Windows 7 SP1 Won't Install, but Everything Looks Normal


This topic is locked
41 replies to this topic

#1 chipmonger

  • Members
  • 25 posts

Posted 16 February 2013 - 11:54 AM

As the extended family's computer guy, I have a cousin's laptop that was originally having problems with shutting down. They thought it was overheating (and there's a history of this make/model doing so), but after checking it out and cleaning up some things, it seems to be running fine. I wanted to make sure it was up to date with the latest patches, but am running into problems getting SP1 installed successfully. Malwarebytes, Microsoft Security Essentials and Eset's Online Scanner all come back clean, but I still have a suspicion there's something they're missing.

I've tried the Microsoft Security Update Readiness tool, and that was fine. I've downloaded the entire SP1 installation to run locally, and that didn't work. The system keeps getting an 8024200D error and aborts the install. I've run Disk Cleanup, sfc /scannow, etc. as well.

Thanks,

Chip

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.9.2
Run by Rhea at 11:35:38 on 2013-02-16
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3836.2529 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\system32\sppsvc.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\System32\WUDFHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: <No Name>: {01425784-C92E-4F86-88A3-073D8AE08727} -
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
uRun: [DW6] "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe"
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [p9pl3574061301716317255] \\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{579CB73E-CD67-4E27-A41E-ECF54C156175} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{579CB73E-CD67-4E27-A41E-ECF54C156175}\15571676C69616279656C6C6F6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{579CB73E-CD67-4E27-A41E-ECF54C156175}\84F4D454D243539323 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{579CB73E-CD67-4E27-A41E-ECF54C156175}\84F4D454D263644383 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{579CB73E-CD67-4E27-A41E-ECF54C156175}\C696E6B6379737 : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [SmartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2010-10-11 202752]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2010-10-11 35008]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2010-10-11 325152]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2010-10-11 932384]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-10-11 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2010-10-11 232992]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-1-6 1255736]
.
=============== Created Last 30 ================
.
2013-02-16 16:14:59    --------    d-----w-    C:\windows\System32\SPReview
2013-02-16 16:08:21    --------    d-----w-    C:\windows\System32\catroot2
2013-02-16 02:52:36    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-16 02:52:36    768000    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-16 00:52:40    --------    d-----w-    C:\ProgramData\Kaspersky Lab
2013-02-16 00:24:25    9161176    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D3B66944-510A-426C-AAFC-BF3374C9C8D6}\mpengine.dll
2013-02-11 11:30:03    9161176    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-02-10 15:53:36    --------    d-----w-    C:\windows\CheckSur
2013-02-10 04:52:44    --------    d-----w-    C:\windows\en
2013-02-10 04:48:08    69464    ----a-w-    C:\windows\SysWow64\XAPOFX1_3.dll
2013-02-10 04:48:08    515416    ----a-w-    C:\windows\SysWow64\XAudio2_5.dll
2013-02-10 04:48:06    523088    ----a-w-    C:\windows\System32\d3dx10_42.dll
2013-02-10 04:48:06    453456    ----a-w-    C:\windows\SysWow64\d3dx10_42.dll
2013-02-10 04:47:36    94040    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\DSETUP.dll
2013-02-10 04:47:36    525656    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\DXSETUP.exe
2013-02-10 04:47:36    1691480    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\dsetup32.dll
2013-02-10 04:47:33    94040    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\DSETUP.dll
2013-02-10 04:47:33    525656    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\DXSETUP.exe
2013-02-10 04:47:33    1691480    ----a-w-    C:\Program Files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\dsetup32.dll
2013-02-10 04:47:16    --------    d-----w-    C:\Users\Rhea\AppData\Local\Windows Live
2013-02-10 03:54:26    --------    d-----w-    C:\windows\System32\EventProviders
2013-02-10 02:52:22    374664    ----a-w-    C:\windows\System32\drivers\netio.sys
2013-02-09 19:50:03    --------    d-----w-    C:\Users\Rhea\AppData\Roaming\Malwarebytes
2013-02-09 19:49:47    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-02-09 19:49:31    --------    d-----w-    C:\Users\Rhea\AppData\Local\Programs
2013-02-02 21:09:47    --------    d-----w-    C:\96f2dac4bd8a18cde7993842c65168
.
==================== Find3M  ====================
.
2013-02-10 05:04:30    74096    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-10 05:04:30    697712    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2013-01-17 06:28:58    273840    ------w-    C:\windows\System32\MpSigStub.exe
2013-01-09 01:19:09    2312704    ----a-w-    C:\windows\System32\jscript9.dll
2013-01-09 01:12:03    1392128    ----a-w-    C:\windows\System32\wininet.dll
2013-01-09 01:11:06    1494528    ----a-w-    C:\windows\System32\inetcpl.cpl
2013-01-09 01:07:51    173056    ----a-w-    C:\windows\System32\ieUnatt.exe
2013-01-09 01:07:47    599040    ----a-w-    C:\windows\System32\vbscript.dll
2013-01-09 01:04:42    2382848    ----a-w-    C:\windows\System32\mshtml.tlb
2013-01-08 22:11:21    1800704    ----a-w-    C:\windows\SysWow64\jscript9.dll
2013-01-08 22:03:20    1129472    ----a-w-    C:\windows\SysWow64\wininet.dll
2013-01-08 22:03:12    1427968    ----a-w-    C:\windows\SysWow64\inetcpl.cpl
2013-01-08 21:59:02    142848    ----a-w-    C:\windows\SysWow64\ieUnatt.exe
2013-01-08 21:58:29    420864    ----a-w-    C:\windows\SysWow64\vbscript.dll
2013-01-08 21:56:23    2382848    ----a-w-    C:\windows\SysWow64\mshtml.tlb
2013-01-05 05:57:43    5500776    ----a-w-    C:\windows\System32\ntoskrnl.exe
2013-01-05 05:02:17    3957608    ----a-w-    C:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:02:17    3902312    ----a-w-    C:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:41:01    1893224    ----a-w-    C:\windows\System32\drivers\tcpip.sys
2013-01-04 05:40:54    287576    ----a-w-    C:\windows\System32\drivers\FWPKCLNT.SYS
2013-01-04 05:37:01    362496    ----a-w-    C:\windows\System32\wow64win.dll
2013-01-04 05:37:00    243200    ----a-w-    C:\windows\System32\wow64.dll
2013-01-04 05:37:00    13312    ----a-w-    C:\windows\System32\wow64cpu.dll
2013-01-04 05:36:33    215040    ----a-w-    C:\windows\System32\winsrv.dll
2013-01-04 05:33:49    16384    ----a-w-    C:\windows\System32\ntvdm64.dll
2013-01-04 05:30:34    424960    ----a-w-    C:\windows\System32\KernelBase.dll
2013-01-04 05:27:03    6144    ---ha-w-    C:\windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-01-04 05:27:03    3072    ---ha-w-    C:\windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-04 05:27:03    3072    ---ha-w-    C:\windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-01-04 05:27:02    4608    ---ha-w-    C:\windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-04 05:27:02    4096    ---ha-w-    C:\windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-04 05:27:02    4096    ---ha-w-    C:\windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-01-04 05:27:01    3584    ---ha-w-    C:\windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-04 05:27:01    3072    ---ha-w-    C:\windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-01-04 05:27:00    4608    ---ha-w-    C:\windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-04 05:27:00    3584    ---ha-w-    C:\windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-04 05:27:00    3072    ---ha-w-    C:\windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-01-04 04:51:09    5120    ----a-w-    C:\windows\SysWow64\wow32.dll
2013-01-04 04:51:08    274944    ----a-w-    C:\windows\SysWow64\KernelBase.dll
2013-01-04 03:22:49    3150848    ----a-w-    C:\windows\System32\win32k.sys
2013-01-04 03:19:55    338432    ----a-w-    C:\windows\System32\conhost.exe
2013-01-04 02:48:37    25600    ----a-w-    C:\windows\SysWow64\setup16.exe
2013-01-04 02:48:34    7680    ----a-w-    C:\windows\SysWow64\instnm.exe
2013-01-04 02:48:34    14336    ----a-w-    C:\windows\SysWow64\ntvdm64.dll
2013-01-04 02:48:33    2048    ----a-w-    C:\windows\SysWow64\user.exe
2013-01-04 02:43:35    3584    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-01-04 02:43:34    6144    ---ha-w-    C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-01-04 02:43:34    4608    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-04 02:43:34    3072    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-12-16 16:52:02    46080    ----a-w-    C:\windows\System32\atmlib.dll
2012-12-16 14:40:45    367616    ----a-w-    C:\windows\System32\atmfd.dll
2012-12-16 14:25:27    295424    ----a-w-    C:\windows\SysWow64\atmfd.dll
2012-12-16 14:25:19    34304    ----a-w-    C:\windows\SysWow64\atmlib.dll
2012-12-11 21:26:53    95208    ----a-w-    C:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-11 21:26:49    821736    ----a-w-    C:\windows\SysWow64\npDeployJava1.dll
2012-12-11 21:26:49    746984    ----a-w-    C:\windows\SysWow64\deployJava1.dll
2012-12-07 05:41:16    441856    ----a-w-    C:\windows\System32\Wpc.dll
2012-12-07 05:35:34    2745856    ----a-w-    C:\windows\System32\gameux.dll
2012-12-07 05:04:20    308736    ----a-w-    C:\windows\SysWow64\Wpc.dll
2012-12-07 04:57:38    2576384    ----a-w-    C:\windows\SysWow64\gameux.dll
2012-12-07 03:21:08    45568    ----a-w-    C:\windows\SysWow64\oflc-nz.rs
2012-11-22 10:32:45    801280    ----a-w-    C:\windows\System32\usp10.dll
2012-11-22 09:33:26    627712    ----a-w-    C:\windows\SysWow64\usp10.dll
2012-11-20 05:55:59    307200    ----a-w-    C:\windows\System32\ncrypt.dll
2012-11-20 05:10:07    219136    ----a-w-    C:\windows\SysWow64\ncrypt.dll
.
============= FINISH: 11:37:38.77 ===============
 


#2 Oh My!


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 16 February 2013 - 07:36 PM

Greetings Chip and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 16 February 2013 - 08:11 PM

Hi Chip,

There is a suspicious entry in the log you posted. Let's deal with that and a couple other things before we try to address the Windows Update issue.

Please do this.

===================================================

RogueKiller by Tigzy

--------------------

  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • A report should open and a copy of the report will be placed on your desktop
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------

  • Close all open programs and internet browser
  • Double click on adwcleaner.exe
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt

===================================================

Junkware Removal Tool by thisisu

-------------------

  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply

===================================================

Farbar's Service Scanner

--------------------

  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Windows Update
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • RogueKiller log
  • AdwCleaner log
  • Junkware log
  • FSS log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
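Gary's "suspicious entry" is the uRun line in the DDS log whose target is a `.tmp` file reached through a `\\?\globalroot\Device\HarddiskVolume2\...` path into the user's Temp folder; the RogueKiller report later in the thread adds a scheduled task whose target, `C:\Users\Rhea\AppData\Local\Temp:winupd.exe`, is an NTFS alternate data stream. Those are the traits a helper would look for by eye, and they are easy to check mechanically. The Python below is an added example, not part of this thread and not code from DDS or RogueKiller: it parses autorun lines in the DDS `uRun/mRun/x64-Run` format and RogueKiller's `[TASK]` format, and lists why each target looks suspicious. The sample lines are copied from the logs posted above; the heuristics (device paths, Temp locations, a second colon marking a stream, non-program extensions) are my own assumptions about what is worth flagging, not the tools' logic.

```python
import re

# Added example (not from the thread, DDS or RogueKiller). Sample autorun lines
# copied from the DDS "Pseudo HJT Report" and RogueKiller output in this thread;
# the Program Files entries are kept so the heuristics have benign input too.
SAMPLE_LINES = [
    r'uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
    r'uRun: [p9pl3574061301716317255] \\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp',
    r'mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe',
    r'uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    r'[TASK][SUSP PATH] winupd : C:\Users\Rhea\AppData\Local\Temp:winupd.exe  [x] -> FOUND',
    r'x64-Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"',
]

# DDS autorun lines: uRun/mRun/x64-Run, entry name in brackets, then the command line.
RUN_RE = re.compile(r'^(?:x64-|[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
# RogueKiller scheduled-task lines: name, " : ", target path, then "[x] -> FOUND".
TASK_RE = re.compile(r'^\[TASK\]\[[^\]]*\]\s*(?P<name>\S+)\s*:\s*(?P<cmd>.+?)\s+\[.\]\s*->')

# Extensions one expects on a legitimate autorun target (my assumption).
EXECUTABLE_EXT = ('.exe', '.dll', '.com', '.scr', '.cmd', '.bat')


def extract_target(cmd: str) -> str:
    """Pull the program path out of a command line: a leading quoted path is
    taken verbatim; otherwise everything before the first ' /' or ' -' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.match(r'^(.*?)(?:\s+[/-]\S*)*$', cmd).group(1)


def assess(path: str) -> list:
    """Return the reasons an autorun target looks suspicious (empty if none)."""
    low = path.lower()
    reasons = []
    # A \\?\globalroot\Device\HarddiskVolumeN path names the volume by device
    # object instead of drive letter, which hides the location from casual review.
    if low.startswith('\\\\?\\globalroot') or '\\device\\harddiskvolume' in low:
        reasons.append('device/globalroot path hides the drive letter')
    if '\\appdata\\local\\temp' in low or '\\temp\\' in low or '\\temp:' in low:
        reasons.append('target lives in a Temp directory')
    # A second colon after the drive letter means the target is an NTFS
    # alternate data stream (file:stream), which a plain dir listing does not show.
    if re.search(r'^[a-z]:.*[^\\]:[^\\]+$', low):
        reasons.append('target is an NTFS alternate data stream')
    basename = low.rsplit('\\', 1)[-1]
    if not basename.endswith(EXECUTABLE_EXT):
        reasons.append('unusual extension for an autorun target: ' + basename)
    return reasons


def triage(lines) -> dict:
    """Parse DDS/RogueKiller autorun lines; return {entry name: [reasons]} for
    every entry that tripped at least one heuristic."""
    flagged = {}
    for line in lines:
        m = RUN_RE.match(line) or TASK_RE.match(line)
        if not m:
            continue
        reasons = assess(extract_target(m.group('cmd')))
        if reasons:
            flagged[m.group('name')] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LINES).items():
        print(name)
        for reason in reasons:
            print('   -', reason)
```

Run against the sample lines, only the `p9pl3574061301716317255` entry (device path, Temp, `.tmp` extension) and the `winupd` task (Temp, alternate data stream) are reported; the Google, HP, Sidebar and IntelliPoint entries pass. The heuristics are deliberately narrow so that a clean Program Files target never trips them; anything they flag still needs a human look, as Gary's follow-up steps in this thread show.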

#4 chipmonger
  • Topic Starter

  • Members
  • 25 posts

Posted 17 February 2013 - 12:02 AM

Here we go...

RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Rhea [Admin rights]
Mode : Scan -- Date : 02/16/2013 23:33:36
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : DW6 ("C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe") [x] -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : p9pl3574061301716317255 (\\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2614821735-3572002910-3720709648-1000[...]\Run : DW6 ("C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe") [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2614821735-3572002910-3720709648-1000[...]\Run : p9pl3574061301716317255 (\\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp) [x] -> FOUND
[TASK][SUSP PATH] p9pl3574061301716317255 : \\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp  [x] -> FOUND
[TASK][SUSP PATH] winupd : C:\Users\Rhea\AppData\Local\Temp:winupd.exe  [x] -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe [-] -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default User : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe [-] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK5055GSXN SATA Disk Device +++++
--- User ---
[MBR] 964ef7db021089beb1514c07b3b62af2
[BSP] e0d069291f2697f7042eb996de2503f9 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464305 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 953970688 | Size: 11134 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
--- User ---
[MBR] e5f6bb8c108499a3bd0a3eeca5e520b3
[BSP] e1d8dd7b421da488bb351340b0b91907 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 7579 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_02162013_02d2333.txt >>
RKreport[1]_S_02162013_02d2333.txt

# AdwCleaner v2.112 - Logfile created 02/16/2013 at 23:46:54
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium  (64 bits)
# User : Rhea - FIELDHOCKEY
# Boot Mode : Normal
# Running from : C:\Users\Rhea\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\ProgramData\Trymedia

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Rhea\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1577 octets] - [16/02/2013 23:46:54]

########## EOF - C:\AdwCleaner[S1].txt - [1637 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.4 (02.16.2013:1)
OS: Windows 7 Home Premium x64
Ran by Rhea on Sat 02/16/2013 at 23:50:16.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\users\default user\start menu\programs\startup\best buy pc app.lnk"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Rhea\appdata\local\best buy pc app"



~~~ Chrome

Dumping contents of C:\Users\Rhea\appdata\local\Google\Chrome\User Data\Default\Default
C:\Users\Rhea\appdata\local\Google\Chrome\User Data\Default\Default\aadjgcgfgbgcdcdigdgcgddhdedjdhgd
C:\Users\Rhea\appdata\local\Google\Chrome\User Data\Default\Default\gbgnafkbjilpkbjdlgldohkddlgakcak
C:\Users\Rhea\appdata\local\Google\Chrome\User Data\Default\Default\aadjgcgfgbgcdcdigdgcgddhdedjdhgd\manifest.json
C:\Users\Rhea\appdata\local\Google\Chrome\User Data\Default\Default\gbgnafkbjilpkbjdlgldohkddlgakcak\manifest.json

Successfully deleted: [Folder] C:\Users\Rhea\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 02/16/2013 at 23:57:21.22
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Farbar Service Scanner Version: 15-02-2013
Ran by Rhea (administrator) on 16-02-2013 at 23:59:13
Running from "C:\Users\Rhea\Desktop"
Windows 7 Home Premium  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-02-15 19:28] - [2013-01-04 00:41] - 1893224 ____A (Microsoft Corporation) 5CFB7AB8F9524D1A1E14369DE63B83CC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
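Two of the RogueKiller entries above are worth more than a glance, independent of whatever the cleanup tools end up doing with them: the p9pl3574061301716317255 Run value and scheduled task point into the user's Temp folder through a \\?\globalroot\Device\HarddiskVolume2\... object-manager path instead of a drive letter, target a .tmp file, and carry a machine-generated name; and the winupd task's target, C:\Users\Rhea\AppData\Local\Temp:winupd.exe, uses the host:stream syntax, meaning the executable lives in an NTFS alternate data stream attached to the Temp directory, where dir and Explorer do not list it. The script below is an added example, not part of this post or of RogueKiller: it parses RUN/TASK/STARTUP lines in RogueKiller's report format and tags each target with the evasion indicators present in the path itself. The sample lines are copied from the log above plus one constructed benign vendor entry for contrast; the name-randomness threshold is my own choice.

```python
"""Triage RogueKiller-style autorun findings: tag persistence targets that sit
under Temp, are addressed through the globalroot/Device object-manager path
instead of a drive letter, execute a .tmp file, carry a random-looking name,
or live in an NTFS alternate data stream (host:stream).  Added example, not
part of the forum post or of RogueKiller."""
import re
from dataclasses import dataclass

# Constructed sample: five lines copied from the RogueKiller report in the post
# plus one constructed benign vendor entry (Realtek tray app) for contrast.
SAMPLE_LOG = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : DW6 ("C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe") [x] -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : p9pl3574061301716317255 (\\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp) [x] -> FOUND
[TASK][SUSP PATH] p9pl3574061301716317255 : \\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp  [x] -> FOUND
[TASK][SUSP PATH] winupd : C:\Users\Rhea\AppData\Local\Temp:winupd.exe  [x] -> FOUND
[STARTUP][SUSP PATH] Best Buy pc app.lnk @Default : C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe [-] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : RtHDVCpl ("C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe") [x] -> FOUND
"""

# [RUN][SUSP PATH] <key> : <name> (<path>) [x] -> FOUND   (path may be quoted)
RUN_RE = re.compile(
    r"^\[(?P<kind>RUN)\]\[SUSP PATH\] (?P<key>\S+) : (?P<name>.*?) \((?P<path>.*)\) \[[x-]\] -> FOUND\s*$")
# [TASK|STARTUP][SUSP PATH] <name> : <path>  [x] -> FOUND
TASK_RE = re.compile(
    r"^\[(?P<kind>TASK|STARTUP)\]\[SUSP PATH\] (?P<name>.*?) : (?P<path>.*?)\s+\[[x-]\] -> FOUND\s*$")


@dataclass
class Finding:
    kind: str   # RUN, TASK or STARTUP
    name: str   # value name, task name or .lnk name
    path: str   # target as RogueKiller printed it, surrounding quotes removed
    tags: list  # indicator tags; empty means the path itself shows nothing evasive


def indicators(path):
    """Return the evasion indicators present in one autorun target path."""
    p = path.strip('"')
    low = p.lower()
    tags = []
    # Object-manager path: resolves to the same file but dodges tools and
    # allow-lists that only understand C:\... strings.
    if "globalroot" in low or r"\device\harddiskvolume" in low:
        tags.append("device-path")
    # Drive letter, then a second colon in the final component: NTFS ADS.
    # C:\...\Temp:winupd.exe is a stream on the Temp folder; it is not shown by
    # dir or Explorer but the task scheduler will happily run it.
    if re.search(r"^[a-z]:\\.*:[^\\/:]+$", low):
        tags.append("ads")
    if r"\appdata\local\temp" in low or "\\temp\\" in low:
        tags.append("temp-dir")
    stem = re.split(r"[\\:]", p)[-1]            # last path component, or the stream name
    base, _, ext = stem.rpartition(".")
    if ext.lower() == "tmp":
        tags.append("tmp-as-exe")                 # executable content behind a data extension
    # Assumed heuristic: a name of 12+ characters that is at least half digits.
    if len(base) >= 12 and sum(c.isdigit() for c in base) / len(base) >= 0.5:
        tags.append("random-name")
    return tags


def triage(log_text):
    """Parse every RUN/TASK/STARTUP line and attach indicator tags."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or TASK_RE.match(line)
        if m:
            path = m.group("path").strip('"')
            findings.append(Finding(m.group("kind"), m.group("name"), path, indicators(path)))
    return findings


def suspicious(log_text):
    """Only the entries carrying at least one indicator, most indicators first."""
    return sorted((f for f in triage(log_text) if f.tags), key=lambda f: -len(f.tags))


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {', '.join(f.tags)}\n    {f.path}")
```

Run against the sample, the script flags only the two p9pl3574061301716317255 entries (device-path, temp-dir, tmp-as-exe, random-name) and the winupd task (ads, temp-dir); the Weather Channel, Best Buy and Realtek entries come back with no tags, which is consistent with them being bundled or vendor software rather than something hiding. On the live machine the ADS can be confirmed with dir /r C:\Users\Rhea\AppData\Local in a command prompt, or Get-Item C:\Users\Rhea\AppData\Local\Temp -Stream * in PowerShell 3 or later; a .tmp launched from Temp through a device path is also worth hashing and submitting before it is deleted, since the scanners that came back clean clearly did not recognise it.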



#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,033 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:18 AM

Posted 17 February 2013 - 09:11 AM

Hi Chip,

Please follow up with this to remove the entries I was concerned about.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover which can be downloaded here. We will be sure to reinstall the Antivirus program once we are finished using Combofix.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running, please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

ListParts by Farbar for 64 bit Systems

--------------------
  • Please download ListParts.exe (for 64 bit systems) and save it to your desktop
  • Double click the icon to launch the program
  • Select Run
  • Select Scan
  • Select OK and wait for a Result - Notepad document to open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Combofix log
  • ListParts log

Gary

If I do not reply within 24 hours please send me a Personal Message.

#6 chipmonger

chipmonger
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:02:18 PM

Posted 17 February 2013 - 09:45 AM

Thanks again for your help.  Here is the output from the logs:

ComboFix 13-02-15.01 - Rhea 02/17/2013   9:34.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3836.2305 [GMT -5:00]
Running from: c:\users\Rhea\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-17 to 2013-02-17  )))))))))))))))))))))))))))))))
.
.
2013-02-17 14:39 . 2013-02-17 14:39    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-17 05:00 . 2013-02-17 05:00    76232    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{D3B66944-510A-426C-AAFC-BF3374C9C8D6}\offreg.dll
2013-02-17 04:50 . 2013-02-17 04:50    --------    d-----w-    c:\windows\ERUNT
2013-02-17 04:50 . 2013-02-17 04:50    --------    d-----w-    C:\JRT
2013-02-16 16:53 . 2013-02-16 16:53    --------    d-----w-    c:\windows\system32\SPReview
2013-02-16 16:08 . 2013-02-16 16:14    --------    d-----w-    c:\windows\system32\catroot2
2013-02-16 02:52 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-16 02:52 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-16 00:52 . 2013-02-16 00:52    --------    d-----w-    c:\programdata\Kaspersky Lab
2013-02-16 00:24 . 2013-01-18 17:15    9161176    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{D3B66944-510A-426C-AAFC-BF3374C9C8D6}\mpengine.dll
2013-02-10 15:53 . 2013-02-10 15:53    --------    d-----w-    c:\windows\CheckSur
2013-02-10 04:52 . 2013-02-10 04:52    --------    d-----w-    c:\windows\en
2013-02-10 04:49 . 2013-02-10 04:49    --------    d-----w-    c:\program files\Windows Live
2013-02-10 04:48 . 2009-09-04 22:44    69464    ----a-w-    c:\windows\SysWow64\XAPOFX1_3.dll
2013-02-10 04:48 . 2009-09-04 22:44    515416    ----a-w-    c:\windows\SysWow64\XAudio2_5.dll
2013-02-10 04:48 . 2009-09-04 22:29    453456    ----a-w-    c:\windows\SysWow64\d3dx10_42.dll
2013-02-10 04:48 . 2009-09-04 22:29    523088    ----a-w-    c:\windows\system32\d3dx10_42.dll
2013-02-10 04:47 . 2013-02-10 04:47    94040    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\DSETUP.dll
2013-02-10 04:47 . 2013-02-10 04:47    525656    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\DXSETUP.exe
2013-02-10 04:47 . 2013-02-10 04:47    1691480    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\dsetup32.dll
2013-02-10 04:47 . 2013-02-10 04:47    94040    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\DSETUP.dll
2013-02-10 04:47 . 2013-02-10 04:47    525656    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\DXSETUP.exe
2013-02-10 04:47 . 2013-02-10 04:47    1691480    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\dsetup32.dll
2013-02-10 04:47 . 2013-02-17 04:50    --------    d-----w-    c:\users\Rhea\AppData\Local\Windows Live
2013-02-10 03:54 . 2013-02-10 03:54    --------    d-----w-    c:\windows\system32\EventProviders
2013-02-10 02:52 . 2010-04-09 11:06    374664    ----a-w-    c:\windows\system32\drivers\netio.sys
2013-02-09 19:50 . 2013-02-09 19:50    --------    d-----w-    c:\users\Rhea\AppData\Roaming\Malwarebytes
2013-02-09 19:49 . 2013-02-09 19:49    --------    d-----w-    c:\programdata\Malwarebytes
2013-02-09 19:49 . 2013-02-09 19:49    --------    d-----w-    c:\users\Rhea\AppData\Local\Programs
2013-02-02 21:09 . 2013-02-02 21:09    --------    d-----w-    C:\96f2dac4bd8a18cde7993842c65168
2013-02-02 18:59 . 2013-02-02 18:59    --------    d-----w-    c:\users\Default\AppData\Local\Microsoft Help
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-16 02:56 . 2011-02-03 00:56    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-02-10 05:04 . 2012-07-11 14:41    697712    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-10 05:04 . 2011-06-16 18:36    74096    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-10 04:49 . 2010-06-24 16:33    19696    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-01-17 06:28 . 2011-01-04 23:34    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-16 00:28    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2012-12-16 16:52 . 2012-12-23 20:17    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:40 . 2012-12-23 20:17    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:25 . 2012-12-23 20:17    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:25 . 2012-12-23 20:17    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-11 21:26 . 2012-12-11 21:27    95208    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-11 21:26 . 2012-12-11 21:27    821736    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2012-12-11 21:26 . 2011-01-05 19:52    746984    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2012-12-07 05:41 . 2013-01-09 22:49    441856    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 05:35 . 2013-01-09 22:49    2745856    ----a-w-    c:\windows\system32\gameux.dll
2012-12-07 05:04 . 2013-01-09 22:49    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
2012-12-07 04:57 . 2013-01-09 22:49    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
2012-12-07 03:45 . 2013-01-09 22:49    43520    ----a-w-    c:\windows\system32\csrr.rs
2012-12-07 03:45 . 2013-01-09 22:49    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
2012-12-07 03:45 . 2013-01-09 22:49    30720    ----a-w-    c:\windows\system32\usk.rs
2012-12-07 03:45 . 2013-01-09 22:49    23552    ----a-w-    c:\windows\system32\oflc.rs
2012-12-07 03:45 . 2013-01-09 22:49    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
2012-12-07 03:45 . 2013-01-09 22:49    40960    ----a-w-    c:\windows\system32\cob-au.rs
2012-12-07 03:45 . 2013-01-09 22:49    21504    ----a-w-    c:\windows\system32\grb.rs
2012-12-07 03:45 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
2012-12-07 03:45 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
2012-12-07 03:45 . 2013-01-09 22:49    46592    ----a-w-    c:\windows\system32\fpb.rs
2012-12-07 03:45 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\system32\pegi.rs
2012-12-07 03:45 . 2013-01-09 22:49    15360    ----a-w-    c:\windows\system32\djctq.rs
2012-12-07 03:45 . 2013-01-09 22:49    51712    ----a-w-    c:\windows\system32\esrb.rs
2012-12-07 03:45 . 2013-01-09 22:49    55296    ----a-w-    c:\windows\system32\cero.rs
2012-12-07 03:21 . 2013-01-09 22:49    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
2012-12-07 03:21 . 2013-01-09 22:49    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
2012-12-07 03:21 . 2013-01-09 22:49    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
2012-12-07 03:21 . 2013-01-09 22:49    30720    ----a-w-    c:\windows\SysWow64\usk.rs
2012-12-07 03:21 . 2013-01-09 22:49    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
2012-12-07 03:21 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
2012-12-07 03:21 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
2012-12-07 03:21 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
2012-12-07 03:21 . 2013-01-09 22:49    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
2012-12-07 03:21 . 2013-01-09 22:49    21504    ----a-w-    c:\windows\SysWow64\grb.rs
2012-12-07 03:21 . 2013-01-09 22:49    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
2012-12-07 03:21 . 2013-01-09 22:49    55296    ----a-w-    c:\windows\SysWow64\cero.rs
2012-12-07 03:21 . 2013-01-09 22:49    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
2012-12-07 03:21 . 2013-01-09 22:49    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
2012-11-22 10:32 . 2013-01-09 22:51    801280    ----a-w-    c:\windows\system32\usp10.dll
2012-11-22 09:33 . 2013-01-09 22:51    627712    ----a-w-    c:\windows\SysWow64\usp10.dll
2012-11-20 05:55 . 2013-01-09 22:50    307200    ----a-w-    c:\windows\system32\ncrypt.dll
2012-11-20 05:10 . 2013-01-09 22:50    219136    ----a-w-    c:\windows\SysWow64\ncrypt.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"p9pl3574061301716317255"="\\?\globalroot\Device\HarddiskVolume2\Users\Rhea\AppData\Local\Temp\p9pl3574061301716317255.tmp" [?]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-23 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 51600]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-07 232992]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-06 1255736]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-15 202752]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-01-12 325152]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-04-28 932384]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-10 03:40    1607120    ----a-w-    c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 05:04]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 00:58]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 00:58]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-22 10134560]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-22 896032]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://yahoo.com/
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{01425784-C92E-4F86-88A3-073D8AE08727} - c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-032.dll
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
Wow6432Node-HKCU-Run-DW6 - c:\program files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bc,08,50,82,72,ca,05,4f,ab,ee,1f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bc,08,50,82,72,ca,05,4f,ab,ee,1f,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.URL"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-17  09:41:06
ComboFix-quarantined-files.txt  2013-02-17 14:41
.
Pre-Run: 392,844,480,512 bytes free
Post-Run: 392,957,952,000 bytes free
.
- - End Of File - - 2E8331FFE2617B8140741FE793783685

ListParts by Farbar Version: 16-01-2013
Ran by Rhea (administrator) on 17-02-2013 at 09:42:55
Windows 7 (X64)
Running From: C:\Users\Rhea\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 40%
Total physical RAM: 3835.68 MB
Available physical RAM: 2280.36 MB
Total Pagefile: 7669.5 MB
Available Pagefile: 6158.06 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (TI105955W0C) (Fixed) (Total:453.42 GB) (Free:366.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (Sims3EP08) (CDROM) (Total:3.9 GB) (Free:0 GB) UDF

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         

Partitions of Disk 0:
===============

Disk ID: FF592F49

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            453 GB  1501 MB
  Partition 3    Primary             10 GB   454 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2         System       NTFS   Partition   1500 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   TI105955W0C  NTFS   Partition    453 GB  Healthy    Boot    

======================================================================================================

Disk: 0
Partition 3
Type  : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******



#7 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 17 February 2013 - 03:15 PM

Hi Chip,

Please run this for me.

===================================================

Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text below into the Notepad document
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"p9pl3574061301716317255"=-
DirLook::
C:\4192
  • Save this on your desktop as CFScript.txt

[image: CFScriptB-4.gif]

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

===================================================

Running a ListParts Fix

--------------

  • Download ListParts (32 bit) or Listparts64 (64 bit) and save it to your USB device
  • Insert the USB device into the infected computer
  • Press the Windows key + R on your keyboard at the same time
  • Type Notepad and press Enter
  • Copy and paste the contents of the code box below into Notepad.
Disk=0 Partition=3 type=07
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fix.txt to the flash drive where ListParts is located.
  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

[image: W7InstallDisk2.png]

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Type e:/listparts.exe or e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run.
  • Press the Fix button.
  • ListParts will process the script in Fix.txt
  • When finished please press the Scan button.
  • A log Result.txt will be saved to the flash drive.
  • Boot back into normal mode and post me the Result.txt log please.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix log
  • Listparts log
  • How is your computer running?

Edited by Oh My, 17 February 2013 - 03:15 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
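For readers who want to see what the ListParts fix above actually touches, here is an added example (not part of the thread and not ListParts' own code). It parses the 64-byte partition table of a constructed MBR laid out to resemble the disk in the log (a recovery partition of type 27, the NTFS system partition of type 07, and a hidden NTFS partition of type 17), flags type 17 the way ListParts reports "Suspicious Type", and applies the equivalent of the `Disk=0 Partition=3 type=07` line by rewriting only the type byte of the third entry. The sample MBR, its sector offsets and sizes, and all helper names are my assumptions; the real disk was never imaged.

```python
"""Inspect an MBR partition table and clear a 'hidden' partition type.

Added example, not code from the thread or from ListParts.  The MBR below is
constructed to resemble the disk in the ListParts log; a real 512-byte sector
read from a disk image is parsed by the same functions.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

# Bit 0x10 in the type byte is the long-standing "hidden" convention for
# DOS/Windows data partitions: 0x07 (NTFS) -> 0x17, 0x0B/0x0C (FAT32) -> 0x1B/0x1C.
HIDDEN_BIT = 0x10
HIDEABLE_BASE_TYPES = {0x07, 0x0B, 0x0C, 0x0E}
WINRE_RECOVERY = 0x27       # Microsoft's hidden NTFS type for Windows RE partitions


def pack_entry(active, ptype, start_lba, sectors):
    """Build one 16-byte table entry (CHS fields set to the LBA-only marker)."""
    chs = b"\xfe\xff\xff"
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, chs, ptype, chs,
                       start_lba, sectors)


def build_sample_mbr():
    """Constructed MBR: 1500 MB recovery (0x27), 453 GB NTFS (0x07), 10 GB hidden NTFS (0x17)."""
    mib = 1024 * 1024 // SECTOR                     # sectors per MiB
    p1_start, p1_len = 2048, 1500 * mib
    p2_start, p2_len = p1_start + p1_len, 453 * 1024 * mib
    p3_start, p3_len = p2_start + p2_len, 10 * 1024 * mib
    table = (pack_entry(True, WINRE_RECOVERY, p1_start, p1_len)
             + pack_entry(False, 0x07, p2_start, p2_len)
             + pack_entry(False, 0x17, p3_start, p3_len)
             + bytes(ENTRY_SIZE))                   # fourth slot unused
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


def is_hidden(ptype):
    """True for hidden variants of data partitions and for the Win RE recovery type."""
    return (ptype == WINRE_RECOVERY
            or (ptype & HIDDEN_BIT and (ptype & ~HIDDEN_BIT) in HIDEABLE_BASE_TYPES))


def is_suspicious(ptype):
    """Hidden data partition that is not the recognised recovery type."""
    return is_hidden(ptype) and ptype != WINRE_RECOVERY


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts, in table order."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue
        parts.append({
            "index": slot + 1,
            "active": status == 0x80,
            "type": ptype,
            "hidden": bool(is_hidden(ptype)),
            "suspicious": bool(is_suspicious(ptype)),
            "start_lba": start,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def set_partition_type(mbr, index, new_type):
    """Copy of the MBR with only the type byte of entry `index` (1-based) changed.
    This is all a fix line such as 'Disk=0 Partition=3 type=07' amounts to."""
    if not 1 <= index <= 4:
        raise ValueError("partition index must be 1..4")
    buf = bytearray(mbr)
    buf[TABLE_OFFSET + (index - 1) * ENTRY_SIZE + 4] = new_type
    return bytes(buf)


def report(parts):
    """Render ListParts-style summary lines for each parsed entry."""
    lines = []
    for p in parts:
        note = " (Suspicious Type)" if p["suspicious"] else ""
        lines.append("Partition %d  Type: %02X%s  Hidden: %s  Active: %s  Size: %d MB"
                     % (p["index"], p["type"], note,
                        "Yes" if p["hidden"] else "No",
                        "Yes" if p["active"] else "No", p["size_mb"]))
    return lines


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("\n".join(report(parse_mbr(mbr))))
    fixed = set_partition_type(mbr, 3, 0x07)        # equivalent of the Fix.txt line
    print("--- after type=07 ---")
    print("\n".join(report(parse_mbr(fixed))))
```

The point of `set_partition_type` is that the fix changes one byte of sector 0 and nothing inside the partition: if the hidden volume turns out to hold the vendor's recovery image, unhiding it is harmless, and if it holds something unexpected, making it visible is what lets you inspect it. A defender reviewing a disk image would run `parse_mbr` on the first 512 bytes and treat any entry where `suspicious` is true as worth a closer look before deciding whether to change its type.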

#8 chipmonger

  • Topic Starter
  • Members
  • 25 posts

Posted 17 February 2013 - 04:49 PM

Here are the results:

ComboFix 13-02-15.01 - Rhea 02/17/2013  16:12:14.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3836.2000 [GMT -5:00]
Running from: c:\users\Rhea\Desktop\ComboFix.exe
Command switches used :: c:\users\Rhea\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-17 to 2013-02-17  )))))))))))))))))))))))))))))))
.
.
2013-02-17 21:41 . 2013-02-17 21:41    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-17 21:41 . 2013-02-17 21:41    --------    d-----w-    c:\users\Administrator\AppData\Local\temp
2013-02-17 14:53 . 2013-02-17 14:53    --------    d-----w-    c:\windows\system32\SPReview
2013-02-17 04:50 . 2013-02-17 04:50    --------    d-----w-    c:\windows\ERUNT
2013-02-17 04:50 . 2013-02-17 04:50    --------    d-----w-    C:\JRT
2013-02-16 16:08 . 2013-02-16 16:14    --------    d-----w-    c:\windows\system32\catroot2
2013-02-16 02:52 . 2013-01-09 01:10    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-16 02:52 . 2013-01-08 22:01    768000    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-16 00:52 . 2013-02-16 00:52    --------    d-----w-    c:\programdata\Kaspersky Lab
2013-02-16 00:24 . 2013-01-18 17:15    9161176    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{D3B66944-510A-426C-AAFC-BF3374C9C8D6}\mpengine.dll
2013-02-10 15:53 . 2013-02-10 15:53    --------    d-----w-    c:\windows\CheckSur
2013-02-10 04:52 . 2013-02-10 04:52    --------    d-----w-    c:\windows\en
2013-02-10 04:49 . 2013-02-10 04:49    --------    d-----w-    c:\program files\Windows Live
2013-02-10 04:48 . 2009-09-04 22:44    69464    ----a-w-    c:\windows\SysWow64\XAPOFX1_3.dll
2013-02-10 04:48 . 2009-09-04 22:44    515416    ----a-w-    c:\windows\SysWow64\XAudio2_5.dll
2013-02-10 04:48 . 2009-09-04 22:29    453456    ----a-w-    c:\windows\SysWow64\d3dx10_42.dll
2013-02-10 04:48 . 2009-09-04 22:29    523088    ----a-w-    c:\windows\system32\d3dx10_42.dll
2013-02-10 04:47 . 2013-02-10 04:47    94040    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\DSETUP.dll
2013-02-10 04:47 . 2013-02-10 04:47    525656    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\DXSETUP.exe
2013-02-10 04:47 . 2013-02-10 04:47    1691480    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\be8bf8d71ce074905\dsetup32.dll
2013-02-10 04:47 . 2013-02-10 04:47    94040    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\DSETUP.dll
2013-02-10 04:47 . 2013-02-10 04:47    525656    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\DXSETUP.exe
2013-02-10 04:47 . 2013-02-10 04:47    1691480    ----a-w-    c:\program files (x86)\Common Files\Windows Live\.cache\bc8e925c1ce074904\dsetup32.dll
2013-02-10 04:47 . 2013-02-17 04:50    --------    d-----w-    c:\users\Rhea\AppData\Local\Windows Live
2013-02-10 03:54 . 2013-02-10 03:54    --------    d-----w-    c:\windows\system32\EventProviders
2013-02-10 02:52 . 2010-04-09 11:06    374664    ----a-w-    c:\windows\system32\drivers\netio.sys
2013-02-09 19:50 . 2013-02-09 19:50    --------    d-----w-    c:\users\Rhea\AppData\Roaming\Malwarebytes
2013-02-09 19:49 . 2013-02-09 19:49    --------    d-----w-    c:\programdata\Malwarebytes
2013-02-09 19:49 . 2013-02-09 19:49    --------    d-----w-    c:\users\Rhea\AppData\Local\Programs
2013-02-02 21:09 . 2013-02-02 21:09    --------    d-----w-    C:\96f2dac4bd8a18cde7993842c65168
2013-02-02 18:59 . 2013-02-02 18:59    --------    d-----w-    c:\users\Default\AppData\Local\Microsoft Help
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-16 02:56 . 2011-02-03 00:56    70004024    ----a-w-    c:\windows\system32\MRT.exe
2013-02-10 05:04 . 2012-07-11 14:41    697712    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-10 05:04 . 2011-06-16 18:36    74096    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-10 04:49 . 2010-06-24 16:33    19696    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-01-17 06:28 . 2011-01-04 23:34    273840    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-04 04:43 . 2013-02-16 00:28    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2012-12-16 16:52 . 2012-12-23 20:17    46080    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 14:40 . 2012-12-23 20:17    367616    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:25 . 2012-12-23 20:17    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-16 14:25 . 2012-12-23 20:17    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2012-12-11 21:26 . 2012-12-11 21:27    95208    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-11 21:26 . 2012-12-11 21:27    821736    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2012-12-11 21:26 . 2011-01-05 19:52    746984    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2012-12-07 05:41 . 2013-01-09 22:49    441856    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 05:35 . 2013-01-09 22:49    2745856    ----a-w-    c:\windows\system32\gameux.dll
2012-12-07 05:04 . 2013-01-09 22:49    308736    ----a-w-    c:\windows\SysWow64\Wpc.dll
2012-12-07 04:57 . 2013-01-09 22:49    2576384    ----a-w-    c:\windows\SysWow64\gameux.dll
2012-12-07 03:45 . 2013-01-09 22:49    43520    ----a-w-    c:\windows\system32\csrr.rs
2012-12-07 03:45 . 2013-01-09 22:49    45568    ----a-w-    c:\windows\system32\oflc-nz.rs
2012-12-07 03:45 . 2013-01-09 22:49    30720    ----a-w-    c:\windows\system32\usk.rs
2012-12-07 03:45 . 2013-01-09 22:49    23552    ----a-w-    c:\windows\system32\oflc.rs
2012-12-07 03:45 . 2013-01-09 22:49    44544    ----a-w-    c:\windows\system32\pegibbfc.rs
2012-12-07 03:45 . 2013-01-09 22:49    40960    ----a-w-    c:\windows\system32\cob-au.rs
2012-12-07 03:45 . 2013-01-09 22:49    21504    ----a-w-    c:\windows\system32\grb.rs
2012-12-07 03:45 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\system32\pegi-pt.rs
2012-12-07 03:45 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\system32\pegi-fi.rs
2012-12-07 03:45 . 2013-01-09 22:49    46592    ----a-w-    c:\windows\system32\fpb.rs
2012-12-07 03:45 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\system32\pegi.rs
2012-12-07 03:45 . 2013-01-09 22:49    15360    ----a-w-    c:\windows\system32\djctq.rs
2012-12-07 03:45 . 2013-01-09 22:49    51712    ----a-w-    c:\windows\system32\esrb.rs
2012-12-07 03:45 . 2013-01-09 22:49    55296    ----a-w-    c:\windows\system32\cero.rs
2012-12-07 03:21 . 2013-01-09 22:49    45568    ----a-w-    c:\windows\SysWow64\oflc-nz.rs
2012-12-07 03:21 . 2013-01-09 22:49    44544    ----a-w-    c:\windows\SysWow64\pegibbfc.rs
2012-12-07 03:21 . 2013-01-09 22:49    43520    ----a-w-    c:\windows\SysWow64\csrr.rs
2012-12-07 03:21 . 2013-01-09 22:49    30720    ----a-w-    c:\windows\SysWow64\usk.rs
2012-12-07 03:21 . 2013-01-09 22:49    23552    ----a-w-    c:\windows\SysWow64\oflc.rs
2012-12-07 03:21 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\SysWow64\pegi-pt.rs
2012-12-07 03:21 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\SysWow64\pegi.rs
2012-12-07 03:21 . 2013-01-09 22:49    20480    ----a-w-    c:\windows\SysWow64\pegi-fi.rs
2012-12-07 03:21 . 2013-01-09 22:49    46592    ----a-w-    c:\windows\SysWow64\fpb.rs
2012-12-07 03:21 . 2013-01-09 22:49    21504    ----a-w-    c:\windows\SysWow64\grb.rs
2012-12-07 03:21 . 2013-01-09 22:49    51712    ----a-w-    c:\windows\SysWow64\esrb.rs
2012-12-07 03:21 . 2013-01-09 22:49    55296    ----a-w-    c:\windows\SysWow64\cero.rs
2012-12-07 03:21 . 2013-01-09 22:49    40960    ----a-w-    c:\windows\SysWow64\cob-au.rs
2012-12-07 03:21 . 2013-01-09 22:49    15360    ----a-w-    c:\windows\SysWow64\djctq.rs
2012-11-22 10:32 . 2013-01-09 22:51    801280    ----a-w-    c:\windows\system32\usp10.dll
2012-11-22 09:33 . 2013-01-09 22:51    627712    ----a-w-    c:\windows\SysWow64\usp10.dll
2012-11-20 05:55 . 2013-01-09 22:50    307200    ----a-w-    c:\windows\system32\ncrypt.dll
2012-11-20 05:10 . 2013-01-09 22:50    219136    ----a-w-    c:\windows\SysWow64\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\4192 ----
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{01425784-C92E-4F86-88A3-073D8AE08727}]
c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-032.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-23 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-02-23 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-12-25 34160]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 51600]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-07 232992]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-06 1255736]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-15 202752]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-04-06 258928]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-01-12 325152]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-04-28 932384]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-10 03:40    1607120    ----a-w-    c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 05:04]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 00:58]
.
2013-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-23 00:58]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-22 10134560]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-22 896032]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://yahoo.com/
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bc,08,50,82,72,ca,05,4f,ab,ee,1f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bc,08,50,82,72,ca,05,4f,ab,ee,1f,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.URL"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-17  16:42:42
ComboFix-quarantined-files.txt  2013-02-17 21:42
ComboFix2.txt  2013-02-17 14:41
.
Pre-Run: 397,819,150,336 bytes free
Post-Run: 397,752,487,936 bytes free
.
- - End Of File - - F75E6F9272B7FC7F1014C5D238DF75BC

ListParts by Farbar Version: 16-01-2013
Ran by SYSTEM (administrator) on 17-02-2013 at 16:47:16
Windows 7 (X64)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 3835.68 MB
Available physical RAM: 3390.65 MB
Total Pagefile: 3833.83 MB
Available Pagefile: 3365.54 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (TI105955W0C) (Fixed) (Total:453.42 GB) (Free:370.54 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Sims3EP08) (CDROM) (Total:3.9 GB) (Free:0 GB) UDF
4 Drive f: (8GB) (Removable) (Total:7.39 GB) (Free:7.38 GB) FAT32
5 Drive g: (HDDRECOVERY) (Fixed) (Total:10.87 GB) (Free:0.59 GB) NTFS ==>[System with boot components (obtained from reading drive)]
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B         
  Disk 1    Online         7580 MB      0 B         

Partitions of Disk 0:
===============

Disk ID: FF592F49

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            453 GB  1501 MB
  Partition 3    Primary             10 GB   454 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   System       NTFS   Partition   1500 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   TI105955W0C  NTFS   Partition    453 GB  Healthy            

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     G   HDDRECOVERY  NTFS   Partition     10 GB  Healthy            

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 00A1789B

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7579 MB    31 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   8GB          FAT32  Removable   7579 MB  Healthy            

======================================================================================================

****** End Of Log ******



#9 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 17 February 2013 - 06:05 PM

Hi Chip,

We are going to take another look into one folder.

I would like you to try Windows Update and if it is not successful then please follow the instructions to obtain the Windows Update log.

Please do this.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:dir
C:\96f2dac4bd8a18cde7993842c65168 /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================

Obtaining Windows Update Log

--------------------
  • Please browse to the following location, zip the file and attach it to your reply

C:\Windows\WindowsUpdate.log

  • Please zip the file and attach it to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • SystemLook log
  • Windows Update zipped log

Edited by Oh My, 17 February 2013 - 06:58 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
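The post above asks for the whole WindowsUpdate.log as an attachment. On Windows 7 that file is large and mostly noise; the useful part is the handful of lines around the failing install. The script below is an added example, not something from this thread or from any of the tools mentioned in it. It assumes the Windows 7 log layout (date, time, PID, TID, component, message, separated by whitespace) and the error code reported in the thread, 8024200D, which Windows Update defines as WU_E_UH_NEEDANOTHERDOWNLOAD: the update handler refused to install because the downloaded payload has to be fetched again. That is why the context lines matter: the Agent and Handler entries just before the error identify which update and which payload were involved.

```powershell
# Added example (not from the thread): pull the failure context out of
# C:\Windows\WindowsUpdate.log instead of attaching the whole file.
# Assumptions: the Windows 7 log layout (date, time, PID, TID, component,
# message separated by whitespace) and the error code being searched for.
param(
    [string]$LogPath  = 'C:\Windows\WindowsUpdate.log',
    [string]$ErrorHex = '8024200D',
    [int]$Context     = 5
)

# One regex for the Windows 7 line layout. Lines that do not match
# (continuation lines, banners) are printed raw so nothing is hidden.
$linePattern = '^(?<date>\d{4}-\d\d-\d\d)\s+(?<time>[\d:]+)\s+(?<pid>\S+)\s+(?<tid>\S+)\s+(?<comp>\S+)\s+(?<msg>.*)$'

# @() keeps .Count working on PowerShell 2.0 even for a one-line file.
$lines = @(Get-Content -Path $LogPath)

# Collect the index of every line that mentions the error code or a FATAL entry.
# -match is case-insensitive, so the log's "0x8024200d" is found as well.
$hits = @()
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match $ErrorHex -or $lines[$i] -match 'FATAL:') {
        $hits += $i
    }
}
if ($hits.Count -eq 0) {
    Write-Output "No line in $LogPath mentions $ErrorHex or FATAL."
    return
}

# Print each hit with the preceding lines: the Agent and Handler entries just
# before the error say which update and which payload were being processed.
foreach ($idx in $hits) {
    $start = [Math]::Max(0, $idx - $Context)
    Write-Output ('---- lines {0}-{1} ----' -f ($start + 1), ($idx + 1))
    for ($j = $start; $j -le $idx; $j++) {
        if ($lines[$j] -match $linePattern) {
            Write-Output ('{0} {1} [{2}] {3}' -f $Matches['time'], $Matches['comp'], $Matches['tid'], $Matches['msg'])
        } else {
            Write-Output $lines[$j]
        }
    }
}
```

Run it from an elevated PowerShell prompt on the affected machine and paste the printed blocks instead of the zipped log. Because 8024200D means the payload must be re-downloaded, a log that shows the same update failing this way on every attempt points at the download cache (C:\Windows\SoftwareDistribution) rather than at the installer, which is what a Windows Update component reset clears.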

#10 chipmonger

chipmonger
  • Topic Starter

  • Members
  • 25 posts

Posted 17 February 2013 - 07:29 PM

Still get a 8024200D error when attempting to update.

SystemLook 30.07.11 by jpshortstuff
Log created at 19:26 on 17/02/2013 by Rhea
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

C:\96f2dac4bd8a18cde7993842c65168 - Parameters: "/s"

---Files---
$shtdwn$.req    --ah--- 788 bytes    [21:09 02/02/2013]    [21:09 02/02/2013]
eula.1028.txt    --a---- 3872 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.1031.txt    --a---- 15460 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.1033.txt    --a---- 10042 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.1036.txt    --a---- 12278 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.1040.txt    --a---- 13944 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.1041.txt    --a---- 5786 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.1042.txt    --a---- 5990 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.1049.txt    --a---- 13992 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.2052.txt    --a---- 3872 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
eula.3082.txt    --a---- 12968 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
globdata.ini    --a---- 1110 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
install.exe    --a---- 854352 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.ini    --a---- 841 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
install.res.1028.dll    --a---- 72032 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.1031.dll    --a---- 92000 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.1033.dll    --a---- 86880 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.1036.dll    --a---- 93024 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.1040.dll    --a---- 90976 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.1041.dll    --a---- 77152 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.1042.dll    --a---- 75616 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.1049.dll    --a---- 88928 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.2052.dll    --a---- 71520 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
install.res.3082.dll    --a---- 92000 bytes    [09:09 19/04/2011]    [09:09 19/04/2011]
vcredist.bmp    --a---- 5686 bytes    [09:03 19/04/2011]    [09:03 19/04/2011]
vc_red.cab    --a---- 4516273 bytes    [09:16 19/04/2011]    [09:16 19/04/2011]
vc_red.msi    --a---- 235520 bytes    [09:21 19/04/2011]    [09:21 19/04/2011]

No folders found.

-= EOF =-



#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 17 February 2013 - 10:53 PM

Hi Chip,

Thank you for checking and posting the information.

I would like you to Download MicrosoftFixit50831.msi and save it to your desktop. Double click the icon and follow the prompts. Reboot your computer and attempt to download the Service Pack again.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 chipmonger

chipmonger
  • Topic Starter

  • Members
  • 25 posts

Posted 17 February 2013 - 11:07 PM

I ran the Fix It, and received a dialog box stating "This Microsoft Fix It does not apply to your operating system or application version."  The laptop is running Windows 7 Home Premium x64.



#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 17 February 2013 - 11:44 PM

Hi Chip,

OK, let's see if we can try to do it manually. Please do these things for me.


I will check your reply in the morning.

===================================================

--------------------

  • Click Start, then type cmd in the search box
  • Right click cmd.exe the click Run as Administrator
  • Copy and paste the following after the command prompt then select enter

dism.exe /online /remove-package /packagename:Package_for_KB976932~31bf3856ad364e35~amd64~~6.1.1.17105

  • Once completed type Exit then hit Enter
  • Reboot your computer and attempt Windows Update

===================================================

Farbar's Service Scanner

--------------------

  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Windows Update results
  • Service Scanner log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
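A caveat on the dism.exe step above, with an added example that is not part of the thread or of DISM's own documentation. /Remove-Package takes a full package identity, and the version string at its end (6.1.1.17105 in the command above) has to match what the component store actually holds; when DISM cannot open a package by the identity it is given it reports 0x800f0805, "The specified package is not valid Windows package." The machine in this thread reports 6.1.7600, so it is not certain that any Service Pack package is present at all. The script below asks DISM's own /Get-Packages listing (present on the Windows 7 DISM) for every package whose identity contains the KB number and prints the exact identity, state and install time, then prints the removal command built from the real identity instead of running it. The only assumption is the KB number passed in.

```powershell
# Added example (not from the thread): list what the component store really
# holds for a KB before running /Remove-Package by identity.
# Run from an elevated PowerShell prompt on the affected machine.
# Assumption: only the KB number; everything else is dism.exe's own output.
param([string]$Kb = 'KB976932')

# /Get-Packages exists on the Windows 7 (6.1) DISM; its output is blocks of
# "Key : Value" lines, one block per package, starting with Package Identity.
$raw = & dism.exe /Online /Get-Packages
if ($LASTEXITCODE -ne 0) {
    throw "dism.exe exited with $LASTEXITCODE; see C:\Windows\Logs\DISM\dism.log"
}

# Turn each block into one object. Written for PowerShell 2.0 (Windows 7 default),
# so plain hashtables and New-Object PSObject rather than [ordered] or [pscustomobject].
$packages = @()
$current = $null
foreach ($line in $raw) {
    if ($line -match '^Package Identity\s*:\s*(.+)$') {
        if ($current) { $packages += New-Object PSObject -Property $current }
        $current = @{ Identity = $Matches[1].Trim(); State = ''; ReleaseType = ''; InstallTime = '' }
    } elseif ($current -ne $null -and $line -match '^(State|Release Type|Install Time)\s*:\s*(.*)$') {
        $key = $Matches[1] -replace ' ', ''
        $current[$key] = $Matches[2].Trim()
    }
}
if ($current) { $packages += New-Object PSObject -Property $current }

# @() keeps .Count working on PowerShell 2.0 when there is a single hit.
$hits = @($packages | Where-Object { $_.Identity -like "*$Kb*" })
if ($hits.Count -eq 0) {
    Write-Output "No package containing $Kb is in the component store."
    Write-Output "A /Remove-Package with a guessed identity will fail with 0x800f0805."
    return
}
foreach ($p in $hits) {
    Write-Output ('{0}' -f $p.Identity)
    Write-Output ('  State: {0}   Release type: {1}   Installed: {2}' -f $p.State, $p.ReleaseType, $p.InstallTime)
    # Build the exact removal command from the real identity; print it, do not run it.
    Write-Output ('  dism.exe /Online /Remove-Package /PackageName:{0}' -f $p.Identity)
}
```

A package whose State is "Install Pending" or "Staged" rather than "Installed" is the one to look at first; its identity, copied from this output, is what /Remove-Package expects, and the DISM log named in the error message records why the earlier attempt could not open the package.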

#14 chipmonger

chipmonger
  • Topic Starter

  • Members
  • 25 posts

Posted 18 February 2013 - 08:55 AM

Here is the output for cmd window running dism.exe:


dism.exe /online /remove-package /packagename:Package_for_KB976932~31bf3856ad364e35~amd64~~6.1.1.17105


Microsoft Windows [Version 6.1.7600]
Copyright © 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>dism.exe /online /remove-package /packagename:Package_for_KB
976932~31bf3856ad364e35~amd64~~6.1.1.17105

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7600.16385

An error occurred trying to open - Package_for_KB976932~31bf3856ad364e35~amd64~~
6.1.1.17105 Error: 0x800f0805
The specified package is not valid Windows package.

Error: 0x800f0805

The specified package is not valid Windows package.

The DISM log file can be found at C:\windows\Logs\DISM\dism.log

C:\windows\system32>

Farbar Service Scanner Version: 15-02-2013
Ran by Rhea (administrator) on 18-02-2013 at 08:52:44
Running from "C:\Users\Rhea\Desktop"
Windows 7 Home Premium  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-02-15 19:28] - [2013-01-04 00:41] - 1893224 ____A (Microsoft Corporation) 5CFB7AB8F9524D1A1E14369DE63B83CC

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
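One entry in the File Check section above, C:\Windows\System32\Drivers\tcpip.sys, is printed with its dates, size and MD5 instead of "MD5 is legit". That only means the hash was not in Farbar's list of known-good hashes; the dates on the line (file written 2013-01-04, placed on disk 2013-02-15) are what a recently serviced system file looks like, and the line is not by itself evidence of tampering. The script below is an added example, not from the thread or from Farbar Service Scanner. It reads FSS.txt, picks out every File Check entry that was not matched, and for each one computes a SHA-256 and runs Get-AuthenticodeSignature. It assumes FSS.txt is on the Desktop beside the tool and uses the File Check layout visible above (a path line followed by a details line ending in the MD5 for unmatched files, "path => MD5 is legit" for matched ones).

```powershell
# Added example (not from the thread): find the File Check entries in FSS.txt
# that Farbar could not match, then hash and signature-check each file.
# Assumptions: FSS.txt on the Desktop, and the File Check layout seen in the
# thread: for an unmatched file a path line, then a details line that ends
# in the MD5; for a matched file "path => MD5 is legit" on one line.
param([string]$FssLog = "$env:USERPROFILE\Desktop\FSS.txt")

$text = @(Get-Content -Path $FssLog)

# Walk the log; only the File Check block matters here.
$inFileCheck = $false
$unmatched = @()
for ($i = 0; $i -lt $text.Count; $i++) {
    $line = $text[$i]
    if ($line -match '^File Check:') { $inFileCheck = $true; continue }
    if ($line -match '^\*+ End of log') { break }
    if (-not $inFileCheck) { continue }
    if ($line -match '^([A-Za-z]:\\.+)$') {
        $path = $Matches[1].Trim()
        if ($path -match '=> MD5 is legit') { continue }   # matched entry, nothing to do
        # Unmatched entries carry a second line ending in the 32-hex-digit MD5.
        if (($i + 1) -lt $text.Count -and $text[$i + 1] -match '([0-9A-Fa-f]{32})\s*$') {
            $unmatched += New-Object PSObject -Property @{ Path = $path; ReportedMD5 = $Matches[1].ToUpper() }
        }
    }
}

if ($unmatched.Count -eq 0) {
    Write-Output 'Every File Check entry matched a known MD5.'
    return
}

# SHA-256 via .NET so this runs on PowerShell 2.0 (no Get-FileHash there).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($u in $unmatched) {
    if (-not (Test-Path -LiteralPath $u.Path)) {
        Write-Output ('{0}: not present on disk' -f $u.Path)
        continue
    }
    $stream = [System.IO.File]::OpenRead($u.Path)
    try {
        $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    # Windows 7's PowerShell 2.0 checks embedded signatures only, not the
    # catalog store, so a catalog-signed OS file such as tcpip.sys reports
    # NotSigned here even when it is genuine. Treat NotSigned as "verify
    # further" (for example with Sysinternals sigcheck), not as "bad".
    $sig = Get-AuthenticodeSignature -FilePath $u.Path
    Write-Output $u.Path
    Write-Output ('  MD5 (from FSS): {0}' -f $u.ReportedMD5)
    Write-Output ('  SHA-256:        {0}' -f $hash)
    Write-Output ('  Authenticode:   {0}' -f $sig.Status)
}
```

The SHA-256 is what to compare against a known-good copy of the same file version from another Windows 7 x64 machine at the same patch level, or to submit to a multi-engine scanner; the MD5 from the log is kept only so the two reports can be tied to the same file.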



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,033 posts
  • Gender:Male
  • Location:California

Posted 18 February 2013 - 09:29 AM

Hi Chip,

Windows Update issues can be a real pain because there are many potential causes. I appreciate your patience as we try to work through this.

Please do this.

===================================================

Resetting Windows Update Components Using windowsupdate.diagcab

-------------------
  • Please click windowsupdate.diagcab then select Open with Diagnostic Troubleshooting Wizard (default)
  • Select Next
  • If offered, first select Default Mode rather than Aggressive Mode
  • Once completed click the View detailed information link in the lower left hand corner
  • Scroll down and expand the Detection Details category
  • Left click on AllLogs.zip
  • Double click on OutputReport.txt
  • Copy and paste the results in your reply
  • Close the next screen then reboot your computer
  • Please check Windows Update
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Did Windows Update?
  • OutputReport log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



