Removed System Repair, Certified Toolbar & Protected Search, now have 0 kb fil


This topic is locked
46 replies to this topic

#1 CuriousT

  • Members
  • 23 posts
  • Gender: Male

Posted 16 March 2013 - 06:19 PM

Hi,

I've tried to document as best as I can what has occurred and the actions I've taken.

Thank you so much for your help,

CuriousT

Chronology & ‘Titles’ Legend:

Activity taken: Bold and underlined, starting with date

Virus/malware log: Italicized and underlined

2013-03-11 Downloaded and updated to SugarSync 2.0

Previously had SugarSync 1.0. No noticeable problems, but it seems relevant to mention.

2013-03-11 Java Update kept repeatedly asking to update

I kept refusing, went to the bathroom, then heard my laptop beep away, only to come back to see hard drive failure messages with System Repair messages/suggestions. (Note: I previously experienced Auto Select behavior, which I thought I had gotten rid of by changing mouse settings. In hindsight I’m thinking that the Auto Select probably clicked install.) (Note: previously I have updated Java, but it kept asking so frequently, like once a week. I seem to recall trying to stop the auto update check with no success. So I ended up ignoring it as an issue and just cancelling when it would come up.) I Googled for System Repair malware and found your site.

2013-03-11 Followed your Remove System Repair ( Uninstall Guide ) instructions.

All went well except TDSSKiller did not appear to run: saw the hourglass, then nothing. Tried several times, using different file/program names. Btw, I cannot rename the TDSSKiller file type to .com as instructed; the file type is set as .exe. The logs from running are:

RKill

I no longer have the log since it writes over the previous one.

Malware Bytes – from mbam-log-2013-03-12 (20-33-45):

 

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

 

Database version: v2013.03.13.02

 

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Tony :: TPG_LAPTOP-HP [administrator]

 

Protection: Disabled

 

3/12/2013 8:33:45 PM

mbam-log-2013-03-12 (20-33-45).txt

 

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 436468

Time elapsed: 57 minute(s), 9 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sASAjCWuus.exe (Trojan.FakeAlert.VRE) -> Data: C:\ProgramData\sASAjCWuus.exe -> Quarantined and deleted successfully.

 

Registry Data Items Detected: 14

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\Search|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com/) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com/) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://search.certified-toolbar.com?si=41460&home=true&tid=2937) Good: (http://www.google.com) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 1

C:\ProgramData\sASAjCWuus.exe (Trojan.FakeAlert.VRE) -> Quarantined and deleted successfully.

 

(end)

 

 

Unhide

I no longer have the log since it writes over the previous one. Upon inspecting shortcuts and menu items, everything was back to normal. Pretty cool utility!

Secunia

Ran and updated as many programs as I could. Note: Microsoft updates had not occurred since Nov 2011, so there are over 0.5 GB of files to download. Haven’t done them yet.

2013-03-13 0 kb files

The Remove System Repair steps on 3/12 seemed to fix everything until 3/13, when I was using SyncToy to update my USB sticks and noticed that A LOT more files were being updated than I thought should be. I immediately stopped SyncToy and noticed many of my files were 0 kb on both the laptop and the stick. I also noticed that SugarSync had moved the ‘new’ 0 kb files up to its cloud. Not sure what to do about it. While I have a backup as well as previous versions on SugarSync, I would need to go through hundreds to thousands of files to pick which ones to restore, which I think I will do only as needed.

I noticed also that I was getting an ‘SSL search is off’ message in IE:

“This network has turned off SSL search, so you cannot see personalized results.
The security features of SSL search are not available. Content filtering may be in place.
Learn More | Dismiss”

I ran through the Remove System Repair steps again, this time in Normal mode, not Safe Mode with Networking:

RKill

I no longer have the log since it writes over the previous one.

Malware Bytes – from mbam-log-2013-03-13 (17-25-35):

 

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

 

Database version: v2013.03.13.12

 

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Tony :: TPG_LAPTOP-HP [administrator]

 

Protection: Disabled

 

3/13/2013 5:25:35 PM

mbam-log-2013-03-13 (17-25-35).txt

 

Scan type: Full scan (C:\|D:\|F:\|H:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 442684

Time elapsed: 1 hour(s), 10 minute(s), 22 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 1

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Protected Search (PUP.ProtectedSearch) -> Quarantined and deleted successfully.

 

Files Detected: 1

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Protected Search\Protected Search Settings.lnk (PUP.ProtectedSearch) -> Quarantined and deleted successfully.

 

(end)

 

 

Unhide – 20130313:

 

Unhide by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Unhide.exe can be found at this link:

  http://www.bleepingcomputer.com/forums/topic405109.html

 

Program started at: 03/13/2013 06:58:00 PM

Windows Version: Windows 7

 

Please be patient while your files are made visible again.

 

Processing the C:\ drive

Finished processing the C:\ drive. 247455 files processed.

 

Processing the D:\ drive

Finished processing the D:\ drive. 164 files processed.

 

Processing the F:\ drive

Finished processing the F:\ drive. 4100 files processed.

 

Processing the H:\ drive

Finished processing the H:\ drive. 12868 files processed.

 

Restoring the Start Menu.

 * 242 Shortcuts and Desktop items were restored.

 

 

Searching for Windows Registry changes made by FakeHDD rogues.

 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

No registry changes detected.

 

Program finished at: 03/13/2013 07:18:15 PM

Execution time: 0 hours(s), 20 minute(s), and 14 seconds(s)

 

 

Secunia

No programs to update other than Microsoft, per the 3/12 run.

 

 

2013-03-14 Google Redirects

Were occurring, but I didn’t have time to address them. Very slow Google search, often with an opaque white screen within the IE window. Very slow load times.

2013-03-15 Google Redirects and Auto Select

Didn’t seem to redirect until later in the day. Very slow Google search, often with an opaque white screen within the IE window. Very slow load times. Researched more on Bleeping Computer, discovered Protected Search 1.1. Followed the “Remove the Search.certified-toolbar.com Browser Hijacker” guide.

 

 

RKill – 20130315

Rkill 2.4.7 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Rkill can be found at this link:

 http://www.bleepingcomputer.com/forums/topic308364.html

 

Program started at: 03/15/2013 02:47:57 PM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

 

Checking for Windows services to stop:

 

 * No malware services found to stop.

 

Checking for processes to terminate:

 

 * C:\Windows\SysWOW64\ezSharedSvcHost.exe (PID: 1820) [SFI]

 * C:\Windows\SysWOW64\ezSharedSvcHost.exe (PID: 1820) [WD-HEUR]

 

2 proccesses terminated!

 

Checking Registry for malware related settings:

 

 * No issues found in the Registry.

 

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

 

Performing miscellaneous checks:

 

 * Windows Defender Disabled

 

   [HKLM\SOFTWARE\Microsoft\Windows Defender]

   "DisableAntiSpyware" = dword:00000001

 

 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

 

Checking Windows Service Integrity:

 

 * Windows Defender (WinDefend) is not Running.

   Startup Type set to: Manual

 

Searching for Missing Digital Signatures:

 

 * No issues found.

 

Checking HOSTS File:

 

 * No issues found.

 

Program finished at: 03/15/2013 02:48:36 PM

Execution time: 0 hours(s), 0 minute(s), and 38 seconds(s)

 

 

Add/Remove Programs

Removed Protected Search 1.1

Did not see Certified Toolbar 2.1

 

 

Malware Bytes – from mbam-log-2013-03-15 (14-20-22)

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

 

Database version: v2013.03.14.09

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tony :: TPG_LAPTOP-HP [administrator]

 

Protection: Disabled

 

3/15/2013 2:20:22 PM

mbam-log-2013-03-15 (14-20-22).txt

 

Scan type: Flash scan

Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Registry | File System | P2P

Objects scanned: 191649

Time elapsed: 1 minute(s), 27 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 1

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Protected Search (PUP.ProtectedSearch) -> Quarantined and deleted successfully.

 

Files Detected: 1

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Protected Search\Protected Search Settings.lnk (PUP.ProtectedSearch) -> Quarantined and deleted successfully.

 

(end)

 

 

Sc-Cleaner – 20130315

Shortcut Cleaner 1.2.1 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Shortcut Cleaner can be found at this link:

 http://www.bleepingcomputer.com/download/shortcut-cleaner/

 

Program started at: 03/15/2013 05:26:53 PM.

 

Searching C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\

 

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

 

Searching C:\Users\Tony\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

 

Searching C:\Users\Public\Desktop\

 

Searching C:\Users\Tony\Desktop\

 

 

0 bad shortcuts found.

 

Program finished at: 03/15/2013 05:26:59 PM

Execution time: 0 hours(s), 0 minute(s), and 5 seconds(s)

 

 

Secunia

No programs to update other than Microsoft, per the 3/12 run.

2013-03-15 Google Redirects and Auto Select

Kept on getting redirects and auto select, so I ran MalwareBytes again.

 

Malware Bytes – from mbam-log-2013-03-15 (14-57-29)

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

 

Database version: v2013.03.15.07

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tony :: TPG_LAPTOP-HP [administrator]

 

Protection: Disabled

 

3/15/2013 2:57:29 PM

mbam-log-2013-03-15 (14-57-29).txt

 

Scan type: Full scan (C:\|D:\|F:\|H:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 454638

Time elapsed: 2 hour(s), 24 minute(s), 14 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

 

Malware Bytes – from  mbam-log-2013-03-15 (17-22-22)

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

 

Database version: v2013.03.15.07

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tony :: TPG_LAPTOP-HP [administrator]

 

Protection: Disabled

 

3/15/2013 5:22:22 PM

mbam-log-2013-03-15 (17-22-22).txt

 

Scan type: Flash scan

Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Registry | File System | P2P

Objects scanned: 191290

Time elapsed: 44 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

 

2013-03-16 Redirects, Auto Select and unable to see/sync iPod

Unable to see the iPod in My Computer or iTunes; can see the iPhone in iTunes but not in My Computer; and unable to see the external hard drive. Didn’t get redirected at first. I did search for System Repair and redirects but didn’t get redirected. Then I did a search on rootkit, chose the one below and got redirected:

Free Rootkit Detection and Removal | Sophos Anti-Rootkit Tool
www.sophos.com/en-us/products/free.../sophos-anti-rootkit.aspx

Rebooted and ran Malware Bytes

 

Malware Bytes – from mbam-log-2013-03-16 (15-04-35)

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

 

Database version: v2013.03.16.09

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Tony :: TPG_LAPTOP-HP [administrator]

 

Protection: Disabled

 

3/16/2013 3:04:35 PM

mbam-log-2013-03-16 (15-04-35).txt

 

Scan type: Flash scan

Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Registry | File System | P2P

Objects scanned: 191843

Time elapsed: 28 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

 

 

Other Things to Note

Note: Auto Select behavior

is when the mouse selects whatever window, button or cursor location the mouse is hovering over for a while. I Googled and followed suggestions on mouse settings that may affect it, but have not experienced any change. No documentation indicates this is a feature, so I wonder if it’s a virus/malware-caused behavior.

Note: Google Bar search field drops down

and sticks after I enter a search. Has been happening for a while. Not sure what to make of it, but thought it worth mentioning.

Note: I notice on LAN Status

that I received 40 to 60 M within 5 or 10 minutes while not clicking on a lot of sites nor downloading any files, pictures or videos. Then it stops or slows. Not sure what to make of it, but thought it worth mentioning.

 

 

DDS – 20130316

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_43

Run by Tony at 19:03:16 on 2013-03-16

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3835.1691 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\SysWOW64\ezSharedSvcHost.exe

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Windows\system32\mfevtps.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\ptumlcmsvc64.exe

C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe

C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

C:\Program Files (x86)\Secunia\PSI\PSIA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\IDT\WDM\sttray64.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\SugarSync\SugarSync.exe

C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe

C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe

C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\iTunes\iTunes.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe

C:\Program Files\McAfee\VirusScan\mcods.exe

C:\Program Files\Common Files\McAfee\Core\mchost.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe

C:\Program Files (x86)\Secunia\PSI\sua.exe

C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Windows\splwow64.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\ATH.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileSync.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\com.apple.Outlook.client.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Bar = hxxp://www.google.com

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://www.google.com

mSearch Page = hxxp://www.google.com

mDefault_Search_URL = hxxp://www.google.com

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

mWinlogon: Userinit = userinit.exe,

BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120626172927.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -

BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: DownTango Launcher: {e327b07a-0e11-4fd4-bef2-b2c5605b59c6} - C:\Users\Tony\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -

TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

TB: DownTango Launcher: {e327b07a-0e11-4fd4-bef2-b2c5605b59c6} - C:\Users\Tony\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [SugarSync] "C:\Program Files (x86)\SugarSync\SugarSync.exe" -startInTray -usedelay=true

mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe

mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: EnableShellExecuteHooks = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: HideFastUserSwitching = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2d8ee268-8d7a-4996-b80b-8999ce8c7fe2} - {e327b07a-0e11-4fd4-bef2-b2c5605b59c6}

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_43-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_43-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_43-windows-i586.cab

TCP: NameServer = 198.224.187.135 198.224.186.135

TCP: Interfaces\{4D8866C2-A3DD-44F1-A95E-42341AAFDAEB} : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{4D8866C2-A3DD-44F1-A95E-42341AAFDAEB}\14E64786F6E69702445727963702960586F6E656 : DHCPNameServer = 198.224.187.135 198.224.186.135

TCP: Interfaces\{4D8866C2-A3DD-44F1-A95E-42341AAFDAEB}\E4544574541425 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{998068EF-8CBB-49E9-97EC-35F1C97C76C4} : DHCPNameServer = 198.224.187.135 198.224.186.135

TCP: Interfaces\{AB1F5E7A-1D98-4CDB-BB29-0DE230E20564} : DHCPNameServer = 66.174.95.44 66.174.71.33

TCP: Interfaces\{FCA79476-CF35-4E8C-A23C-69096A2E948E} : DHCPNameServer = 192.168.1.254

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

SSODL: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\Windows\SysWOW64\SSCbFsMntNtf3.dll

STS: Virtual Storage Mount Notification - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\Windows\SysWOW64\SSCbFsMntNtf3.dll

SEH: EasyBits ShellExecute Hook - {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\SysWOW64\ezUPBHook.dll

x64-mWinlogon: Userinit = userinit.exe,

x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120626172926.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [SynTPEnh] H.EXE

x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_43-windows-i586.cab

x64-DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

x64-DPF: {CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_43-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_43-windows-i586.cab

x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll

x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

x64-SSODL: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\Windows\System32\SSCbFsMntNtf3.dll

x64-STS: Virtual Storage Mount Notification - {C28617FD-4FE7-4043-AD51-C8132CE90106} - C:\Windows\System32\SSCbFsMntNtf3.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\b37351gq.default\

FF - plugin: c:\PROGRA~2\mcafee\msc\npMcSnFFPl.dll

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMSS.dll

FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll

FF - plugin: C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - ExtSQL: 2013-03-12 23:24; {CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}

.

============= SERVICES / DRIVERS ===============

.

R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-1-28 77952]

R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-1-28 38016]

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2012-2-22 771536]

R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2012-4-26 340216]

R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-6-22 46136]

R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2012-4-26 70112]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-28 31088]

R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2012-4-26 309840]

R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2012-4-26 515968]

R3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2011-5-10 22528]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2011-6-22 1353280]

R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf_amd64.sys [2013-2-7 18456]

R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-6-22 335464]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-22 436840]

R3 SSCBFS3;SugarSync CallBack File System driver v3;C:\Windows\System32\drivers\sscbfs3.sys [2013-3-11 347904]

R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-6-22 44672]

S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2012-10-25 196440]

S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2012-4-26 106552]

S3 PTUMLBUS;PTUML USB Composite Device Driver;C:\Windows\System32\drivers\PTUMLBUS.sys [2011-10-4 73616]

S3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;C:\Windows\System32\drivers\PTUMLCVsp.sys [2011-10-4 182672]

S3 PTUMLMdm;PANTECH UML290;C:\Windows\System32\drivers\PTUMLMdm.sys [2011-10-4 182672]

S3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);C:\Windows\System32\drivers\PTUMLNET61.sys [2011-10-4 98832]

S3 PTUMLNVsp;PANTECH UML290 NMEA Port;C:\Windows\System32\drivers\PTUMLNVsp.sys [2011-10-4 183824]

S3 PTUMLRMNET;PANTECH UML290 RMNET Service;C:\Windows\System32\drivers\PTUMLRMNET.sys [2011-10-4 69136]

S3 PTUMLVsp;PANTECH UML290 Diagnostic Port;C:\Windows\System32\drivers\PTUMLVsp.sys [2011-10-4 182672]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

.

=============== File Associations ===============

.

FileExt: .inf: inffile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]

.

=============== Created Last 30 ================

.

2013-03-14 17:30:54   --------  d-----w-           C:\Program Files (x86)\Mozilla Maintenance Service

2013-03-13 03:24:45   477616            ----a-w-            C:\Windows\SysWow64\npdeployJava1.dll

2013-03-13 03:22:21   544688            ----a-w-            C:\Windows\System32\npdeployJava1.dll

2013-03-13 02:41:01   --------  d-----w-           C:\Users\Tony\AppData\Local\Secunia PSI

2013-03-13 02:40:43   --------  d-----w-           C:\Program Files (x86)\Secunia

2013-03-13 00:26:18   --------  d-----w-           C:\Users\Tony\AppData\Roaming\Malwarebytes

2013-03-13 00:25:26   --------  d-----w-           C:\ProgramData\Malwarebytes

2013-03-13 00:25:25   --------  d-----w-           C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-03-13 00:25:06   --------  d-----w-           C:\Users\Tony\AppData\Local\Programs

2013-03-12 23:24:18   --------  d-----w-           C:\ProgramData\APN

2013-03-11 18:42:01   192256            ----a-w-            C:\Windows\System32\SSCbFsMntNtf3.dll

2013-03-11 18:42:01   159488            ----a-w-            C:\Windows\SysWow64\SSCbFsMntNtf3.dll

2013-03-11 18:42:01   143104            ----a-w-            C:\Windows\System32\SSCbFsNetRdr3.dll

2013-03-11 18:42:00   225024            ----a-w-            C:\Windows\SysWow64\SSCbFsNetRdr3.dll

2013-03-11 18:40:57   347904            ----a-w-            C:\Windows\System32\drivers\sscbfs3.sys

2013-02-26 17:31:23   --------  d-----w-           C:\Program Files\iPod

2013-02-26 17:31:22   --------  d-----w-           C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-02-26 17:31:22   --------  d-----w-           C:\Program Files\iTunes

2013-02-26 17:31:22   --------  d-----w-           C:\Program Files (x86)\iTunes

.

==================== Find3M  ====================

.

2013-03-13 03:24:24   473520            ----a-w-            C:\Windows\SysWow64\deployJava1.dll

2013-03-13 03:22:04   526256            ----a-w-            C:\Windows\System32\deployJava1.dll

2013-03-13 02:52:54   691568            ----a-w-            C:\Windows\SysWow64\FlashPlayerApp.exe

2013-03-13 02:52:53   71024  ----a-w-            C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-02-19 18:59:06   70112  ----a-w-            C:\Windows\System32\drivers\cfwids.sys

2013-02-19 18:56:26   340216            ----a-w-            C:\Windows\System32\drivers\mfewfpk.sys

2013-02-19 18:56:14   182752            ----a-w-            C:\Windows\System32\mfevtps.exe

2013-02-19 18:55:26   10728  ----a-w-            C:\Windows\System32\drivers\mfeclnk.sys

2013-02-19 18:55:14   106552            ----a-w-            C:\Windows\System32\drivers\mferkdet.sys

2013-02-19 18:54:32   771536            ----a-w-            C:\Windows\System32\drivers\mfehidk.sys

2013-02-19 18:53:42   515968            ----a-w-            C:\Windows\System32\drivers\mfefirek.sys

2013-02-19 18:53:02   309840            ----a-w-            C:\Windows\System32\drivers\mfeavfk.sys

2013-02-19 18:52:44   179280            ----a-w-            C:\Windows\System32\drivers\mfeapfk.sys

2013-02-07 12:15:22   18456  ----a-w-            C:\Windows\System32\drivers\psi_mf_amd64.sys

.

============= FINISH: 19:07:21.08 ===============



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:18 AM

Posted 18 March 2013 - 04:33 PM

Please re-run unhide.exe again before running ComboFix,

then run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
  • NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CuriousT

CuriousT
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:08:18 AM

Posted 18 March 2013 - 07:28 PM

Thanks CatByte!

 

Your help is very much appreciated :-)

 

I followed the instructions with no problems.  Here's the ComboFix log.

 

ComboFix 13-03-17.01 - Tony 03/18/2013  18:48:29.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3835.1878 [GMT -4:00]
Running from: c:\users\Tony\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\sASAjCWuus
c:\users\Tony\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-18 to 2013-03-18  )))))))))))))))))))))))))))))))
.
.
2013-03-18 23:26 . 2013-03-18 23:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-14 17:30 . 2013-03-14 17:30 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-03-13 19:51 . 2013-03-13 19:51 -------- d-----w- c:\windows\Sun
2013-03-13 03:24 . 2013-03-13 03:24 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-03-13 03:22 . 2013-03-13 03:22 544688 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-13 03:22 . 2013-03-13 03:22 193968 ----a-w- c:\windows\system32\javaws.exe
2013-03-13 03:22 . 2013-03-13 03:22 172976 ----a-w- c:\windows\system32\javaw.exe
2013-03-13 03:22 . 2013-03-13 03:22 172976 ----a-w- c:\windows\system32\java.exe
2013-03-13 03:19 . 2013-03-13 03:19 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-03-13 02:41 . 2013-03-13 02:41 -------- d-----w- c:\users\Tony\AppData\Local\Secunia PSI
2013-03-13 02:40 . 2013-03-13 02:40 -------- d-----w- c:\program files (x86)\Secunia
2013-03-13 00:26 . 2013-03-13 00:26 -------- d-----w- c:\users\Tony\AppData\Roaming\Malwarebytes
2013-03-13 00:25 . 2013-03-13 00:25 -------- d-----w- c:\programdata\Malwarebytes
2013-03-13 00:25 . 2013-03-13 00:25 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-13 00:25 . 2013-03-13 00:25 -------- d-----w- c:\users\Tony\AppData\Local\Programs
2013-03-12 23:28 . 2013-03-12 23:28 -------- d-----w- c:\program files (x86)\7-zip
2013-03-12 23:24 . 2013-03-12 23:24 -------- d-----w- c:\programdata\APN
2013-03-11 18:42 . 2013-01-30 17:12 143104 ----a-w- c:\windows\system32\SSCbFsNetRdr3.dll
2013-03-11 18:42 . 2013-01-30 17:12 192256 ----a-w- c:\windows\system32\SSCbFsMntNtf3.dll
2013-03-11 18:42 . 2013-01-30 17:12 159488 ----a-w- c:\windows\SysWow64\SSCbFsMntNtf3.dll
2013-03-11 18:42 . 2013-01-30 17:12 225024 ----a-w- c:\windows\SysWow64\SSCbFsNetRdr3.dll
2013-03-11 18:40 . 2013-01-30 17:11 347904 ----a-w- c:\windows\system32\drivers\sscbfs3.sys
2013-02-26 17:31 . 2013-02-26 17:31 -------- d-----w- c:\program files\iPod
2013-02-26 17:31 . 2013-02-26 17:32 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-02-26 17:31 . 2013-02-26 17:32 -------- d-----w- c:\program files\iTunes
2013-02-26 17:31 . 2013-02-26 17:32 -------- d-----w- c:\program files (x86)\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 03:24 . 2011-04-13 23:28 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-13 03:22 . 2011-04-13 23:28 526256 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-13 02:52 . 2012-07-25 14:30 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-13 02:52 . 2011-10-05 06:39 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-19 18:59 . 2012-04-26 21:09 70112 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-02-19 18:56 . 2012-04-26 21:09 340216 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-02-19 18:56 . 2012-04-26 20:28 182752 ----a-w- c:\windows\system32\mfevtps.exe
2013-02-19 18:55 . 2012-04-26 21:09 10728 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-02-19 18:55 . 2012-04-26 21:09 106552 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-02-19 18:54 . 2012-02-22 17:29 771536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-02-19 18:53 . 2012-04-26 21:09 515968 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-02-19 18:53 . 2012-04-26 21:09 309840 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-02-19 18:52 . 2012-02-22 17:29 179280 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-02-07 12:15 . 2013-02-07 12:15 18456 ----a-w- c:\windows\system32\drivers\psi_mf_amd64.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-18 00:29 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{e327b07a-0e11-4fd4-bef2-b2c5605b59c6}]
2012-11-28 21:14 1031752 ----a-w- c:\users\Tony\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
"{e327b07a-0e11-4fd4-bef2-b2c5605b59c6}"= "c:\users\Tony\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll" [2012-11-28 1031752]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{e327b07a-0e11-4fd4-bef2-b2c5605b59c6}]
[HKEY_CLASSES_ROOT\wtb.Band.1]
[HKEY_CLASSES_ROOT\TypeLib\{a85e31f1-a6ce-4ace-a560-ec01271b7f55}]
[HKEY_CLASSES_ROOT\wtb.Band]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-06-27 21:45 208608 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-06-27 21:45 208608 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-06-27 21:45 208608 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 17:12 159488 ----a-w- c:\windows\SysWOW64\SSCbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-05 39408]
"SugarSync"="c:\program files (x86)\SugarSync\SugarSync.exe" [2013-02-13 12343648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-28 336384]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2011-03-16 61112]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-01-18 318520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-01-14 1534504]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2013-2-7 575000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\SysWOW64\SSCbFsMntNtf3.dll" [2013-01-30 159488]
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"EldosMountNotificator"= {C28617FD-4FE7-4043-AD51-C8132CE90106} - c:\windows\SysWOW64\SSCbFsMntNtf3.dll [2013-01-30 159488]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-02-05 235216]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-02-19 106552]
R3 PTUMLBUS;PTUML USB Composite Device Driver;c:\windows\system32\DRIVERS\PTUMLBUS.sys [2010-11-02 73616]
R3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;c:\windows\system32\DRIVERS\PTUMLCVsp.sys [2010-11-02 182672]
R3 PTUMLMdm;PANTECH UML290;c:\windows\system32\DRIVERS\PTUMLMdm.sys [2010-11-02 182672]
R3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);c:\windows\system32\DRIVERS\PTUMLNET61.sys [2010-11-02 98832]
R3 PTUMLNVsp;PANTECH UML290 NMEA Port;c:\windows\system32\DRIVERS\PTUMLNVsp.sys [2010-11-02 183824]
R3 PTUMLRMNET;PANTECH UML290 RMNET Service;c:\windows\system32\DRIVERS\PTUMLRMNET.sys [2010-11-02 69136]
R3 PTUMLVsp;PANTECH UML290 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMLVsp.sys [2010-11-02 182672]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-05 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2011-01-29 77952]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2011-01-29 38016]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-02-19 340216]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-02-28 203776]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-02-28 354304]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
S2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-28 92216]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2013-02-19 218760]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-02-19 182752]
S2 ptumlcmsvc;PTUML290 Connection Manager Service;c:\windows\system32\ptumlcmsvc64.exe [2010-11-03 138768]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2013-02-07 1223704]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2013-02-07 660504]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-02-19 70112]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-28 31088]
S3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-02-19 515968]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2011-03-07 1353280]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys [2013-02-07 18456]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-05 436840]
S3 SSCBFS3;SugarSync CallBack File System driver v3;c:\windows\system32\DRIVERS\sscbfs3.sys [2013-01-30 347904]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-29 44672]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-25 02:52]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 06:39]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 06:39]
.
2013-03-01 c:\windows\Tasks\HPCeeScheduleForTony.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-06-27 21:45 232672 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-06-27 21:45 232672 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-06-27 21:45 232672 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 17:12 192256 ----a-w- c:\windows\System32\SSCbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{39D54CC2-69CF-43b4-B167-577D25E7F496}"
[HKEY_CLASSES_ROOT\CLSID\{39D54CC2-69CF-43b4-B167-577D25E7F496}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncSharedPending]
@="{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}"
[HKEY_CLASSES_ROOT\CLSID\{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-15 1128448]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\system32\SSCbFsMntNtf3.dll" [2013-01-30 192256]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{2d8ee268-8d7a-4996-b80b-8999ce8c7fe2} - {e327b07a-0e11-4fd4-bef2-b2c5605b59c6} - c:\users\Tony\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 198.224.187.135 198.224.186.135
FF - ProfilePath - c:\users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\b37351gq.default\
FF - ExtSQL: 2013-03-12 23:24; {CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM-Run-SynTPEnh - H.EXE
SSODL-EldosMountNotificator    REG_SZ    {C28617FD-4FE7-4043-AD51-C8132CE90106}- - (no file)
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-18  19:57:23
ComboFix-quarantined-files.txt  2013-03-18 23:57
.
Pre-Run: 332,987,551,744 bytes free
Post-Run: 342,612,221,952 bytes free
.
- - End Of File - - A5B19276778C98B51BA3FACBEE632FA1
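The ComboFix sections above list the load points an analyst reads first: ShellIconOverlayIdentifiers entries that resolve through a CLSID to a DLL, plain Run and SharedTaskScheduler values, and the `IE:` line for the DownTangoFTToolbar BHO that lives under the user's AppData. The Python script below is an added example, not part of the thread and not ComboFix's own code. It parses that layout into structured entries, groups them by module so a DLL registered in several places stands out (SSCbFsMntNtf3.dll above is both an icon overlay and a SharedTaskScheduler entry), and flags modules that auto-load from outside c:\windows and the Program Files directories, which is where toolbars and adware normally install; the DownTango BHO is the one hit, the same BHO (CLSID e327b07a-0e11-4fd4-bef2-b2c5605b59c6) that JRT removes later in the thread. The sample text is constructed from lines in the log, the regular expressions are mine and cover only the line shapes shown, and the path heuristic is a triage hint rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in ComboFix's layout; every line is copied from entries in the log above
# (two shell icon overlays, a Run value, a SharedTaskScheduler value and an "IE:" line).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 17:12 192256 ----a-w- c:\windows\System32\SSCbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-15 1128448]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\system32\SSCbFsMntNtf3.dll" [2013-01-30 192256]
.
IE: {{2d8ee268-8d7a-4996-b80b-8999ce8c7fe2} - {e327b07a-0e11-4fd4-bef2-b2c5605b59c6} - c:\users\Tony\AppData\Roaming\DownTangoFTToolbar\DownTangoFTToolbar.dll
"""

# Line shapes ComboFix uses for the blocks above (regexes are mine, written for these shapes only).
KEY_RE = re.compile(r"^\[(.+)\]$")
CLSID_DEFAULT_RE = re.compile(r'^@="(\{[0-9A-Fa-f-]{36}\})"$')
MODULE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$")
INLINE_RE = re.compile(r'^"([^"]+)"=\s*"([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
IE_RE = re.compile(r"^IE: (.+?) - (\{[^}]+\}) - (.+)$")


@dataclass
class Entry:
    location: str  # the key (or "IE:" hook) that makes the module load
    name: str      # value name or CLSID
    path: str
    size: int      # 0 when the line carries no size
    date: str      # "" when the line carries no date


def parse_combofix(text: str) -> List[Entry]:
    """Turn key / @=CLSID / [CLSID key] / module-line quadruples and inline value lines into entries."""
    entries: List[Entry] = []
    location, pending = "", None  # pending = (location, clsid) waiting for its module line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = KEY_RE.match(line)
        if key:
            if "\\clsid\\{" not in line.lower():  # a CLSID key only introduces the module line
                location = key.group(1)
            continue
        clsid, module = CLSID_DEFAULT_RE.match(line), MODULE_RE.match(line)
        inline, ie = INLINE_RE.match(line), IE_RE.match(line)
        if clsid:
            pending = (location, clsid.group(1))
        elif module and pending:
            entries.append(Entry(pending[0], pending[1], module.group(3), int(module.group(2)), module.group(1)))
            pending = None
        elif inline:
            entries.append(Entry(location, inline.group(1), inline.group(2), int(inline.group(4)), inline.group(3)))
        elif ie:
            entries.append(Entry("IE: " + ie.group(1), ie.group(2), ie.group(3), 0, ""))
    return entries


def modules_by_path(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group load points by module so a DLL registered in several places is seen once."""
    grouped: Dict[str, List[str]] = {}
    for e in entries:
        grouped.setdefault(e.path.lower(), []).append(e.location)
    return grouped


SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def flag_user_writable(entries: List[Entry]) -> List[Entry]:
    """Triage hint, not a verdict: auto-loaded modules outside the admin-only system
    directories. Toolbars and adware usually live in the user profile, as the DownTango BHO does."""
    return [e for e in entries if not e.path.lower().startswith(SYSTEM_PREFIXES)]


if __name__ == "__main__":
    found = parse_combofix(SAMPLE_LOG)
    for path, locations in modules_by_path(found).items():
        print(f"{path}  <- {len(locations)} load point(s)")
    for e in flag_user_writable(found):
        print("REVIEW:", e.name, e.path)
```

On a real log you would paste the whole ComboFix output into `SAMPLE_LOG` (or read it from the file) and extend the regexes for any block types the scan printed that are not shown here; the grouping step is what makes a single DLL hooked from three or four load points obvious at a glance.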
 



#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 March 2013 - 07:53 PM

Please run the following:
  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • another report will be created on your desktop.
  • Please post: All RKreport.txt text files located on your desktop.


    NEXT


    Please download Junkware Removal Tool to your desktop.
    • Shutdown your antivirus to avoid any conflicts.
    • Right-mouse click JRT.exe and select Run as administrator
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message

    NEXT


    Download AdwCleaner from here and save it to your desktop.
    • Run AdwCleaner and select Delete
    • Once done it will ask to reboot, allow the reboot
    • On reboot a log will be produced, please attach the content of the log to your next reply
    NEXT
    • Please open your MalwareBytes AntiMalware Program
    • Click the Update Tab and search for updates
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



    NEXT


    Go here to run an online scanner from ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activeX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • When the scan completes, press the LIST OF THREATS FOUND button
    • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
    • Include the contents of this report in your next reply.
    • Press the BACK button.
    • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 CuriousT

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male

Posted 19 March 2013 - 11:54 AM

Hi CatByte

I'm following the directions. JRT has been running 2+ hrs with most of it being in Checking Registry - Deep Scan. Your instructions say it takes a while. There doesn't appear to be much if any disk activity according to the indicator light. How long should I wait?

Thanks again for your help!

#6 CuriousT

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male

Posted 19 March 2013 - 05:23 PM

Hi CatByte,

JRT eventually completed after about 5 hrs. I'm including the logs as requested below. One thing I noticed is that my LAN Status is still showing a lot of Received/Download activity ( 200 MB ) while there's relatively not as much Sent/Upload ( less than 20 MB ) over the course of two hours even though I was not doing anything other than running the suggested tools.

Thanks again for your help,

CuriousT

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Tony [Admin rights]
Mode : Scan -- Date : 03/19/2013 09:13:31
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST950032 5AS SATA Disk Device +++++
--- User ---
[MBR] 1f98cc3b9f543c664b7f3a68bdbd50f2
[BSP] 145bacf3f96928ad8ff6084b25ef62ff : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 461577 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 945719296 | Size: 15059 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 7818a983e78e8cef111273ef1cdfbf13
[BSP] baf9db6ae766a805a9239f6400923740 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 77824 Mo
1 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 159793152 | Size: 4000 Mo
2 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 167985152 | Size: 2000 Mo
3 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 172081152 | Size: 20000 Mo

Finished : << RKreport[1]_S_03192013_02d0913.txt >>
RKreport[1]_S_03192013_02d0913.txt

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Tony [Admin rights]
Mode : Remove -- Date : 03/19/2013 09:17:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST950032 5AS SATA Disk Device +++++
--- User ---
[MBR] 1f98cc3b9f543c664b7f3a68bdbd50f2
[BSP] 145bacf3f96928ad8ff6084b25ef62ff : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 461577 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 945719296 | Size: 15059 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 7818a983e78e8cef111273ef1cdfbf13
[BSP] baf9db6ae766a805a9239f6400923740 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 77824 Mo
1 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 159793152 | Size: 4000 Mo
2 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 167985152 | Size: 2000 Mo
3 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 172081152 | Size: 20000 Mo

Finished : << RKreport[2]_D_03192013_02d0917.txt >>
RKreport[1]_S_03192013_02d0913.txt ; RKreport[2]_D_03192013_02d0917.txt

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Tony [Admin rights]
Mode : Shortcuts HJfix -- Date : 03/19/2013 09:20:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 3 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 140 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 246 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 45 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : Root.MBR ¤¤¤

Finished : << RKreport[3]_SC_03192013_02d0920.txt >>
RKreport[1]_S_03192013_02d0913.txt ; RKreport[2]_D_03192013_02d0917.txt ; RKreport[3]_SC_03192013_02d0920.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.2 (03.15.2013:1)
OS: Windows 7 Home Premium x64
Ran by Tony on Tue 03/19/2013 at  9:27:27.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{e327b07a-0e11-4fd4-bef2-b2c5605b59c6}
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-2657143741-2729202127-2502961078-1001\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}\\URL
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\abouturls\\Tabs
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\genericasktoolbar.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.band
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.band.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.notificationsource
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.notificationsource.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.sourcesinkimpl
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.sourcesinkimpl.1
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.toolbarinfo
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\wtb.toolbarinfo.1
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{e327b07a-0e11-4fd4-bef2-b2c5605b59c6}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{e327b07a-0e11-4fd4-bef2-b2c5605b59c6}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}
Successfully deleted: [Registry Key] "hkey_current_user\software\apn"
Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"
Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"
Successfully deleted: [Registry Key] "hkey_local_machine\software\apn"
Successfully deleted: [Registry Key] "hkey_local_machine\software\asktoolbar"

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Tony\AppData\Roaming\downtangofttoolbar"
Successfully deleted: [Folder] "C:\Users\Tony\appdata\local\downtango"
Successfully deleted: [Folder] "C:\Users\Tony\appdata\locallow\downtangofttoolbar"
Successfully deleted: [Folder] "C:\Users\Tony\appdata\locallow\simplytech"
Successfully deleted: [Folder] "C:\Program Files (x86)\downtangofttoolbar"
Successfully deleted: [Folder] "C:\Users\Tony\appdata\locallow\asktoolbar"
Successfully deleted: [Folder] "C:\Program Files (x86)\ask.com"
Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 03/19/2013 at 14:39:06.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# AdwCleaner v2.115 - Logfile created 03/19/2013 at 14:55:47
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Tony - TPG_LAPTOP-HP
# Boot Mode : Normal
# Running from : C:\Users\Tony\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\END
Folder Deleted : C:\Program Files (x86)\Red Sky
Folder Deleted : C:\ProgramData\APN
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Protected Search
Folder Deleted : C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DownTango

***** [Registry] *****

Key Deleted : HKCU\Software\DownTango
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\ProtectedSearch
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{3FC27B34-0C19-49DA-875E-1875DDD4A6B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\Software\DownTango
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\DownTangoFTToolbar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\DownTangoFTToolbar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A928E66C-F501-4E66-9953-855C712F93B2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8DA8B89E-0C65-403B-8231-AB22ECFA0687}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A928E66C-F501-4E66-9953-855C712F93B2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B0E28FA0-DF07-44B6-95CE-48BE26DB9266}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E6B4EE8F-C38E-4994-BE28-229A3F92262C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FCA8936E-403A-4487-A966-70F80F1D5A6A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DownTango
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8DA8B89E-0C65-403B-8231-AB22ECFA0687}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A928E66C-F501-4E66-9953-855C712F93B2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0E28FA0-DF07-44B6-95CE-48BE26DB9266}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E6B4EE8F-C38E-4994-BE28-229A3F92262C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FCA8936E-403A-4487-A966-70F80F1D5A6A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\b37351gq.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [5420 octets] - [19/03/2013 14:55:47]

########## EOF - C:\AdwCleaner[S1].txt - [5480 octets] ##########

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.19.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tony :: TPG_LAPTOP-HP [administrator]

Protection: Disabled

3/19/2013 3:04:53 PM
mbam-log-2013-03-19 (15-04-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233184
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

ESETSCAN.txt

C:\Users\Tony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\11980559-24c5c78d a variant of Java/Exploit.Agent.NLS trojan
C:\Users\Tony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\53fc892c-47eef1a4 Java/Exploit.Agent.NLS trojan
C:\Users\Tony\Desktop\RK_Quarantine\PhysicalDrive0_User.dat Win32/Olmasco.AC trojan
C:\Users\Tony\Downloads\7zip_installer_d162802.exe probably a variant of Win32/InstallIQ application
C:\Users\Tony\Downloads\cdbxp_setup_4.4.0.2838.exe Win32/OpenCandy application
C:\Users\Tony\Downloads\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask application
 



#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:18 AM

Posted 19 March 2013 - 07:24 PM

Please run the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

  • Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Press the WinKey + R to open a run box, type Notepad > click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')
    File::
    C:\Users\Tony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\11980559-24c5c78d 
    C:\Users\Tony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\53fc892c-47eef1a4 
    C:\Users\Tony\Desktop\RK_Quarantine\PhysicalDrive0_User.dat 
    C:\Users\Tony\Downloads\7zip_installer_d162802.exe 
    C:\Users\Tony\Downloads\cdbxp_setup_4.4.0.2838.exe 
    C:\Users\Tony\Downloads\CuteWriter.exe 
    
    ClearJavaCache::
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop; save it as "CFScript"

    Here's how to do that:

    1.Click File;
    2.Click Save As... Change the directory to your desktop;
    3.Change the Save as type to "All Files";
    4.Type in the file name: CFScript
    5.Click Save ...

    (screenshot: CFScriptB-4.gif)
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update; please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    NEXT


    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • when the window opens, click on Change Parameters
    • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
    • click OK
    • Press Start Scan
      • If Malicious objects are found then ensure Cure is selected
      • If TDLFS File System/TDSS File system is found then ensure Cure is selected (if cure is not available, choose skip)
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
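The step above (copying ESET's detected paths into a File:: section and adding ClearJavaCache:: because two hits sit in the Java deployment cache) is mechanical enough to script. The following is an added example, not code from this thread, from ESET or from ComboFix; it parses the ESETSCAN.txt lines quoted earlier and renders a CFScript in the same layout, so the list can be reviewed before it is used.

```python
"""Turn ESET scan findings into a reviewable ComboFix CFScript.

Added example (not from the thread, ESET or ComboFix). Parses lines of the form
    <drive>:\<path> [probably] [a variant of] <family>/<name> <category>
and emits the File:: / ClearJavaCache:: sections a CFScript uses.
"""
import re

# Constructed sample: the ESETSCAN.txt lines quoted earlier in the thread.
ESET_LOG = """\
C:\\Users\\Tony\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\25\\11980559-24c5c78d a variant of Java/Exploit.Agent.NLS trojan
C:\\Users\\Tony\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\44\\53fc892c-47eef1a4 Java/Exploit.Agent.NLS trojan
C:\\Users\\Tony\\Desktop\\RK_Quarantine\\PhysicalDrive0_User.dat Win32/Olmasco.AC trojan
C:\\Users\\Tony\\Downloads\\7zip_installer_d162802.exe probably a variant of Win32/InstallIQ application
C:\\Users\\Tony\\Downloads\\cdbxp_setup_4.4.0.2838.exe Win32/OpenCandy application
C:\\Users\\Tony\\Downloads\\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask application
"""

# Windows paths never contain "/", so the signature token (family/name) cannot be
# swallowed by the non-greedy path group even when the path contains spaces.
LINE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.*?)\s+'
    r'(?P<qualifier>(?:probably\s+)?a variant of\s+)?'
    r'(?P<signature>\S+/\S+)\s+'
    r'(?P<category>\w+)\s*$'
)
# Java Web Start / applet cache; ComboFix's ClearJavaCache:: directive empties it.
JAVA_CACHE = '\\sun\\java\\deployment\\cache\\'


def parse_eset_line(line):
    """Return a detection dict for one ESET result line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        'path': m.group('path'),
        'signature': m.group('signature'),
        'category': m.group('category').lower(),   # "trojan" or "application" (PUA)
        'heuristic': bool(m.group('qualifier')),   # "a variant of" = heuristic match
        'java_cache': JAVA_CACHE in m.group('path').lower(),
    }


def parse_eset_log(text):
    return [d for d in (parse_eset_line(l) for l in text.splitlines()) if d]


def build_cfscript(detections, include_pua=True):
    """Render CFScript text in the layout used in the thread (File:: block,
    blank line, then ClearJavaCache:: when any hit lives in the Java cache).
    include_pua=False keeps only 'trojan' hits and drops bundled-installer PUAs."""
    chosen = [d for d in detections if include_pua or d['category'] == 'trojan']
    lines = ['File::'] + [d['path'] for d in chosen] + ['']
    if any(d['java_cache'] for d in chosen):
        lines += ['ClearJavaCache::', '']
    return '\n'.join(lines)


if __name__ == '__main__':
    found = parse_eset_log(ESET_LOG)
    for d in found:
        kind = 'heuristic' if d['heuristic'] else 'exact'
        print(f"{d['category']:<12} {kind:<9} {d['signature']:<28} {d['path']}")
    print()
    print(build_cfscript(found))
```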


#8 CuriousT

CuriousT
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:08:18 AM

Posted 20 March 2013 - 08:18 AM

Thanks CatByte!

 

ComboFix ran fine but TDSSKiller does not run. I get an hour glass and then nothing. I tried renaming it as well.

 

Three things I noted:

1) Still have cursor Auto Select behavior

2) Still have a lot of Receive/Download occurring (20+ MB in less than 10 minutes) whenever I connect to Internet and without my doing anything.

3) Get the following message in Warning - Security window when ComboFix was running. I've gotten this before too:

 

The application's digital signature cannot be verified. 

Do you want to run the application?

 

Name: System Security Update

Publisher: UNKNOWN

From: Tech.net.microsoft.windows.update.system.release.gie.6targetdayanalize.info

 

 

ComboFix 13-03-19.01 - Tony 03/19/2013  21:04:02.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3835.1400 [GMT -4:00]
Running from: c:\users\Tony\Desktop\ComboFix.exe
Command switches used :: c:\users\Tony\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Tony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\11980559-24c5c78d"
"c:\users\Tony\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\53fc892c-47eef1a4"
"c:\users\Tony\Desktop\RK_Quarantine\PhysicalDrive0_User.dat"
"c:\users\Tony\Downloads\7zip_installer_d162802.exe"
"c:\users\Tony\Downloads\cdbxp_setup_4.4.0.2838.exe"
"c:\users\Tony\Downloads\CuteWriter.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair
c:\users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\System Repair.lnk
c:\users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
c:\users\Tony\Desktop\RK_Quarantine\PhysicalDrive0_User.dat
c:\users\Tony\Downloads\7zip_installer_d162802.exe
c:\users\Tony\Downloads\cdbxp_setup_4.4.0.2838.exe
c:\users\Tony\Downloads\CuteWriter.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-20 to 2013-03-20  )))))))))))))))))))))))))))))))
.
.
2013-03-20 02:17 . 2013-03-20 02:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-20 02:17 . 2013-03-20 02:17 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-03-19 19:19 . 2013-03-19 19:19 -------- d-----w- c:\program files (x86)\ESET
2013-03-19 13:27 . 2013-03-19 13:27 -------- d-----w- c:\windows\ERUNT
2013-03-19 13:26 . 2013-03-19 13:26 -------- d-----w- C:\JRT
2013-03-14 17:30 . 2013-03-14 17:30 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-03-13 19:51 . 2013-03-13 19:51 -------- d-----w- c:\windows\Sun
2013-03-13 03:24 . 2013-03-13 03:24 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-03-13 03:22 . 2013-03-13 03:22 544688 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-13 03:22 . 2013-03-13 03:22 193968 ----a-w- c:\windows\system32\javaws.exe
2013-03-13 03:22 . 2013-03-13 03:22 172976 ----a-w- c:\windows\system32\javaw.exe
2013-03-13 03:22 . 2013-03-13 03:22 172976 ----a-w- c:\windows\system32\java.exe
2013-03-13 03:19 . 2013-03-13 03:19 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-03-13 02:41 . 2013-03-13 02:41 -------- d-----w- c:\users\Tony\AppData\Local\Secunia PSI
2013-03-13 02:40 . 2013-03-13 02:40 -------- d-----w- c:\program files (x86)\Secunia
2013-03-13 00:26 . 2013-03-13 00:26 -------- d-----w- c:\users\Tony\AppData\Roaming\Malwarebytes
2013-03-13 00:25 . 2013-03-13 00:25 -------- d-----w- c:\programdata\Malwarebytes
2013-03-13 00:25 . 2013-03-13 00:25 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-13 00:25 . 2013-03-13 00:25 -------- d-----w- c:\users\Tony\AppData\Local\Programs
2013-03-12 23:28 . 2013-03-12 23:28 -------- d-----w- c:\program files (x86)\7-zip
2013-03-11 18:42 . 2013-01-30 17:12 143104 ----a-w- c:\windows\system32\SSCbFsNetRdr3.dll
2013-03-11 18:42 . 2013-01-30 17:12 192256 ----a-w- c:\windows\system32\SSCbFsMntNtf3.dll
2013-03-11 18:42 . 2013-01-30 17:12 159488 ----a-w- c:\windows\SysWow64\SSCbFsMntNtf3.dll
2013-03-11 18:42 . 2013-01-30 17:12 225024 ----a-w- c:\windows\SysWow64\SSCbFsNetRdr3.dll
2013-03-11 18:40 . 2013-01-30 17:11 347904 ----a-w- c:\windows\system32\drivers\sscbfs3.sys
2013-02-26 17:31 . 2013-02-26 17:31 -------- d-----w- c:\program files\iPod
2013-02-26 17:31 . 2013-02-26 17:32 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-02-26 17:31 . 2013-02-26 17:32 -------- d-----w- c:\program files\iTunes
2013-02-26 17:31 . 2013-02-26 17:32 -------- d-----w- c:\program files (x86)\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-13 03:24 . 2011-04-13 23:28 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-13 03:22 . 2011-04-13 23:28 526256 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-13 02:52 . 2012-07-25 14:30 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-13 02:52 . 2011-10-05 06:39 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-19 18:59 . 2012-04-26 21:09 70112 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-02-19 18:56 . 2012-04-26 21:09 340216 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-02-19 18:56 . 2012-04-26 20:28 182752 ----a-w- c:\windows\system32\mfevtps.exe
2013-02-19 18:55 . 2012-04-26 21:09 10728 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-02-19 18:55 . 2012-04-26 21:09 106552 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-02-19 18:54 . 2012-02-22 17:29 771536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-02-19 18:53 . 2012-04-26 21:09 515968 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-02-19 18:53 . 2012-04-26 21:09 309840 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-02-19 18:52 . 2012-02-22 17:29 179280 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-02-07 12:15 . 2013-02-07 12:15 18456 ----a-w- c:\windows\system32\drivers\psi_mf_amd64.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-06-27 21:45 208608 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-06-27 21:45 208608 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-06-27 21:45 208608 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 17:12 159488 ----a-w- c:\windows\SysWOW64\SSCbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SugarSync"="c:\program files (x86)\SugarSync\SugarSync.exe" [2013-02-13 12343648]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-28 336384]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2011-03-16 61112]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-01-18 318520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-01-14 1534504]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2013-2-7 575000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\SysWOW64\SSCbFsMntNtf3.dll" [2013-01-30 159488]
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"EldosMountNotificator"= {C28617FD-4FE7-4043-AD51-C8132CE90106} - c:\windows\SysWOW64\SSCbFsMntNtf3.dll [2013-01-30 159488]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-02-05 235216]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-02-19 106552]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]
R3 PTUMLBUS;PTUML USB Composite Device Driver;c:\windows\system32\DRIVERS\PTUMLBUS.sys [2010-11-02 73616]
R3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;c:\windows\system32\DRIVERS\PTUMLCVsp.sys [2010-11-02 182672]
R3 PTUMLMdm;PANTECH UML290;c:\windows\system32\DRIVERS\PTUMLMdm.sys [2010-11-02 182672]
R3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);c:\windows\system32\DRIVERS\PTUMLNET61.sys [2010-11-02 98832]
R3 PTUMLNVsp;PANTECH UML290 NMEA Port;c:\windows\system32\DRIVERS\PTUMLNVsp.sys [2010-11-02 183824]
R3 PTUMLRMNET;PANTECH UML290 RMNET Service;c:\windows\system32\DRIVERS\PTUMLRMNET.sys [2010-11-02 69136]
R3 PTUMLVsp;PANTECH UML290 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMLVsp.sys [2010-11-02 182672]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-05 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2011-01-29 77952]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2011-01-29 38016]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-02-19 340216]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-02-28 203776]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-02-28 354304]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
S2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-28 92216]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2013-02-19 218760]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-02-19 182752]
S2 ptumlcmsvc;PTUML290 Connection Manager Service;c:\windows\system32\ptumlcmsvc64.exe [2010-11-03 138768]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2013-02-07 1223704]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2013-02-07 660504]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-02-19 70112]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-28 31088]
S3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-02-19 515968]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2011-03-07 1353280]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys [2013-02-07 18456]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-05 436840]
S3 SSCBFS3;SugarSync CallBack File System driver v3;c:\windows\system32\DRIVERS\sscbfs3.sys [2013-01-30 347904]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-29 44672]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-25 02:52]
.
2013-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 06:39]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 06:39]
.
2013-03-01 c:\windows\Tasks\HPCeeScheduleForTony.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-06-27 21:45 232672 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-06-27 21:45 232672 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-06-27 21:45 232672 ----a-w- c:\users\Tony\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{69925D1B-6A0F-4413-861A-81AB98039DB9}"
[HKEY_CLASSES_ROOT\CLSID\{69925D1B-6A0F-4413-861A-81AB98039DB9}]
2013-01-30 17:12 192256 ----a-w- c:\windows\System32\SSCbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 00:50 755816 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{39D54CC2-69CF-43b4-B167-577D25E7F496}"
[HKEY_CLASSES_ROOT\CLSID\{39D54CC2-69CF-43b4-B167-577D25E7F496}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncSharedPending]
@="{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}"
[HKEY_CLASSES_ROOT\CLSID\{F7395C2E-A5D8-4a32-9536-5C6A9F1DC450}]
2013-02-13 18:53 2198368 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="H.EXE" [BU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-15 1128448]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C28617FD-4FE7-4043-AD51-C8132CE90106}"= "c:\windows\system32\SSCbFsMntNtf3.dll" [2013-01-30 192256]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{2d8ee268-8d7a-4996-b80b-8999ce8c7fe2} - {e327b07a-0e11-4fd4-bef2-b2c5605b59c6} -
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 198.224.187.135 198.224.186.135
FF - ProfilePath - c:\users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\b37351gq.default\
FF - ExtSQL: 2013-03-12 23:24; {CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0043-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SSODL-EldosMountNotificator    REG_SZ    {C28617FD-4FE7-4043-AD51-C8132CE90106}- - (no file)
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-{4a505538-f48f-412e-9b69-dbac7e3149c3}_is1 - c:\program files (x86)\DownTangoFTToolbar\unins000.exe
AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-19  22:42:38
ComboFix-quarantined-files.txt  2013-03-20 02:42
ComboFix2.txt  2013-03-18 23:57
.
Pre-Run: 341,210,046,464 bytes free
Post-Run: 341,322,301,440 bytes free
.
- - End Of File - - BA7EB3CC4E00330612FE43BBBEF25BF8



#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:18 AM

Posted 20 March 2013 - 05:33 PM

Please try the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 CuriousT

CuriousT
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:18 AM

Posted 21 March 2013 - 09:24 AM

Hi CatByte

I got into Advanced Boot Options but when I select System Repair I get a blank screen. There is no disk activity at all, even when I press Esc, Ctrl-Alt-Del or Enter. The only thing it responds to is holding down the Power button till my laptop shuts down.

Thanks
CuriousT

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:18 AM

Posted 21 March 2013 - 05:08 PM

do you have an installation disk you can use?

If not, make a repair disk


Note that this disk can only be used to access the Recovery Environment, not to reinstall Windows 7.
  • Press Windows Key + R, type recdisc.exe in the runbox and press enter.
  • If you get a UAC prompt, allow the application to run by clicking Yes. You will see the following:

    [screenshot]

  • Make sure you have a blank CD or DVD in your CD/DVD drive and click Create disc. Note: If AutoPlay comes up, just close it.
  • When the System Repair Disk has been created, click Close and then OK. Your System Repair Disk is now ready for use.
  • Start PC, Insert Windows 7 DVD and hit a key when asked to. You may have to change your boot order to boot from DVD!

    Click on Repair your computer:
    [screenshot]
    The installer will scan your PC for previous Windows installations:
    [screenshot]
    Click on Command Prompt:
    [screenshot]

    Make sure your BIOS is set to boot from CD first.

    See if you can now boot to the recovery environment.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 CuriousT

CuriousT
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:18 AM

Posted 23 March 2013 - 06:49 PM

Hi CatByte,

Here's the log from FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 10 days old)
Ran by SYSTEM at 23-03-2013 19:05:42
Running from I:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] H.EXE [x]
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-02-14] (IDT, Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [336384 2011-02-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [94264 2011-02-15] (Hewlett-Packard Development Company L.P.)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [61112 2011-03-16] (EasyBits Software AS)
HKLM-x32\...\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [318520 2011-01-17] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1534504 2013-01-14] (McAfee, Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKU\Tony\...\Run: [SugarSync] "C:\Program Files (x86)\SugarSync\SugarSync.exe" -startInTray -usedelay=true [12343648 2013-02-13] (SugarSync, Inc.)
HKU\Tony\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-10-04] (Google Inc.)
HKU\Tony\...\Policies\system: [DisableLockWorkstation] 0
HKU\Tony\...\Policies\system: [DisableChangePassword] 0
Tcpip\Parameters: [DhcpNameServer] 198.224.187.135 198.224.186.135

==================== Services (Whitelisted) ===================

2 AMD Reservation Manager; "C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe" [194496 2010-06-17] (Advanced Micro Devices)
3 hpCMSrv; "C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe" [1071160 2011-02-15] (Hewlett-Packard Development Company L.P.)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe" [235216 2013-02-05] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [383608 2012-11-16] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [241456 2013-02-19] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218760 2013-02-19] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [182752 2013-02-19] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [201304 2012-08-31] (McAfee, Inc.)
2 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [1223704 2013-02-07] (Secunia)
2 Secunia Update Agent; "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [660504 2013-02-07] (Secunia)

==================== Drivers (Whitelisted) =====================

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
3 HipShieldK; C:\Windows\System32\Drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2013-02-07] (Secunia)
3 SSCBFS3; C:\Windows\System32\Drivers\SSCBFS3.sys [347904 2013-01-30] (EldoS Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]
3 mfeavfk01;  [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-03-20 03:27 - 2013-03-20 03:28 - 02218636 ____A C:\Users\Tony\Desktop\tdsskiller.zip
2013-03-19 18:42 - 2013-03-19 18:42 - 00028963 ____A C:\ComboFix.txt
2013-03-19 16:53 - 2013-03-19 18:43 - 00000000 ____D C:\ComboFix
2013-03-19 14:04 - 2013-03-19 14:04 - 00000597 ____A C:\Users\Tony\Desktop\ESETSCAN - 20130319.txt
2013-03-19 11:19 - 2013-03-19 11:19 - 00000000 ____D C:\Program Files (x86)\ESET
2013-03-19 11:01 - 2013-03-19 11:01 - 00005529 ____A C:\Users\Tony\Desktop\AdwCleaner[S1] - 20130319.txt
2013-03-19 10:55 - 2013-03-19 10:56 - 00005529 ____A C:\AdwCleaner[S1].txt
2013-03-19 10:39 - 2013-03-19 10:39 - 00006037 ____A C:\Users\Tony\Desktop\JRT - 20130319.txt
2013-03-19 05:27 - 2013-03-19 05:27 - 00000000 ____D C:\Windows\ERUNT
2013-03-19 05:26 - 2013-03-19 05:26 - 00000000 ____D C:\JRT
2013-03-19 05:20 - 2013-03-19 05:20 - 00001311 ____A C:\Users\Tony\Desktop\RKreport[3]_SC_03192013_02d0920.txt
2013-03-19 05:17 - 2013-03-19 05:17 - 00002759 ____A C:\Users\Tony\Desktop\RKreport[2]_D_03192013_02d0917.txt
2013-03-19 05:13 - 2013-03-19 05:13 - 00002738 ____A C:\Users\Tony\Desktop\RKreport[1]_S_03192013_02d0913.txt
2013-03-19 05:10 - 2013-03-19 18:14 - 00000000 ____D C:\Users\Tony\Desktop\RK_Quarantine
2013-03-19 05:06 - 2013-03-19 05:09 - 00000000 ____D C:\Users\Tony\Desktop\Cleaning
2013-03-18 19:33 - 2013-03-18 19:33 - 00609993 ____A C:\Users\Tony\Desktop\adwcleaner.exe
2013-03-18 19:31 - 2013-03-18 19:31 - 00549920 ____A (Oleg N. Scherbakov) C:\Users\Tony\Desktop\JRT Junkware Removal Tool.exe
2013-03-18 19:29 - 2013-03-18 19:29 - 00791040 ____A C:\Users\Tony\Desktop\RogueKillerX64.exe
2013-03-18 14:38 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2013-03-18 14:38 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2013-03-18 14:38 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-03-18 14:38 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-03-18 14:38 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-03-18 14:38 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2013-03-18 14:38 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2013-03-18 14:38 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2013-03-18 14:30 - 2013-03-19 18:43 - 00000000 ____D C:\Qoobox
2013-03-18 14:29 - 2013-03-18 15:37 - 00000000 ____D C:\Windows\erdnt
2013-03-18 14:16 - 2013-03-19 16:49 - 05041561 ____R (Swearware) C:\Users\Tony\Desktop\ComboFix.exe
2013-03-18 14:04 - 2013-03-11 10:42 - 00001905 ____A C:\Users\Public\Desktop\SugarSync.lnk
2013-03-18 14:04 - 2012-04-15 10:48 - 00002513 ____A C:\Users\Public\Desktop\TurboTax 2011.lnk
2013-03-18 14:04 - 2011-12-19 20:58 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2013-03-18 14:04 - 2011-10-08 15:57 - 00001296 ____A C:\Users\Public\Desktop\ZoomBrowser EX.lnk
2013-03-18 14:04 - 2011-10-08 12:23 - 00001806 ____A C:\Users\Public\Desktop\Quicken Home & Business 2009.lnk
2013-03-18 14:04 - 2011-06-22 01:07 - 00002128 ____A C:\Users\Public\Desktop\Snapfish.lnk
2013-03-18 13:57 - 2013-03-18 14:04 - 00002124 ____A C:\Users\Tony\Desktop\unhide - 20130318.txt
2013-03-16 15:17 - 2013-03-16 15:17 - 00022781 ____A C:\Users\Tony\Desktop\DDS Notepad - 20130316.txt
2013-03-16 15:17 - 2013-03-16 15:17 - 00010474 ____A C:\Users\Tony\Desktop\DDS Attach - 20130316.txt
2013-03-16 15:08 - 2013-03-16 15:08 - 00010474 ____A C:\Users\Tony\Desktop\attach.txt
2013-03-16 15:08 - 2013-03-16 15:07 - 00022781 ____A C:\Users\Tony\Desktop\dds.txt
2013-03-16 15:02 - 2013-03-16 15:02 - 00688992 ____R (Swearware) C:\Users\Tony\Desktop\dds.com
2013-03-16 09:36 - 2013-03-16 09:36 - 00001103 ____A C:\Users\Tony\Desktop\Apple iPod USB Device - Shortcut.lnk
2013-03-15 14:15 - 2013-03-15 16:11 - 00000000 ____D C:\Users\Tony\Desktop\tdsskiller
2013-03-15 13:26 - 2013-03-15 13:26 - 00001460 ____A C:\Users\Tony\Desktop\sc-cleaner - 20130315.txt
2013-03-15 13:25 - 2013-03-15 13:25 - 00385440 ____A (Bleeping Computer, LLC) C:\Users\Tony\Desktop\sc-cleaner.exe
2013-03-14 09:30 - 2013-03-14 09:30 - 00000000 ____D C:\ProgramData\Mozilla
2013-03-14 09:30 - 2013-03-14 09:30 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-03-13 11:51 - 2013-03-13 11:51 - 00000000 ____D C:\Windows\Sun
2013-03-12 19:24 - 2013-03-12 19:24 - 00477616 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2013-03-12 19:24 - 2013-03-12 19:24 - 00158128 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2013-03-12 19:24 - 2013-03-12 19:24 - 00149936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2013-03-12 19:24 - 2013-03-12 19:24 - 00149936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2013-03-12 19:22 - 2013-03-12 19:22 - 00544688 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2013-03-12 19:22 - 2013-03-12 19:22 - 00193968 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2013-03-12 19:22 - 2013-03-12 19:22 - 00172976 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2013-03-12 19:22 - 2013-03-12 19:22 - 00172976 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2013-03-12 19:19 - 2013-03-12 19:19 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2013-03-12 19:19 - 2013-03-12 19:19 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-03-12 18:52 - 2013-03-23 13:36 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-12 18:41 - 2013-03-12 18:41 - 00000000 ____D C:\Users\Tony\AppData\Local\Secunia PSI
2013-03-12 18:40 - 2013-03-12 18:40 - 00000000 ____D C:\Program Files (x86)\Secunia
2013-03-12 18:37 - 2013-03-12 18:37 - 03199760 ____A (Secunia) C:\Users\Tony\Desktop\PSISetup.exe
2013-03-12 17:59 - 2013-02-26 09:32 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-03-12 17:59 - 2012-08-26 12:05 - 00001833 ____A C:\Users\Public\Desktop\Elyse.lnk
2013-03-12 17:59 - 2012-06-07 13:23 - 00001248 ____A C:\Users\Public\Desktop\Google Calendar.lnk
2013-03-12 17:59 - 2011-04-13 15:30 - 00002179 ____A C:\Users\Public\Desktop\HP Support Assistant.lnk
2013-03-12 17:59 - 2011-04-13 15:12 - 00002107 ____A C:\Users\Public\Desktop\Blio.lnk
2013-03-12 17:51 - 2013-03-13 15:18 - 00002472 ____A C:\Users\Tony\Desktop\unhide - 20130313.txt
2013-03-12 17:49 - 2013-03-12 17:49 - 00398752 ____A (Bleeping Computer, LLC) C:\Users\Tony\Desktop\unhide.exe
2013-03-12 16:26 - 2013-03-12 16:26 - 00000000 ____D C:\Users\Tony\AppData\Roaming\Malwarebytes
2013-03-12 16:25 - 2013-03-12 16:25 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-03-12 16:25 - 2013-03-12 16:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-03-12 16:25 - 2013-03-12 16:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-12 16:22 - 2013-03-12 16:23 - 10156424 ____A (Malwarebytes Corporation                                    ) C:\Users\Tony\Desktop\mbam-setup.exe
2013-03-12 15:46 - 2013-03-12 15:47 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Tony\Desktop\iexplore123.exe
2013-03-12 15:28 - 2013-03-12 15:28 - 00000000 ____D C:\Program Files (x86)\7-zip
2013-03-12 12:57 - 2013-03-12 13:25 - 00000176 ____A C:\ProgramData\-sASAjCWuus
2013-03-12 12:57 - 2013-03-12 12:57 - 00000176 ____A C:\ProgramData\-sASAjCWuusr
2013-03-11 10:42 - 2013-01-30 09:12 - 00225024 ____A (EldoS Corporation) C:\Windows\SysWOW64\SSCbFsNetRdr3.dll
2013-03-11 10:42 - 2013-01-30 09:12 - 00192256 ____A (EldoS Corporation) C:\Windows\System32\SSCbFsMntNtf3.dll
2013-03-11 10:42 - 2013-01-30 09:12 - 00159488 ____A (EldoS Corporation) C:\Windows\SysWOW64\SSCbFsMntNtf3.dll
2013-03-11 10:42 - 2013-01-30 09:12 - 00143104 ____A (EldoS Corporation) C:\Windows\System32\SSCbFsNetRdr3.dll
2013-03-11 10:40 - 2013-01-30 09:11 - 00347904 ____A (EldoS Corporation) C:\Windows\System32\Drivers\sscbfs3.sys
2013-03-11 10:34 - 2013-03-11 10:40 - 20286592 ____A (SugarSync, Inc.) C:\Users\Tony\Downloads\SugarSyncSetup.exe
2013-02-26 09:31 - 2013-02-26 09:32 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-02-26 09:31 - 2013-02-26 09:32 - 00000000 ____D C:\Program Files\iTunes
2013-02-26 09:31 - 2013-02-26 09:32 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-02-26 09:31 - 2013-02-26 09:31 - 00000000 ____D C:\Program Files\iPod


==================== One Month Modified Files and Folders =======

2013-03-23 19:04 - 2013-03-23 19:04 - 00000000 ____D C:\FRST
2013-03-23 14:42 - 2011-10-04 05:27 - 02085876 ____A C:\Windows\System32\ptumlacsvc-0.log
2013-03-23 14:41 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-23 14:41 - 2009-07-13 20:51 - 00060175 ____A C:\Windows\setupact.log
2013-03-23 14:28 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-23 14:28 - 2009-07-13 20:45 - 00032064 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-23 14:27 - 2011-06-22 00:57 - 02074511 ____A C:\Windows\WindowsUpdate.log
2013-03-23 14:27 - 2009-07-13 21:13 - 00782154 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-23 14:04 - 2011-10-04 22:39 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-23 14:01 - 2011-10-04 22:39 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-23 13:36 - 2013-03-12 18:52 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-23 11:06 - 2012-06-27 12:48 - 00000000 ____D C:\Users\Tony\AppData\Local\SugarSync
2013-03-21 06:10 - 2009-07-13 21:08 - 00032592 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-03-20 06:51 - 2010-11-20 19:47 - 00353800 ____A C:\Windows\PFRO.log
2013-03-20 03:29 - 2013-02-11 14:51 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Tony\Desktop\iExplore3.exe
2013-03-20 03:28 - 2013-03-20 03:27 - 02218636 ____A C:\Users\Tony\Desktop\tdsskiller.zip
2013-03-19 18:43 - 2013-03-19 16:53 - 00000000 ____D C:\ComboFix
2013-03-19 18:43 - 2013-03-18 14:30 - 00000000 ____D C:\Qoobox
2013-03-19 18:42 - 2013-03-19 18:42 - 00028963 ____A C:\ComboFix.txt
2013-03-19 18:21 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2013-03-19 18:14 - 2013-03-19 05:10 - 00000000 ____D C:\Users\Tony\Desktop\RK_Quarantine
2013-03-19 16:49 - 2013-03-18 14:16 - 05041561 ____R (Swearware) C:\Users\Tony\Desktop\ComboFix.exe
2013-03-19 14:04 - 2013-03-19 14:04 - 00000597 ____A C:\Users\Tony\Desktop\ESETSCAN - 20130319.txt
2013-03-19 11:19 - 2013-03-19 11:19 - 00000000 ____D C:\Program Files (x86)\ESET
2013-03-19 11:01 - 2013-03-19 11:01 - 00005529 ____A C:\Users\Tony\Desktop\AdwCleaner[S1] - 20130319.txt
2013-03-19 10:56 - 2013-03-19 10:55 - 00005529 ____A C:\AdwCleaner[S1].txt
2013-03-19 10:39 - 2013-03-19 10:39 - 00006037 ____A C:\Users\Tony\Desktop\JRT - 20130319.txt
2013-03-19 05:27 - 2013-03-19 05:27 - 00000000 ____D C:\Windows\ERUNT
2013-03-19 05:26 - 2013-03-19 05:26 - 00000000 ____D C:\JRT
2013-03-19 05:20 - 2013-03-19 05:20 - 00001311 ____A C:\Users\Tony\Desktop\RKreport[3]_SC_03192013_02d0920.txt
2013-03-19 05:17 - 2013-03-19 05:17 - 00002759 ____A C:\Users\Tony\Desktop\RKreport[2]_D_03192013_02d0917.txt
2013-03-19 05:13 - 2013-03-19 05:13 - 00002738 ____A C:\Users\Tony\Desktop\RKreport[1]_S_03192013_02d0913.txt
2013-03-19 05:09 - 2013-03-19 05:06 - 00000000 ____D C:\Users\Tony\Desktop\Cleaning
2013-03-18 19:33 - 2013-03-18 19:33 - 00609993 ____A C:\Users\Tony\Desktop\adwcleaner.exe
2013-03-18 19:31 - 2013-03-18 19:31 - 00549920 ____A (Oleg N. Scherbakov) C:\Users\Tony\Desktop\JRT Junkware Removal Tool.exe
2013-03-18 19:29 - 2013-03-18 19:29 - 00791040 ____A C:\Users\Tony\Desktop\RogueKillerX64.exe
2013-03-18 15:37 - 2013-03-18 14:29 - 00000000 ____D C:\Windows\erdnt
2013-03-18 14:04 - 2013-03-18 13:57 - 00002124 ____A C:\Users\Tony\Desktop\unhide - 20130318.txt
2013-03-16 15:17 - 2013-03-16 15:17 - 00022781 ____A C:\Users\Tony\Desktop\DDS Notepad - 20130316.txt
2013-03-16 15:17 - 2013-03-16 15:17 - 00010474 ____A C:\Users\Tony\Desktop\DDS Attach - 20130316.txt
2013-03-16 15:08 - 2013-03-16 15:08 - 00010474 ____A C:\Users\Tony\Desktop\attach.txt
2013-03-16 15:07 - 2013-03-16 15:08 - 00022781 ____A C:\Users\Tony\Desktop\dds.txt
2013-03-16 15:02 - 2013-03-16 15:02 - 00688992 ____R (Swearware) C:\Users\Tony\Desktop\dds.com
2013-03-16 09:36 - 2013-03-16 09:36 - 00001103 ____A C:\Users\Tony\Desktop\Apple iPod USB Device - Shortcut.lnk
2013-03-16 09:04 - 2011-12-05 17:35 - 00000000 ____D C:\Users\Tony\AppData\Local\CrashDumps
2013-03-15 16:11 - 2013-03-15 14:15 - 00000000 ____D C:\Users\Tony\Desktop\tdsskiller
2013-03-15 13:26 - 2013-03-15 13:26 - 00001460 ____A C:\Users\Tony\Desktop\sc-cleaner - 20130315.txt
2013-03-15 13:25 - 2013-03-15 13:25 - 00385440 ____A (Bleeping Computer, LLC) C:\Users\Tony\Desktop\sc-cleaner.exe
2013-03-14 09:30 - 2013-03-14 09:30 - 00000000 ____D C:\ProgramData\Mozilla
2013-03-14 09:30 - 2013-03-14 09:30 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-03-14 09:30 - 2012-12-29 12:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-03-13 15:18 - 2013-03-12 17:51 - 00002472 ____A C:\Users\Tony\Desktop\unhide - 20130313.txt
2013-03-13 13:30 - 2011-11-26 15:11 - 00794900 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-03-13 11:51 - 2013-03-13 11:51 - 00000000 ____D C:\Windows\Sun
2013-03-12 19:24 - 2013-03-12 19:24 - 00477616 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2013-03-12 19:24 - 2013-03-12 19:24 - 00158128 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2013-03-12 19:24 - 2013-03-12 19:24 - 00149936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2013-03-12 19:24 - 2013-03-12 19:24 - 00149936 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2013-03-12 19:24 - 2011-04-13 15:28 - 00473520 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2013-03-12 19:22 - 2013-03-12 19:22 - 00544688 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2013-03-12 19:22 - 2013-03-12 19:22 - 00193968 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2013-03-12 19:22 - 2013-03-12 19:22 - 00172976 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2013-03-12 19:22 - 2013-03-12 19:22 - 00172976 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2013-03-12 19:22 - 2011-04-13 15:28 - 00526256 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2013-03-12 19:22 - 2011-04-13 15:21 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2013-03-12 19:19 - 2013-03-12 19:19 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2013-03-12 19:19 - 2013-03-12 19:19 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-03-12 19:19 - 2011-04-13 15:25 - 00000000 ____D C:\ProgramData\Adobe
2013-03-12 18:52 - 2012-07-25 06:30 - 00691568 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-03-12 18:52 - 2011-10-04 22:39 - 00071024 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-03-12 18:41 - 2013-03-12 18:41 - 00000000 ____D C:\Users\Tony\AppData\Local\Secunia PSI
2013-03-12 18:40 - 2013-03-12 18:40 - 00000000 ____D C:\Program Files (x86)\Secunia
2013-03-12 18:37 - 2013-03-12 18:37 - 03199760 ____A (Secunia) C:\Users\Tony\Desktop\PSISetup.exe
2013-03-12 17:49 - 2013-03-12 17:49 - 00398752 ____A (Bleeping Computer, LLC) C:\Users\Tony\Desktop\unhide.exe
2013-03-12 16:26 - 2013-03-12 16:26 - 00000000 ____D C:\Users\Tony\AppData\Roaming\Malwarebytes
2013-03-12 16:25 - 2013-03-12 16:25 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-03-12 16:25 - 2013-03-12 16:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-03-12 16:25 - 2013-03-12 16:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-12 16:23 - 2013-03-12 16:22 - 10156424 ____A (Malwarebytes Corporation                                    ) C:\Users\Tony\Desktop\mbam-setup.exe
2013-03-12 15:47 - 2013-03-12 15:46 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Tony\Desktop\iexplore123.exe
2013-03-12 15:28 - 2013-03-12 15:28 - 00000000 ____D C:\Program Files (x86)\7-zip
2013-03-12 13:25 - 2013-03-12 12:57 - 00000176 ____A C:\ProgramData\-sASAjCWuus
2013-03-12 13:15 - 2012-06-27 12:48 - 00000000 ____D C:\Program Files (x86)\SugarSync
2013-03-12 13:15 - 2012-04-26 13:09 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-03-12 12:57 - 2013-03-12 12:57 - 00000176 ____A C:\ProgramData\-sASAjCWuusr
2013-03-12 12:55 - 2011-10-03 16:02 - 00000000 ____D C:\users\Tony
2013-03-11 15:01 - 2011-10-10 18:12 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2013-03-11 10:42 - 2013-03-18 14:04 - 00001905 ____A C:\Users\Public\Desktop\SugarSync.lnk
2013-03-11 10:40 - 2013-03-11 10:34 - 20286592 ____A (SugarSync, Inc.) C:\Users\Tony\Downloads\SugarSyncSetup.exe
2013-03-07 13:11 - 2011-11-26 15:25 - 00000000 ____D C:\Users\Tony\AppData\Local\CutePDF Writer
2013-03-07 12:54 - 2012-04-26 13:09 - 00000000 ____D C:\Program Files\Common Files\McAfee
2013-03-07 12:46 - 2011-12-05 13:18 - 00000000 ____D C:\Categories
2013-03-01 15:46 - 2012-01-05 14:22 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForTony.job
2013-02-26 09:32 - 2013-03-12 17:59 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-02-26 09:32 - 2013-02-26 09:31 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-02-26 09:32 - 2013-02-26 09:31 - 00000000 ____D C:\Program Files\iTunes
2013-02-26 09:32 - 2013-02-26 09:31 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-02-26 09:31 - 2013-02-26 09:31 - 00000000 ____D C:\Program Files\iPod


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-02-23 17:53:27
Restore point made on: 2013-02-24 16:00:28
Restore point made on: 2013-03-07 13:38:35
Restore point made on: 2013-03-11 10:41:44
Restore point made on: 2013-03-18 14:39:04

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3834.9 MB
Available physical RAM: 3128.66 MB
Total Pagefile: 3833.05 MB
Available Pagefile: 3118.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:450.76 GB) (Free:316.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:14.71 GB) (Free:1.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
4 Drive g: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.27 GB) (Free:0 GB) UDF
5 Drive h: (CATEGORIES) (Removable) (Total:3.68 GB) (Free:0.09 GB) FAT32
6 Drive i: () (Removable) (Total:1.83 GB) (Free:0.06 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
8 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B        
  Disk 1    Online         3776 MB      0 B        
  Disk 2    Online         1876 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 08F0C05B

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            199 MB  1024 KB
  Partition 2    Primary            450 GB   200 MB
  Partition 3    Primary             14 GB   450 GB
  Partition 4    Primary            103 MB   465 GB

==================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   SYSTEM       NTFS   Partition    199 MB  Healthy           

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    450 GB  Healthy           

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   RECOVERY     NTFS   Partition     14 GB  Healthy           

=========================================================

Disk: 0
Partition 4
Type  : 0C
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   HP_TOOLS     FAT32  Partition    103 MB  Healthy           

=========================================================

Partitions of Disk 1:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3772 MB  4096 KB

==================================================================================

Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H   CATEGORIES   FAT32  Removable   3772 MB  Healthy           

=========================================================

Partitions of Disk 2:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1875 MB    68 KB

==================================================================================

Disk: 2
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 6     I                FAT    Removable   1875 MB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 08F0C05B

Partition 1:
=========
Hex: 80202100077E25190008000000380600
Active: YES
Type: 07 (NTFS)
Size: 199 MB

Partition 2:
=========
Hex: 007E261907FEFFFF0040060000485838
Active: NO
Type: 07 (NTFS)
Size: 451 GB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF00885E380098D601
Active: NO
Type: 07 (NTFS)
Size: 15 GB

Partition 4:
=========
Hex: 00FEFFFF0CFEFFFF0020353A30380300
Active: NO
Type: 0C
Size: 103 MB

==============================
Partitions of Disk 1:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 000203010B7DFDBE0020000000E07500
Active: NO
Type: 0B
Size: 4 GB

==============================
Partitions of Disk 2:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 00020C000638F8B889000000779F3A00
Active: NO
Type: 06
Size: 2 GB


Last Boot: 2013-03-14 20:09

==================== End Of Log =============================
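The log above prints each MBR entry as a raw 16-byte "Hex:" value and then its decoded Active/Type/Size. As an added example (not from the thread or from the FRST/ListParts tools), the Python below decodes those entries from the log using the standard MBR entry layout and flags the table-level inconsistencies a responder checks when a log warns of possible MBR/partition tampering; the field layout and 512-byte sectors are assumptions.

```python
"""Decode the 16-byte MBR partition entries that ListParts prints as 'Hex:'.
Added example (not part of the thread or of the FRST/ListParts tools). The
standard MBR entry layout is assumed: status byte, CHS start, type byte, CHS
end, 32-bit LE LBA start, 32-bit LE sector count; 512-byte sectors assumed."""
import struct

SECTOR = 512
KNOWN_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32 CHS", 0x0C: "FAT32 LBA"}

# The four Disk 0 entries exactly as printed in the log above.
DISK0_ENTRIES = [
    "80202100077E25190008000000380600",
    "007E261907FEFFFF0040060000485838",
    "00FEFFFF07FEFFFF00885E380098D601",
    "00FEFFFF0CFEFFFF0020353A30380300",
]

def parse_entry(hex_entry):
    raw = bytes.fromhex(hex_entry)
    if len(raw) != 16:
        raise ValueError("an MBR partition entry is exactly 16 bytes")
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {
        "active": status == 0x80,
        "status_valid": status in (0x00, 0x80),  # any other value is malformed
        "type": ptype,
        "type_name": KNOWN_TYPES.get(ptype, "unknown"),
        "lba_start": lba_start,
        "sectors": sectors,
        "offset_kib": lba_start * SECTOR // 1024,   # ListParts' "Offset" column
        "size_mib": sectors * SECTOR / 2**20,       # ListParts' "Size" column
    }

def check_table(hex_entries):
    # Parse a whole table and return (entries, findings) for review.
    parts = [parse_entry(h) for h in hex_entries]
    findings = []
    actives = sum(p["active"] for p in parts)
    if actives != 1:
        findings.append(f"{actives} active partitions, expected exactly 1")
    for p in parts:
        if not p["status_valid"]:
            findings.append(f"invalid status byte for entry at LBA {p['lba_start']}")
        if p["type_name"] == "unknown":
            findings.append(f"unknown partition type 0x{p['type']:02X}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):   # overlapping entries are never legitimate
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entry at LBA {a['lba_start']} overlaps entry at LBA {b['lba_start']}")
    return parts, findings
```

Running `check_table(DISK0_ENTRIES)` reproduces the 1024 KB offset, 199 MB system partition and contiguous 450 GB / 14 GB / 103 MB layout shown in the log with no findings, so the warning about the BCD entry on drive y: is not explained by a malformed partition table.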



#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:18 AM

Posted 23 March 2013 - 07:20 PM

Please make sure you do all the steps in the order they are written.
  • For 64-bit systems, download Listparts64 and save it to your flash drive
  • Download
    Save it to your flash drive.
  • Please download
    Save it to your flash drive.
  • Boot to System Recovery Options and select "Command Prompt".

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it later in your reply. You may close the tool.
  • While still in the recovery environment run ListParts by typing I:\listparts64 in the command prompt and pressing Enter
    Click Fix. Close the pop up after the fix is done.
  • Please restart, let it boot normally and then post the FixLog.txt
Please advise how the computer is running now

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 CuriousT

CuriousT
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:08:18 AM

Posted 25 March 2013 - 08:32 AM

Hi CatByte,

I started FRST and clicked Fix. I got a message that it couldn't find fixlist.txt. I had changed the name after it ran last time, so I renamed it back to fixlist.txt. When I tried again I got the message 'Looks you don't know what to do. To prevent damage to the system the tool will exit.'

Do I need to run FRST again and click Scan before I can click Fix?

Thank you,
CuriousT

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:18 AM

Posted 25 March 2013 - 08:52 AM

Please delete the files on your USB and start fresh: download Listparts64, then the two text files fix.txt and fixlist.txt.

Then follow the instructions again for FRST; you don't click Scan before you click Fix.

Thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




