\system32\taskhost.exe 
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe 
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted 
C:\Windows\system32\Dwm.exe 
C:\Windows\Explorer.EXE 
C:\Windows\system32\igfxsrvc.exe 
C:\Windows\System32\hkcmd.exe 
C:\Windows\System32\igfxpers.exe 
C:\Program Files\Logitech\Gaming Software\LWEMon.exe 
C:\Program Files\Sandboxie\SbieCtrl.exe 
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe 
C:\Windows\system32\taskeng.exe 
C:\Program Files (x86)\Joystick 2 Mouse 3\Joystick 2 Mouse.exe 
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 
C:\Windows\system32\SearchIndexer.exe 
C:\Program Files (x86)\Ascaron Entertainment\Sacred Underworld\Sacred.exe 
C:\Windows\SysWOW64\rundll32.exe 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe 
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe 
C:\Windows\System32\WUDFHost.exe 
C:\Windows\system32\wbem\wmiprvse.exe 
C:\Windows\System32\cscript.exe 
. 
============== Pseudo HJT Report =============== 
. 
uStart Page = hxxp://www.google.com 
dURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll 
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\coieplg.dll 
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\IPS\ipsbho.dll 
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll 
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL 
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll 
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll 
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\coieplg.dll 
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" 
uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart 
mRun: [VirtualDrive] "C:\Program Files (x86)\FarStone\VirtualDrive\VDTask.exe" /AutoRestore 
mRun: [Joystick 2 Mouse] C:\Program Files (x86)\Joystick 2 Mouse 3\Joystick 2 Mouse.exe /NoConfigure 
uPolicies-Explorer: NoDrives = dword:0 
mPolicies-Explorer: NoDrives = dword:0 
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5 
mPolicies-System: ConsentPromptBehaviorUser = dword:3 
mPolicies-System: EnableUIADesktopToggle = dword:0 
mPolicies-System: PromptOnSecureDesktop = dword:0 
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll 
. 
INFO: HKCU has more than 50 listed domains. 
If you wish to scan all of them, select the 'Force scan all domains' option. 
. 
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab 
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab 
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab 
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll 
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab 
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab 
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab 
DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB 
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab 
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab 
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/popinsaniquarium/popcaploader_v10.cab 
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab 
TCP: Interfaces\{017952C8-C92A-4A3A-8754-97EB3A4995AA} : DHCPNameServer = 192.168.1.1 
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL 
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome 
x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt 
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL 
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe 
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe 
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe 
x64-Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui 
x64-DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab 
x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab 
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL 
x64-Notify: igfxcui - igfxdev.dll 
. 
================= FIREFOX =================== 
. 
FF - ProfilePath - C:\Users\Brad\AppData\Roaming\Mozilla\Firefox\Profiles\ric7c93o.default-1348374649677\ 
FF - prefs.js: network.proxy.type - 0 
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL 
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL 
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll 
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll 
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll 
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll 
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll 
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\7\NP_wtapp.dll 
FF - plugin: C:\Users\Brad\AppData\Local\Roblox\Versions\version-3ebe0cca16b6421c\NPRobloxProxy.dll 
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll 
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll 
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll 
FF - ExtSQL: 2012-12-06 07:41; {7E7165E2-0767-448c-852F-5FA8714F2C37}; C:\Users\Brad\AppData\Roaming\Mozilla\Firefox\Profiles\ric7c93o.default-1348374649677\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37} 
. 
============= SERVICES / DRIVERS =============== 
. 
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1402000.013\SymDS64.sys [2013-1-11 493216] 
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1402000.013\SymEFA64.sys [2013-1-11 1133216] 
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20130107.001\BHDrvx64.sys [2012-11-29 1384608] 
R1 CbFs;CbFs;C:\Windows\System32\drivers\cbfs64.sys [2012-5-8 191960] 
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\drivers\NISx64\1402000.013\ccSetx64.sys [2013-1-11 168096] 
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20130111.002\IDSviA64.sys [2013-1-11 513184] 
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1402000.013\Ironx64.sys [2013-1-11 224416] 
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1402000.013\symnets.sys [2013-1-11 432800] 
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-5-29 913752] 
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-12 399432] 
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-12 676936] 
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe [2013-1-11 143928] 
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-11-21 138912] 
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-5-30 25928] 
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-12-9 239616] 
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632] 
R3 wod0205;WeOnlyDo Network Adapter 2.5;C:\Windows\System32\drivers\wod0205.sys [2011-8-11 33160] 
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] 
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] 
S3 ampa;ampa;C:\Windows\System32\ampa.sys [2012-11-3 15288] 
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072] 
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2012-9-22 31800] 
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-20 59392] 
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-6 1255736] 
. 
=============== File Associations =============== 
. 
FileExt: .inf: Applications\cmd.exe="C:\Windows\winsxs\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab\cmd.exe" "%1" [UserChoice] 
. 
=============== Created Last 30 ================ 
. 
2013-01-29 22:28:29	0	---ha-w-	C:\Users\Brad\BITC2CB.tmp 
2013-01-16 05:22:51	112640	----a-w-	C:\Windows\lsb_un20.exe 
2013-01-16 05:22:51	--------	d-----w-	C:\Program Files (x86)\Joystick 2 Mouse 3 
2013-01-15 23:47:29	--------	d-----w-	C:\Program Files (x86)\ControlMK 
2013-01-12 00:25:58	432800	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\symnets.sys 
2013-01-12 00:25:57	776864	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\srtsp64.sys 
2013-01-12 00:25:57	493216	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\SymDS64.sys 
2013-01-12 00:25:57	37496	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\srtspx64.sys 
2013-01-12 00:25:57	23448	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\SymELAM.sys 
2013-01-12 00:25:57	224416	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\Ironx64.sys 
2013-01-12 00:25:57	168096	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\ccSetx64.sys 
2013-01-12 00:25:57	1133216	----a-r-	C:\Windows\System32\drivers\NISx64\1402000.013\SymEFA64.sys 
2013-01-12 00:25:50	--------	d-----w-	C:\Windows\System32\drivers\NISx64\1402000.013 
2013-01-11 10:09:48	9125352	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A2CAC776-6B56-46D4-8A78-00A8F816CE2C}\mpengine.dll 
2013-01-09 04:31:19	750592	----a-w-	C:\Windows\System32\win32spl.dll 
2013-01-09 04:31:19	492032	----a-w-	C:\Windows\SysWow64\win32spl.dll 
2013-01-09 04:31:08	2002432	----a-w-	C:\Windows\System32\msxml6.dll 
2013-01-09 04:31:08	1882624	----a-w-	C:\Windows\System32\msxml3.dll 
2013-01-09 04:31:07	1389568	----a-w-	C:\Windows\SysWow64\msxml6.dll 
2013-01-09 04:31:07	1236992	----a-w-	C:\Windows\SysWow64\msxml3.dll 
2013-01-09 04:31:06	307200	----a-w-	C:\Windows\System32\ncrypt.dll 
2013-01-09 04:31:06	220160	----a-w-	C:\Windows\SysWow64\ncrypt.dll 
2013-01-09 04:31:05	800768	----a-w-	C:\Windows\System32\usp10.dll 
2013-01-09 04:31:05	626688	----a-w-	C:\Windows\SysWow64\usp10.dll 
2013-01-09 04:29:48	68608	----a-w-	C:\Windows\System32\taskhost.exe 
2013-01-09 04:29:47	3149824	----a-w-	C:\Windows\System32\win32k.sys 
2013-01-07 04:45:01	--------	d-----w-	C:\Program Files\BreakPoint Software 
. 
==================== Find3M  ==================== 
. 
2013-01-31 18:49:35	119296	----a-w-	C:\Windows\SysWow64\zlib.dll 
2013-01-12 00:27:16	177312	----a-w-	C:\Windows\System32\drivers\SYMEVENT64x86.SYS 
2013-01-09 01:44:52	74248	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 
2013-01-09 01:44:52	697864	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe 
2013-01-02 04:29:21	43520	----a-w-	C:\Windows\SysWow64\CmdLineExt03.dll 
2012-12-28 17:01:29	14468	----a-w-	C:\Windows\SysWow64\drivers\FIDE.SYS 
2012-12-16 17:11:22	46080	----a-w-	C:\Windows\System32\atmlib.dll 
2012-12-16 14:45:03	367616	----a-w-	C:\Windows\System32\atmfd.dll 
2012-12-16 14:13:28	295424	----a-w-	C:\Windows\SysWow64\atmfd.dll 
2012-12-16 14:13:20	34304	----a-w-	C:\Windows\SysWow64\atmlib.dll 
2012-12-07 13:20:16	441856	----a-w-	C:\Windows\System32\Wpc.dll 
2012-12-07 13:15:31	2746368	----a-w-	C:\Windows\System32\gameux.dll 
2012-12-07 12:26:17	308736	----a-w-	C:\Windows\SysWow64\Wpc.dll 
2012-12-07 12:20:43	2576384	----a-w-	C:\Windows\SysWow64\gameux.dll 
2012-12-07 11:20:04	30720	----a-w-	C:\Windows\System32\usk.rs 
2012-12-07 11:20:03	43520	----a-w-	C:\Windows\System32\csrr.rs 
2012-12-07 11:20:03	23552	----a-w-	C:\Windows\System32\oflc.rs 
2012-12-07 11:20:01	45568	----a-w-	C:\Windows\System32\oflc-nz.rs 
2012-12-07 11:20:01	44544	----a-w-	C:\Windows\System32\pegibbfc.rs 
2012-12-07 11:20:01	20480	----a-w-	C:\Windows\System32\pegi-fi.rs 
2012-12-07 11:20:00	20480	----a-w-	C:\Windows\System32\pegi-pt.rs 
2012-12-07 11:19:59	20480	----a-w-	C:\Windows\System32\pegi.rs 
2012-12-07 11:19:58	46592	----a-w-	C:\Windows\System32\fpb.rs 
2012-12-07 11:19:57	40960	----a-w-	C:\Windows\System32\cob-au.rs 
2012-12-07 11:19:57	21504	----a-w-	C:\Windows\System32\grb.rs 
2012-12-07 11:19:57	15360	----a-w-	C:\Windows\System32\djctq.rs 
2012-12-07 11:19:56	55296	----a-w-	C:\Windows\System32\cero.rs 
2012-12-07 11:19:55	51712	----a-w-	C:\Windows\System32\esrb.rs 
2012-11-30 05:45:35	362496	----a-w-	C:\Windows\System32\wow64win.dll 
2012-11-30 05:45:35	243200	----a-w-	C:\Windows\System32\wow64.dll 
2012-11-30 05:45:35	13312	----a-w-	C:\Windows\System32\wow64cpu.dll 
2012-11-30 05:45:14	215040	----a-w-	C:\Windows\System32\winsrv.dll 
2012-11-30 05:43:12	16384	----a-w-	C:\Windows\System32\ntvdm64.dll 
2012-11-30 05:41:07	424448	----a-w-	C:\Windows\System32\KernelBase.dll 
2012-11-30 04:54:00	5120	----a-w-	C:\Windows\SysWow64\wow32.dll 
2012-11-30 04:53:59	274944	----a-w-	C:\Windows\SysWow64\KernelBase.dll 
2012-11-30 03:23:48	338432	----a-w-	C:\Windows\System32\conhost.exe 
2012-11-30 02:44:06	25600	----a-w-	C:\Windows\SysWow64\setup16.exe 
2012-11-30 02:44:04	7680	----a-w-	C:\Windows\SysWow64\instnm.exe 
2012-11-30 02:44:04	14336	----a-w-	C:\Windows\SysWow64\ntvdm64.dll 
2012-11-30 02:44:03	2048	----a-w-	C:\Windows\SysWow64\user.exe 
2012-11-30 02:38:59	6144	---ha-w-	C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll 
2012-11-30 02:38:59	4608	---ha-w-	C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll 
2012-11-30 02:38:59	3584	---ha-w-	C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll 
2012-11-30 02:38:59	3072	---ha-w-	C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll 
2012-11-14 06:11:44	2312704	----a-w-	C:\Windows\System32\jscript9.dll 
2012-11-14 06:04:11	1392128	----a-w-	C:\Windows\System32\wininet.dll 
2012-11-14 06:02:49	1494528	----a-w-	C:\Windows\System32\inetcpl.cpl 
2012-11-14 05:57:46	599040	----a-w-	C:\Windows\System32\vbscript.dll 
2012-11-14 05:57:35	173056	----a-w-	C:\Windows\System32\ieUnatt.exe 
2012-11-14 05:52:40	2382848	----a-w-	C:\Windows\System32\mshtml.tlb 
2012-11-14 02:09:22	1800704	----a-w-	C:\Windows\SysWow64\jscript9.dll 
2012-11-14 01:58:15	1427968	----a-w-	C:\Windows\SysWow64\inetcpl.cpl 
2012-11-14 01:57:37	1129472	----a-w-	C:\Windows\SysWow64\wininet.dll 
2012-11-14 01:49:25	142848	----a-w-	C:\Windows\SysWow64\ieUnatt.exe 
2012-11-14 01:48:27	420864	----a-w-	C:\Windows\SysWow64\vbscript.dll 
2012-11-14 01:44:42	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb 
2012-11-10 00:27:56	95208	----a-w-	C:\Windows\SysWow64\WindowsAccessBridge-32.dll 
2012-11-10 00:27:53	821736	----a-w-	C:\Windows\SysWow64\npDeployJava1.dll 
2012-11-10 00:27:53	746984	----a-w-	C:\Windows\SysWow64\deployJava1.dll 
2012-11-09 05:45:09	2048	----a-w-	C:\Windows\System32\tzres.dll 
2012-11-09 04:42:49	2048	----a-w-	C:\Windows\SysWow64\tzres.dll 
. 
============= FINISH: 19:39:56.32 ===============

Edited by Turn, 04 February 2013 - 09:54 PM.
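A few lines in the DDS log above carry most of the signal a helper looks for first: the AV/SP/FW header lists every security product as Disabled, the Pseudo HJT Report shows PromptOnSecureDesktop = dword:0 (UAC prompts are not shown on the secure desktop; the Windows 7 default is 1), and the SERVICES / DRIVERS list contains a .sys loaded straight from System32 rather than System32\drivers. The script below is an added example, not part of the thread and not DDS's own code: it parses those three sections into structured records and prints a triage list. SAMPLE_DDS is a constructed, abridged excerpt of the posted log; the regular expressions, the UAC_DEFAULTS baseline and the driver-folder heuristic are this example's assumptions, and its output is a list of things to check, not a verdict on any file.

```python
"""Triage helper for the DDS log format posted in this thread.

Added example, not from the thread or from DDS. It parses the security-product
header, the UAC policy values and the services/drivers list, then reports
deviations from a Windows 7 baseline. SAMPLE_DDS is a constructed, abridged
excerpt of the posted log.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the posted DDS log (abridged).
SAMPLE_DDS = r"""
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Pseudo HJT Report ===============
.
uPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1402000.013\SymDS64.sys [2013-1-11 493216]
R1 CbFs;CbFs;C:\Windows\System32\drivers\cbfs64.sys [2012-5-8 191960]
R3 wod0205;WeOnlyDo Network Adapter 2.5;C:\Windows\System32\drivers\wod0205.sys [2011-8-11 33160]
S3 ampa;ampa;C:\Windows\System32\ampa.sys [2012-11-3 15288]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
.
"""


@dataclass
class Service:
    start: str    # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str
    size: int


PRODUCT_RE = re.compile(r"^(AV|SP|FW):\s+(.+?)\s+\*([^*]+)\*")
POLICY_RE = re.compile(r"^[um]Policies-System:\s+(\w+)\s+=\s+dword:(\d+)")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]\s*$")

# Windows 7 defaults for the UAC values DDS prints from
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
UAC_DEFAULTS = {
    "ConsentPromptBehaviorAdmin": 5,
    "ConsentPromptBehaviorUser": 3,
    "EnableUIADesktopToggle": 0,
    "PromptOnSecureDesktop": 1,
}


def parse_products(text):
    """(kind, name, state) for each AV:/SP:/FW: header line."""
    return [m.groups() for m in map(PRODUCT_RE.match, text.splitlines()) if m]


def parse_policies(text):
    """{value_name: int} for the *Policies-System lines. The values in this
    log are single digits, so the numeric base does not matter; decimal is
    assumed here."""
    return {m.group(1): int(m.group(2))
            for m in map(POLICY_RE.match, text.splitlines()) if m}


def parse_services(text):
    """Service records from the SERVICES / DRIVERS section."""
    out = []
    for m in map(SERVICE_RE.match, text.splitlines()):
        if m:
            start, name, display, path, _date, size = m.groups()
            out.append(Service(start, name, display, path, int(size)))
    return out


def findings(text):
    """Plain-language list of things to look at; heuristics, not verdicts."""
    notes = []
    for kind, name, state in parse_products(text):
        if state.startswith("Disabled"):
            notes.append(f"{kind} {name} is {state}")
    for key, value in parse_policies(text).items():
        default = UAC_DEFAULTS.get(key)
        if default is not None and value != default:
            notes.append(f"UAC {key}={value} (Windows 7 default {default})")
    for svc in parse_services(text):
        folder = svc.path.rpartition("\\")[0]
        # Kernel drivers normally sit under System32\drivers or a vendor tree;
        # a .sys directly in System32 deserves a hash and signature check.
        if svc.path.lower().endswith(".sys") and folder.lower() == r"c:\windows\system32":
            notes.append(f"driver outside System32\\drivers: {svc.name} -> {svc.path}")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_DDS):
        print(note)
```

Feed the full saved log to `findings()` (for example `findings(open("dds.txt").read())`) to triage the complete output rather than the excerpt.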



#2 The Dark Knight (Security Colleague)

Posted 07 February 2013 - 12:54 AM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

Please download RogueKiller (by tigzy) to the Desktop.
  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.

=====

Also, please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

=====

In your reply please provide the following contents (no need to quote them):
  • RogueKiller log.
  • AdwCleaner[R1].txt.

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#3 Turn (Topic Starter)

Posted 08 February 2013 - 06:35 PM

RogueKiller V8.5.0 _x64_ [Feb  8 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Brad [Admin rights]
Mode : Scan -- Date : 02/08/2013 16:32:39
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD5000AAKS-65V0A0 ATA Device +++++
--- User ---
[MBR] c2d71900e1a8ca165494f5ccd4645946
[BSP] 96cafa08bcb716e34e00476e2f1543a5 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 531966960 | Size: 103 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 532178640 | Size: 204813 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 951636032 | Size: 12272 Mo
3 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 2048 | Size: 153600 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] cd2024a7f3df38c5cdc656747374e6a0
[BSP] 12e7a578ac213c01ab294d58403ba9ba : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7633 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[1]_S_02082013_02d1632.txt >>
RKreport[1]_S_02082013_02d1632.txt
 
 
# AdwCleaner v2.111 - Logfile created 02/08/2013 at 16:33:29
# Updated 05/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Brad - BRAD-PC
# Boot Mode : Normal
# Running from : F:\adwcleaner.exe
# Option [Search]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Found : C:\ProgramData\GameTap Web Player
 
***** [Registry] *****
 
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_installer_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_installer_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16457
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v18.0 (en-US)
 
File : C:\Users\Brad\AppData\Roaming\Mozilla\Firefox\Profiles\ric7c93o.default-1348374649677\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v24.0.1312.52
 
File : C:\Users\Brad\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [1113 octets] - [08/02/2013 16:33:29]
AdwCleaner[S1].txt - [7216 octets] - [03/10/2012 19:35:52]
AdwCleaner[S2].txt - [4595 octets] - [07/11/2012 16:46:06]
 
########## EOF - C:\AdwCleaner[R1].txt - [1293 octets] ##########
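Two details in the RogueKiller report above are easy to misread. The number in parentheses after each registry entry is the value's data, so the DisableRegistryTools hits with (0) mean the policy value exists but is not blocking regedit (RogueKiller flags the presence of the value, and the data decides whether anything was actually locked out). The [MBR] and [BSP] lines are hashes of the drive's boot sector and of the known boot code it was matched against, which is why an unchanged [MBR] hash across runs, matched to "Windows Vista/7/8 MBR Code", is what you want to see. The script below is an added example, not part of the thread and not RogueKiller's own code: it parses the registry, HOSTS and MBR sections, separates entries that enforce a restriction from ones that merely exist, applies a hosts-file heuristic, and diffs a scan report against a removal report. SCAN_REPORT and REMOVE_REPORT are constructed, abridged excerpts of the scan report above and of the removal report posted later in this thread; the function names and heuristics are the example's own.

```python
"""Parser and scan-vs-removal diff for RogueKiller text reports.

Added example, not from the thread or from RogueKiller. SCAN_REPORT and
REMOVE_REPORT are constructed, abridged excerpts of the reports posted in this
thread; the hashes and entries are as printed there.
"""
import re

SCAN_REPORT = r"""
Mode : Scan -- Date : 02/08/2013 16:32:39

¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-65V0A0 ATA Device +++++
--- User ---
[MBR] c2d71900e1a8ca165494f5ccd4645946
[BSP] 96cafa08bcb716e34e00476e2f1543a5 : Windows Vista/7/8 MBR Code
"""

REMOVE_REPORT = r"""
Mode : Remove -- Date : 02/08/2013 18:32:56

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-65V0A0 ATA Device +++++
--- User ---
[MBR] c2d71900e1a8ca165494f5ccd4645946
[BSP] 96cafa08bcb716e34e00476e2f1543a5 : Windows Vista/7/8 MBR Code
"""

ENTRY_RE = re.compile(r"^\[([A-Z ]+)\]\s+(\S+)\s+:\s+(\S+)\s+\((.*?)\)\s+->\s+(.+?)\s*$")
DRIVE_RE = re.compile(r"^\+{5}\s+(PhysicalDrive\d+):\s+(.+?)\s+\+{5}")
MBR_RE = re.compile(r"^\[MBR\]\s+([0-9a-f]{32})")
BSP_RE = re.compile(r"^\[BSP\]\s+([0-9a-f]{32})\s+:\s+(.+?)\s*$")
SECTION_RE = re.compile(r"^¤¤¤\s+(.+?)\s*¤¤¤")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_registry(text):
    """'[category] key : name (data) -> status' lines as dicts."""
    out = []
    for m in map(ENTRY_RE.match, text.splitlines()):
        if m:
            cat, key, name, data, status = m.groups()
            out.append({"category": cat, "key": key, "name": name,
                        "data": data, "status": status})
    return out


def active_restrictions(entries):
    """HJPOL entries with non-zero data: only these enforce a policy.
    DisableRegistryTools = 0 leaves regedit usable."""
    return [e for e in entries
            if e["category"] == "HJPOL" and e["data"] not in ("", "0")]


def parse_hosts(text):
    """(ip, hostname) pairs from the HOSTS File section."""
    pairs, in_hosts = [], False
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_hosts = sec.group(1).startswith("HOSTS")
            continue
        if in_hosts and line.strip() and not line.startswith(("-->", "#")):
            fields = line.split()
            pairs.extend((fields[0], host) for host in fields[1:])
    return pairs


def suspicious_hosts(pairs):
    """Heuristic: a name sent to a non-loopback address (redirect) or a name
    other than localhost pinned to loopback (block list) is worth a look."""
    return [(ip, h) for ip, h in pairs
            if ip not in LOOPBACK or h.lower() != "localhost"]


def parse_mbr(text):
    """{drive: {model, mbr, bsp, bsp_desc}} from the MBR Check section."""
    drives, current = {}, None
    for line in text.splitlines():
        d = DRIVE_RE.match(line)
        if d:
            current = d.group(1)
            drives[current] = {"model": d.group(2)}
            continue
        if current is None:
            continue
        m = MBR_RE.match(line)
        if m:
            drives[current]["mbr"] = m.group(1)
        b = BSP_RE.match(line)
        if b:
            drives[current]["bsp"], drives[current]["bsp_desc"] = b.groups()
    return drives


def diff_reports(before, after):
    """Per-drive MBR hash comparison and per-entry status transition."""
    b_reg = {(e["key"], e["name"]): e["status"] for e in parse_registry(before)}
    a_reg = {(e["key"], e["name"]): e["status"] for e in parse_registry(after)}
    b_mbr, a_mbr = parse_mbr(before), parse_mbr(after)
    return {
        "mbr_unchanged": {d: b_mbr[d].get("mbr") == a_mbr.get(d, {}).get("mbr")
                          for d in b_mbr},
        "registry": {k: (b_reg[k], a_reg.get(k, "GONE")) for k in b_reg},
    }


if __name__ == "__main__":
    print("enforcing:", active_restrictions(parse_registry(SCAN_REPORT)))
    print("hosts:", suspicious_hosts(parse_hosts(SCAN_REPORT)))
    print(diff_reports(SCAN_REPORT, REMOVE_REPORT))
```

`diff_reports()` takes the two report texts as saved by RogueKiller (RKreport[n]_S_*.txt for a scan, RKreport[n]_D_*.txt for a delete run), so the same call works on the real files once the excerpts are swapped for `open(path).read()`.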



#4 The Dark Knight (Security Colleague)

Posted 08 February 2013 - 07:37 PM

Good morning, Turn. :)

 

  • Please re-run RogueKiller.
  • Click on the Delete button.
  • The report has been created on the Desktop. Please post it in your reply.

 

=====

 

Next, please do the following to re-run AdwCleaner:

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
    Note: If you get a message that you must reboot the computer before starting deletion, please do. At reboot, only AdwCleaner will run and you can only click on the Delete button.
    When the deletion is done, AdwCleaner will reboot the computer again and open the logfile.

 

=====

 

Finally, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

 

=====

 

I would like to see the contents of the following please:

  • RogueKiller log.

  • AdwCleaner[S1].txt.

  • ComboFix.txt.

Is the issue still present?




#5 Turn (Topic Starter)

Posted 08 February 2013 - 10:24 PM

RogueKiller V8.5.0 _x64_ [Feb  8 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Brad [Admin rights]
Mode : Remove -- Date : 02/08/2013 18:32:56
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD5000AAKS-65V0A0 ATA Device +++++
--- User ---
[MBR] c2d71900e1a8ca165494f5ccd4645946
[BSP] 96cafa08bcb716e34e00476e2f1543a5 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 531966960 | Size: 103 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 532178640 | Size: 204813 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 951636032 | Size: 12272 Mo
3 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 2048 | Size: 153600 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] cd2024a7f3df38c5cdc656747374e6a0
[BSP] 12e7a578ac213c01ab294d58403ba9ba : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7633 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[3]_D_02082013_02d1832.txt >>
RKreport[1]_S_02082013_02d1632.txt ; RKreport[2]_S_02082013_02d1832.txt ; RKreport[3]_D_02082013_02d1832.txt
 
 
# AdwCleaner v2.111 - Logfile created 02/08/2013 at 18:33:48
# Updated 05/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Brad - BRAD-PC
# Boot Mode : Normal
# Running from : F:\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\ProgramData\GameTap Web Player
 
***** [Registry] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_installer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_installer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16457
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v18.0 (en-US)
 
File : C:\Users\Brad\AppData\Roaming\Mozilla\Firefox\Profiles\ric7c93o.default-1348374649677\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v24.0.1312.52
 
File : C:\Users\Brad\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [1362 octets] - [08/02/2013 16:33:29]
AdwCleaner[S1].txt - [7216 octets] - [03/10/2012 19:35:52]
AdwCleaner[S2].txt - [4595 octets] - [07/11/2012 16:46:06]
AdwCleaner[S3].txt - [1301 octets] - [08/02/2013 18:33:48]
 
########## EOF - C:\AdwCleaner[S3].txt - [1361 octets] ##########

 

 

ComboFix 13-02-07.02 - Brad 02/08/2013  19:02:21.6.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4085.3001 [GMT -7:00]
Running from: F:\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brad\BITA9B7.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-09 to 2013-02-09  )))))))))))))))))))))))))))))))
.
.
2013-01-16 05:22 . 2013-01-16 05:22    --------    d-----w-    c:\program files (x86)\Joystick 2 Mouse 3
2013-01-16 05:22 . 2001-07-02 00:30    112640    ----a-w-    c:\windows\lsb_un20.exe
2013-01-15 23:47 . 2013-01-15 23:47    --------    d-----w-    c:\program files (x86)\ControlMK
2013-01-11 10:09 . 2012-11-08 17:24    9125352    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{A2CAC776-6B56-46D4-8A78-00A8F816CE2C}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-08 18:54 . 2012-12-25 07:15    119296    ----a-w-    c:\windows\SysWow64\zlib.dll
2013-01-09 10:07 . 2010-01-23 02:56    67599240    ----a-w-    c:\windows\system32\MRT.exe
2013-01-09 01:44 . 2012-05-12 00:46    697864    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-09 01:44 . 2011-05-18 01:05    74248    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-02 04:29 . 2013-01-01 03:05    43520    ----a-w-    c:\windows\SysWow64\CmdLineExt03.dll
2012-12-28 17:01 . 2012-12-27 21:44    14468    ----a-w-    c:\windows\SysWow64\drivers\FIDE.SYS
2012-12-16 17:11 . 2012-12-22 10:00    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-22 10:00    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-22 10:00    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-22 10:00    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-07 13:20 . 2013-01-09 04:30    441856    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 04:30    2746368    ----a-w-    c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 04:30    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 04:30    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 04:30    30720    ----a-w-    c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 04:30    43520    ----a-w-    c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 04:30    23552    ----a-w-    c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 04:30    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 04:30    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 04:30    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 04:30    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 04:30    20480    ----a-w-    c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 04:30    46592    ----a-w-    c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 04:30    40960    ----a-w-    c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 04:30    21504    ----a-w-    c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 04:30    15360    ----a-w-    c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 04:30    55296    ----a-w-    c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 04:30    51712    ----a-w-    c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 04:30    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 04:30    30720    ----a-w-    c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 04:30    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 04:30    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 04:30    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 04:30    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 04:30    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 04:30    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 04:30    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 04:30    21504    ----a-w-    c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 04:30    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 04:30    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 04:30    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
2012-12-07 10:46 . 2013-01-09 04:30    55296    ----a-w-    c:\windows\SysWow64\cero.rs
2012-11-30 05:45 . 2013-01-09 04:30    362496    ----a-w-    c:\windows\system32\wow64win.dll
2012-11-30 05:45 . 2013-01-09 04:30    243200    ----a-w-    c:\windows\system32\wow64.dll
2012-11-30 05:45 . 2013-01-09 04:30    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2012-11-30 05:45 . 2013-01-09 04:30    215040    ----a-w-    c:\windows\system32\winsrv.dll
2012-11-30 05:43 . 2013-01-09 04:30    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2012-11-30 05:41 . 2013-01-09 04:30    424448    ----a-w-    c:\windows\system32\KernelBase.dll
2012-11-30 05:41 . 2013-01-09 04:30    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    6144    ---ha-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    5120    ---ha-w-    c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 05:38 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2012-11-30 04:54 . 2013-01-09 04:30    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2012-11-30 04:53 . 2013-01-09 04:30    274944    ----a-w-    c:\windows\SysWow64\KernelBase.dll
2012-11-30 04:45 . 2013-01-09 04:30    4608    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    5120    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-11-30 04:45 . 2013-01-09 04:30    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-12-16 765200]
"Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-07 574296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VirtualDrive"="c:\program files (x86)\FarStone\VirtualDrive\VDTask.exe" [2012-11-30 677752]
"Joystick 2 Mouse"="c:\program files (x86)\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-28 176128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ampa;ampa;c:\windows\system32\ampa.sys [2011-12-26 15288]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\fide.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-06 1255736]
S1 CbFs;CbFs;c:\windows\system32\drivers\cbfs64.sys [2010-12-18 191960]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-03-14 913752]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-21 239616]
S3 wod0205;WeOnlyDo Network Adapter 2.5;c:\windows\system32\DRIVERS\wod0205.sys [2011-04-24 33160]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-12 15:38    1606760    ----a-w-    c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-23 01:44]
.
2013-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-10 23:36]
.
2013-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-10 23:36]
.
2013-02-08 c:\windows\Tasks\HPCeeScheduleForBrad.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-12-18 01:40    2210304    ----a-w-    c:\program files (x86)\Zecter\ZumoDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-12-18 01:40    2210304    ----a-w-    c:\program files (x86)\Zecter\ZumoDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-12-18 01:40    2210304    ----a-w-    c:\program files (x86)\Zecter\ZumoDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-12-18 01:40    2210304    ----a-w-    c:\program files (x86)\Zecter\ZumoDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-12-18 01:40    2210304    ----a-w-    c:\program files (x86)\Zecter\ZumoDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-11 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-11 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-11 363544]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 190536]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
FF - ProfilePath - c:\users\Brad\AppData\Roaming\Mozilla\Firefox\Profiles\ric7c93o.default-1348374649677\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,
   7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
   eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
   27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
   06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
   34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,
   64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,
   69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18
"{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}"=hex:51,66,7a,6c,4c,1d,38,12,5a,50,79,
   6b,db,36,f5,08,fe,94,c8,01,ef,d2,7d,fb
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
   ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{ABD3B5E1-B268-407B-A150-2641DAB8D898}"=hex:51,66,7a,6c,4c,1d,38,12,8f,b6,c0,
   af,5a,fc,15,05,de,46,65,01,df,e6,9c,8c
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
   b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
   f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{336D0C35-8A85-403a-B9D2-65C292C39087}"=hex:51,66,7a,6c,4c,1d,3b,1b,08,85,6e,
   1a,82,e9,65,3d,9d,e9,17,af,a2,b0,e5,ab
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:b3,d4,00,1c,2b,89,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,84,03,1f,99,9a,21,44,89,db,6c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,84,03,1f,99,9a,21,44,89,db,6c,\
.
[HKEY_USERS\S-1-5-21-2351098840-3145211657-2135698929-1000\Software\SecuROM\License information*]
"datasecu"=hex:7c,84,13,b0,bb,94,10,91,51,cc,3b,23,11,3c,ec,14,35,62,98,1e,e6,
   60,8b,36,20,43,2d,ab,49,d3,ab,27,29,2e,6b,91,62,f3,31,fa,36,98,ee,52,a0,d8,\
"rkeysecu"=hex:f1,db,6e,ef,2c,e4,5e,3b,33,51,d5,e0,67,8b,e6,b5
.
[HKEY_USERS\S-1-5-21-2351098840-3145211657-2135698929-1000_Classes\Wow6432Node\CLSID\{399c5539-8d34-4a06-a80d-2aabab2aa02d}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000a7
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,c3,4d,9e,47,61,a7,8f,c3,ae,42,c3,eb,f3,33,76,f3,89,89,89,c3,36,52,\
.
[HKEY_USERS\S-1-5-21-2351098840-3145211657-2135698929-1000_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):2a,f9,12,4a,e1,a2,0b,8c,9b,06,62,3c,32,17,22,2e,62,f3,48,26,7a,
   10,d7,e8,ba,a8,aa,77,27,68,70,56,bb,5b,73,b2,28,bd,3a,7c,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-08  19:13:00
ComboFix-quarantined-files.txt  2013-02-09 02:12
.
Pre-Run: 31,012,012,032 bytes free
Post-Run: 31,024,095,232 bytes free
.
- - End Of File - - 3F171A466C0AA55BF05205C63FCB2E68

 

The network is back up, I've uninstalled Norton. ComboFix still said the real-time scanner was on, even though I had turned off every protection I could find including the real-time scanner. The Norton product couldn't be trusted anyway, as one day a Norton "update" appeared which my dad clicked on. It claimed we had some free trial of Norton after that, even though our full version still has quite some time to expiration.

 

I'd prefer to redownload Norton after all the scans have been completed, just as a general precaution to avoid the install being infected. I shouldn't need antivirus at the moment anyway as I won't be using the internet except for this site and will unplug the ethernet cord when not in use. Though if necessary I will go through the steps to redownload it.



#6 The Dark Knight

    The Magician

  • Security Colleague
  • 661 posts
  • Gender:Male
  • Location:Krypton
  • Local time:05:28 AM

Posted 08 February 2013 - 11:22 PM

Hello Turn,

 

So do any issues remain?

 

I recommend keeping an antivirus program because even if you are not offline you could get infected via a USB, etc.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#7 Turn

  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Local time:12:28 PM

Posted 08 February 2013 - 11:45 PM

No issues remain, everything's working as far as I can see. I'll get an antivirus soon.



#8 The Dark Knight

    The Magician

  • Security Colleague
  • 661 posts
  • Gender:Male
  • Location:Krypton
  • Local time:05:28 AM

Posted 09 February 2013 - 01:20 AM

Hey Turn,

 

Please run a free online scan with the ESET Online Scanner.
Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.




#9 Turn

  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Local time:12:28 PM

Posted 09 February 2013 - 01:38 AM

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=ce2de08f08e0fb49ab2c7a5babf2794c
# engine=13109
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-02-09 06:32:26
# local_time=2013-02-08 11:32:26 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 1574558 111934996 0 0
# scanned=261162
# found=6
# cleaned=6
# scan_time=5341
sh=CA16074471717A59B89027B2BFF7AB309DA7C916 ft=1 fh=29a15d6658e7ef8c vn="a variant of Win32/HackTool.CheatEngine.AB application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\Cheat Engine 6\cheatengine-i386.exe"
sh=1E23475F101FC37965A455948DB18E823010A5B9 ft=1 fh=a8f2a133d9eaf55a vn="probably a variant of Win32/HackTool.CheatEngine.AA application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\Cheat Engine 6\dbk32.sys"
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\cbsidlm-tr1_6-Action_Script_Viewer-10065868.exe"
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\cbsidlm-tr1_6-AutoMe-10623188.exe"
sh=600A0295369F89C300038D770E5E114F2E25A3AF ft=1 fh=df0838ff15738a3a vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\cbsidlm-tr1_9-DOSonUSB-SEO2-10795476.exe"
sh=13DDFA1862B74BDBBC06FC8766B36B9B73B25760 ft=1 fh=891ef6f01345cc13 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\SetupImgBurn_2.5.7.0.exe"

 

I accidentally checked remove found threats, but I still have the scan results up and it appears I can recover the files; they were put into a quarantine. Would you like me to?
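The ESET log above is a flat key=value format: `#` header lines carry the scan settings and counts, then each detection is one line with the file's SHA-1 (`sh`), ESET's detection text (`vn`) and the path (`fn`). As an added example (not part of the post and not ESET's own tooling), here is a small Python parser that reads those lines and produces a triage summary. The sample log is copied from the post above, with its header shortened to the fields the code reads; `ft`, `fh` and `ac` are kept as opaque strings since the post does not define them.

```python
import re
from collections import Counter

# Sample input: ESET Online Scanner lines copied from the post above
# (header shortened to the fields this example reads).
ESET_LOG = r"""
# version=8
# remove_checked=true
# scanned=261162
# found=6
# cleaned=6
sh=CA16074471717A59B89027B2BFF7AB309DA7C916 ft=1 fh=29a15d6658e7ef8c vn="a variant of Win32/HackTool.CheatEngine.AB application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\Cheat Engine 6\cheatengine-i386.exe"
sh=1E23475F101FC37965A455948DB18E823010A5B9 ft=1 fh=a8f2a133d9eaf55a vn="probably a variant of Win32/HackTool.CheatEngine.AA application (cleaned by deleting - quarantined)" ac=C fn="C:\Program Files (x86)\Cheat Engine 6\dbk32.sys"
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\cbsidlm-tr1_6-Action_Script_Viewer-10065868.exe"
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\cbsidlm-tr1_6-AutoMe-10623188.exe"
sh=600A0295369F89C300038D770E5E114F2E25A3AF ft=1 fh=df0838ff15738a3a vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\cbsidlm-tr1_9-DOSonUSB-SEO2-10795476.exe"
sh=13DDFA1862B74BDBBC06FC8766B36B9B73B25760 ft=1 fh=891ef6f01345cc13 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Brad\Downloads\SetupImgBurn_2.5.7.0.exe"
"""

# One key=value field; values containing spaces are double-quoted in the log.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r"#\s*(\w+)=(.*)")
# The detection name inside the "vn" text, e.g. Win32/HackTool.CheatEngine.AB
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/[A-Za-z0-9._-]+")


def parse_eset_log(text):
    """Split an ESET Online Scanner log into its '#' header and detections."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2).strip().strip('"')
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "sh" in fields and "fn" in fields:  # a detection line
            detections.append(fields)
    return header, detections


def family(vn):
    """Reduce ESET's verbose 'vn' text to the detection name it contains."""
    m = FAMILY_RE.search(vn)
    return m.group(0) if m else vn.split(" (")[0]


def summarize(header, detections):
    """Triage summary: counts, quarantine state and files seen more than once."""
    by_hash = {}
    for d in detections:
        by_hash.setdefault(d["sh"], []).append(d["fn"])
    found = int(header.get("found", len(detections)))
    cleaned = int(header.get("cleaned", 0))
    return {
        "found": found,
        "cleaned": cleaned,
        "all_cleaned": found == cleaned,
        "remove_checked": header.get("remove_checked") == "true",
        "quarantined": sum("quarantined" in d["vn"] for d in detections),
        "unique_files": len(by_hash),
        # Same SHA-1 under different names: one download saved twice.
        "duplicates": {h: p for h, p in by_hash.items() if len(p) > 1},
        "families": Counter(family(d["vn"]) for d in detections),
    }


def triage(text):
    """Convenience wrapper: parse a log and return its summary."""
    return summarize(*parse_eset_log(text))


if __name__ == "__main__":
    for key, value in triage(ESET_LOG).items():
        print(f"{key}: {value}")
```

Two of the six lines share a SHA-1 under different file names, so the summary reports five unique files rather than six; keying on the hash is the quick way to see that a scanner's found count can overstate the number of distinct samples. The summary also records that `remove_checked` was true and that every detection text says quarantined, which is what makes the recovery the poster asks about possible.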



#10 The Dark Knight

    The Magician

  • Security Colleague
  • 661 posts
  • Gender:Male
  • Location:Krypton
  • Local time:05:28 AM

Posted 09 February 2013 - 04:22 AM

Hello Turn. :)

 

If you wish to recover the files go ahead.

 

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#11 Turn

Turn
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:28 PM

Posted 09 February 2013 - 09:53 PM

Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Immunet 3.0
Bitdefender Antivirus Free Edition
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 9
Java version out of Date!
Adobe Flash Player 11.5.502.149
Adobe Reader XI
Mozilla Firefox (18.0)
Google Chrome 24.0.1312.52
Google Chrome 24.0.1312.57
````````Process Check: objlist.exe by Laurent````````
Bitdefender Antivirus Free Edition gzserv.exe
Bitdefender Antivirus Free Edition gziface.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````


#12 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:05:28 AM

Posted 10 February 2013 - 12:12 AM

Good afternoon Turn,

 

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

  • Please go to the below link and download the latest Windows 7 version:
    http://www.java.com/en/download/manual.jsp
  • Save it to your Desktop.
  • Please go to Start>Control Panel >Programs and Features>Programs.
  • Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them:
  • Select Remove.
  • Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

 

=====

 

Please let me know how that update goes.




#13 Turn

Turn
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:28 PM

Posted 10 February 2013 - 01:03 AM

The update went fine.



#14 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:05:28 AM

Posted 10 February 2013 - 04:08 AM

Good evening Turn :).

 

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


And AdwCleaner:

  • Please double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with Yes.

 

Right-click the Recycle Bin and please select Empty Recycle Bin.


=====

 

Please consider using these ideas to help secure your computer.  While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection.  While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.


IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.


As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.


Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.  A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.  However, it is important to run only one resident program of each type since they can conflict and become less effective.  That means only one antivirus, firewall and scanning anti-spyware program at a time.  Passive protectors, like SpywareBlaster, can be run with any of them.  

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs.  If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware."  Scareware programs are active infections that will pop-up on your computer and tell you that you are infected.  If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed.  It tells you to click and install it right away.  If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further.  Keeping protection updated and running resident protection can help prevent these infections.  If it happens anyway, get offline as quickly as you can.  Pull the internet connection cable or shut down the computer if you have to.  Contact someone to help by using another computer if possible.  These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.


Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free.  If you run into more difficulty, we will certainly do what we can to help.  :)




#15 Turn

Turn
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:28 PM

Posted 10 February 2013 - 10:24 AM

Thank you for your help, the computer is back to normal.

 

I'll be doing the updating from here on so hopefully this won't happen again.





