Infected by Backup MyPC virus


This topic is locked
21 replies to this topic

#1 AMano (Members)

Posted 16 June 2013 - 11:18 PM

My daughter's laptop became infected with this pain-in-the-neck virus and I've tried what I know and could not get the bugger out. I found your website before to kill some other viruses a year or two ago and even helped some other people who were in a bind. Now it's my turn for some help, as I've never had to ask. In the extreme cases, it was just reformat and reinstall as the registry was shredded too much.

 

I found a recent topic where Gringo was helping someone with this persistent virus. He used OTL and a customized script to get at the virus after a few other things did not work. I did run OTL and attempted the modified script, and then saw the warning afterwards about not running the script.

 

Anyway, the icon for Backup MyPC is still there and sends me an ugly reminder in the way of a popup.

 

I ran the OTL program and have files ready; I understand I may not hear from you for a few days and that's no problem.

 

Thank you in advance!

 

Anthony

Attached Files




 


#2 satchfan (Malware Response Team, Devon, UK)

Posted 17 June 2013 - 03:12 AM

Hello AMano and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:
 

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

I am looking at your logs now and will reply with instructions shortly.

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 satchfan (Malware Response Team, Devon, UK)

Posted 17 June 2013 - 03:40 AM

Hello again

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.
 

  • run AdwCleaner and select Delete
  • when it has finished it will ask to reboot - allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run aswMBR
 

  • download aswMBR.exe to your desktop.
  • double click the aswMBR.exe to run it
  • if asked, accept the AVAST virus definition download
  • click the "Scan" button to start scan
  • on completion of the scan click Save log, save it to your desktop and post in your next reply. Note - do NOT attempt any Fix yet.

Please run OTL again and send a new log.

Logs to include with next post:

AdwCleaner log
aswMBR log
New OTL log


Thanks

Satchfan

 




#4 AMano (Topic Starter)

Posted 17 June 2013 - 07:19 PM

Satchfan,

 

 

Thank you for your help.  I appreciate you digging in on this one, I'm sure you are busy as anything.

 

I ran all three utilities and attached the files as requested. The icon is still on my desktop and still active with popups, but I did see the other two cleaners grab a bunch of crap already.

 

I'm across the pond in NY, hence the lengthy pause in replies.

 

Anthony

Attached Files



#5 satchfan (Malware Response Team, Devon, UK)

Posted 18 June 2013 - 03:06 AM

Hi AMano

IObit Security 360 is a rogue security program known to cause system problems, and IObit has stolen material from other computer security companies to use in their own program. See:

IOBit Steals Malwarebytes’ Intellectual Property
IOBit’s Denial of Theft Unconvincing

The program has also been seen to cause numerous system problems that tend to go away after uninstalling their software.

Go to Start>Control Panel>Programs and Features>Programs and uninstall the following programs:

IObit Security 360
Advanced SystemCare

(or any program from IObit)

T-Tools has created a free program designed specifically to remove every last trace of the entries that IObit programs leave behind when you uninstall one or more of them. Please download BitRemover from here:

Save the program to your Desktop and double-click on the program to run it.

===================================================

Run OTL

  • double click on the icon to run it.
  • copy/paste ALL the following text written inside the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    
    :OTL
    IE - HKCU\..\SearchScopes\{22455C07-62F2-4DE9-8938-441B76A705F5}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=668083&p={searchTerms}
    IE - HKCU\..\SearchScopes\{28DDFDE0-6566-49D0-9CE2-73569B43CD39}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
    IE - HKCU\..\SearchScopes\{5BEDEF75-C5E3-4C29-A7DA-8921B1D26460}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;<local>
    
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • click the Run Fix button at the top
  • let the program run unhindered, reboot when it is done
  • please post the OTL fix log and new OTL log.

===================================================

Download and run ComboFix

Download Combofix from either of the links below, and save it to your desktop.
 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
 

  • when finished, it will produce a report
  • please post the C:\ComboFix.txt in your next reply.

Logs to include in the next post:

OTL fix log
New OTL log
ComboFix.txt


Thanks

Satchfan


Edited by satchfan, 18 June 2013 - 03:10 AM.

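The OTL fix above rewrites two kinds of per-user settings (the IE SearchScopes entries and the Internet Settings ProxyOverride value), and the ComboFix report that follows lists the Run-key autostarts. The script below is an added example, not part of this thread and not code from OTL or ComboFix: a read-only audit of those same locations, so you can see what is there before a fix and confirm it is gone afterwards. It assumes PowerShell 3.0 or later and that the hosts in $AllowedSearchHosts are the search providers you actually chose; the "user-writable path" flag on Run entries is a heuristic, not a verdict (the Akamai entry in the log below lives under AppData and is legitimate).

```powershell
# Added example, not from the thread, OTL or ComboFix: read-only audit of the
# settings the OTL fix rewrites (IE search scopes, ProxyOverride) plus the
# Run-key autostarts ComboFix lists under "Reg Loading Points". Nothing is
# changed or deleted. Requires PowerShell 3.0+ (for [pscustomobject]).

# Assumption: the search hosts you consider legitimate on this machine. Note that
# the yahoo scope removed by the OTL fix carried affiliate parameters
# (fr=chr-greentree_ie, type=668083), so read the full URL, not just the host.
$AllowedSearchHosts = @('www.google.com', 'www.bing.com')

function Get-IESearchScopeAudit {
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $key)) { return }
    foreach ($scope in Get-ChildItem -Path $key) {
        $props   = Get-ItemProperty -Path $scope.PSPath
        $url     = [string]$props.URL
        $urlHost = $null
        if ($url) { try { $urlHost = ([System.Uri]$url).Host } catch { } }
        $flag = if ($urlHost -and ($AllowedSearchHosts -contains $urlHost)) { '' } else { 'UNEXPECTED HOST' }
        [pscustomobject]@{
            ScopeId     = $scope.PSChildName
            DisplayName = [string]$props.DisplayName
            URL         = $url
            Flag        = $flag
        }
    }
}

function Get-ProxyAudit {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $override = [string]$p.ProxyOverride
    # A clean machine normally has only "<local>" here. The OTL fix removed
    # "*.local;127.0.0.1:9421", i.e. a loopback listener excluded from the proxy.
    $extra = @($override -split ';' | Where-Object { $_ -and $_ -ne '<local>' })
    $flag = if ($extra.Count -gt 0) { 'EXTRA OVERRIDE ENTRIES: ' + ($extra -join ', ') } else { '' }
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        ProxyOverride = $override
        Flag          = $flag
    }
}

function Get-RunKeyAudit {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # absent on 32-bit Windows
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        foreach ($prop in $p.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            # Heuristic only: autostarts in user-writable profile/ProgramData/Temp
            # paths are where bundled adware usually lands, but legitimate
            # per-user updaters live there too.
            $flag = if ($cmd -match '(?i)\\(AppData|ProgramData|Temp)\\') { 'USER-WRITABLE PATH' } else { '' }
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd; Flag = $flag }
        }
    }
}

Get-IESearchScopeAudit | Format-Table -AutoSize -Wrap
Get-ProxyAudit         | Format-List
Get-RunKeyAudit        | Format-Table -AutoSize -Wrap
```

Run it as the affected user (HKCU is per user), save the output to a text file, and run it again after the OTL fix and reboot: the three SearchScopes GUIDs and the 127.0.0.1:9421 override should be gone, and any Run entry that reappears after you removed it is the persistence you still need to find.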


#6 AMano (Topic Starter)

Posted 18 June 2013 - 09:14 PM

Satchfan,

I ran everything as requested but I only have two files, the ComboFix log and the OTL fix log. I don't see another OTL log come up.

 

Anthony



#7 AMano (Topic Starter)

Posted 18 June 2013 - 09:23 PM

Files from last night's run

Attached Files



#8 satchfan (Malware Response Team, Devon, UK)

Posted 19 June 2013 - 08:42 AM

That log looked fine.

Download Malwarebytes-Anti-Malware

Click here.
 

  • double-click mbam-setup.exe and follow the prompts to install the program.
  • at the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • if an update is found, it will download and install the latest version.
  • once the program has loaded, select Perform quick scan, then click Scan.
  • when the scan is complete, click OK, then Show Results to view the results.
  • be sure that everything is checked, and click Remove Selected.
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Can you tell me if there are any outstanding problems.

Satchfan

 




#9 AMano (Topic Starter)

Posted 19 June 2013 - 09:22 AM

Satchfan,

I already had Malwarebytes loaded previously; does it matter?

Anthony

Edited by AMano, 19 June 2013 - 10:29 AM.


#10 satchfan (Malware Response Team, Devon, UK)

Posted 19 June 2013 - 10:25 AM

I already haves leads bytes loaded

I don't understand what you mean.




#11 satchfan (Malware Response Team, Devon, UK)

Posted 19 June 2013 - 04:45 PM

I opened your reply in IE and it appears differently in Firefox, so please accept my apology for the previous response.

 

Go ahead and run Malwarebytes.




#12 AMano (Topic Starter)

Posted 19 June 2013 - 08:58 PM

Satchfan,

No need to apologize, there were typos from my iPhone, and I edited the entry afterward. Sorry, you're not crazy.

I thought I had Malwarebytes, but I guess not.

I deleted Advanced Care yesterday and it was miraculously back again. Malwarebytes ran and did not find anything.

Backup MyPC is still there, this is very sad... I've never been bitten this hard and still had an operating system to work with.

So I'm back to square one almost, minus the garbage that the other utilities found.

 

What next?

 

Anthony

Attached Files


Edited by AMano, 19 June 2013 - 09:01 PM.


#13 satchfan (Malware Response Team, Devon, UK)

Posted 20 June 2013 - 12:25 AM

MyPC Backup is not malicious but you should be able to uninstall it if you want to.

Uninstall programs

Uninstall these programs:

MyPCBackup
iObit

 

  • click Start, Control Panel, Programs and Features
  • click on MyPCBackup and then Uninstall.

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  • repeat this for iObit

================================================

I’d like another ComboFix report to see what is installed on your computer.

Click the Windows “Start” button, select Run, then copy/paste the following bolded text into the run box and then click OK

C:\Qoobox\Add-Remove Programs.txt

Please post back with the list and copy/paste it into the post, not attach it.

Satchfan

 


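Programs and Features, and the C:\Qoobox\Add-Remove Programs.txt list that ComboFix writes, are both built from the Uninstall keys in the registry. The script below is an added example, not from this thread or from ComboFix: it reads those keys directly (machine-wide, 32-bit-on-64-bit, and per-user), lists every installed program newest first, and prints the uninstall command for anything whose name or publisher matches the programs this thread asks to remove. It does not run any uninstaller. The $Patterns list is an assumption taken from the names that appear in this thread (MyPCBackup, IObit, Advanced SystemCare, and the Conduit/SearchProtect entries in the logs); requires PowerShell 3.0 or later.

```powershell
# Added example, not from the thread or from ComboFix: enumerate installed
# programs from the Uninstall registry keys (the data behind Programs and
# Features and ComboFix's Add-Remove Programs.txt) and show the uninstall
# command for entries matching a name pattern. Nothing is uninstalled here.
# Re-run after a reboot to confirm a removal stuck; Advanced SystemCare came
# back once earlier in this thread.

# Assumption: name/publisher patterns worth hunting, taken from this thread.
$Patterns = @('MyPC ?Backup', 'IObit', 'Advanced SystemCare', 'Conduit', 'SearchProtect')

function Get-InstalledProgram {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # absent on 32-bit Windows
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'                # per-user installs
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if (-not $p.DisplayName) { continue }   # updates and components without a display name
            [pscustomobject]@{
                DisplayName     = [string]$p.DisplayName
                Publisher       = [string]$p.Publisher
                InstallDate     = [string]$p.InstallDate        # yyyyMMdd when present
                InstallLocation = [string]$p.InstallLocation
                UninstallString = [string]$p.UninstallString
                Hive            = $key.Split(':')[0]
                KeyName         = $sub.PSChildName
            }
        }
    }
}

function Find-SuspectProgram {
    param([string[]]$NamePatterns = $Patterns)
    # Build one case-insensitive alternation from the patterns.
    $regex = '(?i)' + (($NamePatterns | ForEach-Object { "($_)" }) -join '|')
    Get-InstalledProgram | Where-Object { $_.DisplayName -match $regex -or $_.Publisher -match $regex }
}

# Full list, newest install first, then the matches with their uninstall commands.
Get-InstalledProgram | Sort-Object InstallDate -Descending |
    Format-Table DisplayName, Publisher, InstallDate -AutoSize
Find-SuspectProgram | Format-List DisplayName, Publisher, InstallLocation, UninstallString, Hive, KeyName
```

The Hive column matters: an entry under HKCU was installed per user, so running the uninstaller from another account will not remove it, and a program that reappears after an uninstall usually has a second copy registered in a different hive or a scheduled task or Run entry that reinstalls it.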


#14 AMano (Topic Starter)

Posted 20 June 2013 - 08:50 PM

Satchfan,

 

I deinstalled IOBIT and Backup My PC and all went well this time.

 

I ran ComboFix, but it never prompted for the box to enter text, it just ran and counted up the modules... (is this the OTL program?)

 

ComboFix 13-06-20.01 - Francesca 06/20/2013  21:16:57.2.4 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2992.1717 [GMT -4:00]
Running from: c:\users\Francesca\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\5849\AddOnDownloaded\0e53a45b-5a41-43e5-96ab-776b00e48a6e.dll
c:\programdata\PCDr\5849\AddOnDownloaded\6189c538-c102-424b-b645-3fb824a63826.dll
c:\programdata\PCDr\5849\AddOnDownloaded\9ad80016-92d9-41a4-9436-c44907366397.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-21 to 2013-06-21  )))))))))))))))))))))))))))))))
.
.
2013-06-21 01:26 . 2013-06-21 01:26    --------    d-----w-    c:\users\Francesca\AppData\Local\temp
2013-06-21 01:26 . 2013-06-21 01:26    --------    d-----w-    c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-06-21 01:26 . 2013-06-21 01:26    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-06-21 01:10 . 2013-06-21 01:10    60872    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{EE95169B-5F62-4DD4-9F79-C9A75256816D}\offreg.dll
2013-06-20 01:41 . 2013-06-20 01:41    --------    d-----w-    c:\users\Francesca\AppData\Roaming\Malwarebytes
2013-06-20 01:40 . 2013-06-20 01:40    --------    d-----w-    c:\programdata\Malwarebytes
2013-06-20 01:40 . 2013-06-20 01:40    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-06-20 01:40 . 2013-04-04 18:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-06-20 01:40 . 2013-06-20 01:40    --------    d-----w-    c:\users\Francesca\AppData\Local\Programs
2013-06-17 03:32 . 2013-06-17 03:32    --------    d-----w-    C:\_OTL
2013-06-17 00:13 . 2013-06-08 11:41    218112    ----a-w-    c:\program files\Internet Explorer\sqmapi.dll
2013-06-17 00:13 . 2013-06-08 11:13    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-06-17 00:08 . 2013-05-17 01:25    2877440    ----a-w-    c:\windows\system32\jscript9.dll
2013-06-17 00:08 . 2013-05-17 01:25    108032    ----a-w-    c:\program files\Internet Explorer\jsdebuggeride.dll
2013-06-17 00:07 . 2013-05-17 01:25    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-06-17 00:07 . 2013-05-17 01:25    257536    ----a-w-    c:\program files\Internet Explorer\ieproxy.dll
2013-06-17 00:07 . 2013-05-17 01:25    235520    ----a-w-    c:\program files\Internet Explorer\IEShims.dll
2013-06-17 00:07 . 2013-05-17 01:25    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-06-17 00:07 . 2013-05-14 08:40    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-06-17 00:07 . 2013-05-17 01:25    817664    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-06-17 00:07 . 2013-05-17 02:32    770648    ----a-w-    c:\program files\Internet Explorer\iexplore.exe
2013-06-17 00:07 . 2013-05-17 01:25    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-06-16 01:59 . 2013-06-16 01:59    --------    d-----w-    c:\program files\iPod
2013-06-16 01:59 . 2013-06-16 01:59    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-16 01:56 . 2013-06-16 01:56    --------    d-----w-    c:\program files\Common Files\Java
2013-06-16 01:37 . 2013-06-16 01:36    866720    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-06-16 01:37 . 2013-06-16 01:36    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-16 01:36 . 2013-06-16 01:36    --------    d-----w-    c:\program files\Java
2013-06-16 01:28 . 2013-06-16 01:28    --------    d-----w-    c:\windows\system32\config\systemprofile\AppData\Roaming\SearchProtect
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-16 01:36 . 2012-02-23 06:18    788896    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-16 01:32 . 2012-08-23 05:05    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-16 01:32 . 2012-08-23 05:05    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-09 08:59 . 2013-03-25 03:50    49376    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-05-09 08:59 . 2013-03-25 03:50    174664    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-05-09 08:59 . 2012-03-19 01:45    61680    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-05-09 08:59 . 2012-01-02 16:06    765736    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-05-09 08:59 . 2012-01-02 16:06    56080    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-05-09 08:59 . 2012-01-02 16:06    368944    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-05-09 08:59 . 2012-01-02 16:06    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-05-09 08:59 . 2012-01-02 16:06    29816    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-05-09 08:58 . 2012-01-02 16:06    41664    ----a-w-    c:\windows\avastSS.scr
2013-05-09 08:58 . 2012-01-02 16:06    229648    ----a-w-    c:\windows\system32\aswBoot.exe
2013-04-24 05:23 . 2013-04-24 05:23    347888    ----a-w-    c:\windows\system32\drivers\SynTP.sys
2013-04-24 05:23 . 2013-04-24 05:23    175856    ----a-w-    c:\windows\system32\SynTPAPI.dll
2013-04-24 05:23 . 2013-04-24 05:23    143088    ----a-w-    c:\windows\system32\SynTPCo14.dll
2013-04-24 05:23 . 2012-01-02 06:38    540400    ----a-w-    c:\windows\system32\SynCOM.dll
2013-04-12 13:45 . 2013-04-26 03:46    1211752    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-11 14:22 . 2013-05-03 20:44    421200    ----a-w-    c:\windows\system32\msvcp100.dll
2013-04-11 14:22 . 2013-05-03 20:44    770384    ----a-w-    c:\windows\system32\msvcr100.dll
2013-04-10 04:14 . 2013-04-10 04:14    745472    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-04-10 04:14 . 2013-04-10 04:14    73728    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-04-10 04:14 . 2013-04-10 04:14    719360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2013-04-10 04:14 . 2013-04-10 04:14    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-04-10 04:14 . 2013-04-10 04:14    523264    ----a-w-    c:\windows\system32\vbscript.dll
2013-04-10 04:14 . 2013-04-10 04:14    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-04-10 04:14 . 2013-04-10 04:14    38400    ----a-w-    c:\windows\system32\imgutil.dll
2013-04-10 04:14 . 2013-04-10 04:14    361984    ----a-w-    c:\windows\system32\html.iec
2013-04-10 04:14 . 2013-04-10 04:14    23040    ----a-w-    c:\windows\system32\licmgr10.dll
2013-04-10 04:14 . 2013-04-10 04:14    185344    ----a-w-    c:\windows\system32\elshyph.dll
2013-04-10 04:14 . 2013-04-10 04:14    158720    ----a-w-    c:\windows\system32\msls31.dll
2013-04-10 04:14 . 2013-04-10 04:14    150528    ----a-w-    c:\windows\system32\iexpress.exe
2013-04-10 04:14 . 2013-04-10 04:14    1441280    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-04-10 04:14 . 2013-04-10 04:14    138752    ----a-w-    c:\windows\system32\wextract.exe
2013-04-10 04:14 . 2013-04-10 04:14    137216    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-04-10 04:14 . 2013-04-10 04:14    12800    ----a-w-    c:\windows\system32\mshta.exe
2013-04-10 04:14 . 2013-04-10 04:14    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-04-10 04:13 . 2013-04-10 04:13    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    906240    ----a-w-    c:\windows\system32\FntCache.dll
2013-04-10 04:13 . 2013-04-10 04:13    604160    ----a-w-    c:\windows\system32\d3d10level9.dll
2013-04-10 04:13 . 2013-04-10 04:13    5632    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    5632    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-04-10 04:13 . 2013-04-10 04:13    4096    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    364544    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2013-04-10 04:13 . 2013-04-10 04:13    3584    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    3419136    ----a-w-    c:\windows\system32\d2d1.dll
2013-04-10 04:13 . 2013-04-10 04:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    3072    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    2560    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    249856    ----a-w-    c:\windows\system32\d3d10_1core.dll
2013-04-10 04:13 . 2013-04-10 04:13    2284544    ----a-w-    c:\windows\system32\msmpeg2vdec.dll
2013-04-10 04:13 . 2013-04-10 04:13    220160    ----a-w-    c:\windows\system32\d3d10core.dll
2013-04-10 04:13 . 2013-04-10 04:13    207872    ----a-w-    c:\windows\system32\WindowsCodecsExt.dll
2013-04-10 04:13 . 2013-04-10 04:13    1988096    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-04-10 04:13 . 2013-04-10 04:13    161792    ----a-w-    c:\windows\system32\d3d10_1.dll
2013-04-10 04:13 . 2013-04-10 04:13    1504768    ----a-w-    c:\windows\system32\d3d11.dll
2013-04-10 04:13 . 2013-04-10 04:13    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-04-10 04:13 . 2013-04-10 04:13    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-04-10 04:13 . 2013-04-10 04:13    1158144    ----a-w-    c:\windows\system32\XpsPrint.dll
2013-04-10 04:13 . 2013-04-10 04:13    1080832    ----a-w-    c:\windows\system32\d3d10.dll
2013-04-10 04:13 . 2013-04-10 04:13    10752    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-04-10 04:13 . 2013-04-10 04:13    293376    ----a-w-    c:\windows\system32\dxgi.dll
2013-04-10 04:13 . 2013-04-10 04:13    187392    ----a-w-    c:\windows\system32\UIAnimation.dll
2013-04-02 14:09 . 2013-04-02 14:09    4550656    ----a-w-    c:\windows\system32\GPhotos.scr
2013-06-17 02:51 . 2013-06-17 02:50    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32    121968    ------w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Francesca\AppData\Local\Akamai\netsession_win.exe" [2013-01-26 4480768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2011-12-01 1322048]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2011-01-07 62312]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-15 307768]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-07-27 62312]
"TpShocks"="TpShocks.exe" [2011-03-29 337256]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-05-03 112152]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-10-30 1116920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"RotateImage"="c:\program files\Integrated Camera Driver\RCIMGDIR.exe" [2008-10-30 31744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"iTunesHelper"="d:\music\iTunesHelper.exe" [2013-02-20 152392]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 177944]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2012-1-2 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2011-12-01 292200]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2011-12-01 89152]
R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [2011-12-01 175168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-02 1343400]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2011-12-01 25968]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2011-03-30 20592]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2010-09-07 13680]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-05-09 66336]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 127336]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 131432]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-07-12 142696]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-05-03 2533400]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2011-05-23 132864]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2012-02-02 388264]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-08-03 7517696]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - PCDSRVC{3037D694-FD904ACA-06020200}_0
*Deregistered* - PCDSRVC{3037D694-FD904ACA-06020200}_0
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService    REG_MULTI_SZ       HsfXAudioService
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-21 01:00    1165776    ----a-w-    c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-23 01:32]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-02 16:06]
.
2013-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-02 16:06]
.
2013-06-20 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
2013-06-21 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Francesca\AppData\Roaming\Mozilla\Firefox\Profiles\z8qxv9er.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=668083&p=
FF - ExtSQL: !HIDDEN! 2012-01-02 11:26; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,8e,82,4a,24,77,64,42,aa,02,a7,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adt\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adts\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.AVI"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.m3u"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.M4A"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MOV"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-06-20  21:33:58
ComboFix-quarantined-files.txt  2013-06-21 01:33
ComboFix2.txt  2013-06-19 01:50
.
Pre-Run: 64,417,132,544 bytes free
Post-Run: 64,463,228,928 bytes free
.
- - End Of File - - C46693388C3B18DD09F6F2777CAAD44B
A36C5E4F47E84449FF07ED3517B43A31

This looks much better.


Anthony



#15 satchfan

satchfan

  • Malware Response Team
  • 2,662 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:10:55 PM

Posted 21 June 2013 - 03:36 AM

That is looking better.

Open ComboFix

Please do the following:

  • close any open browsers.
  • close/disable all anti-virus and anti-malware programs so that they do not interfere with the running of ComboFix.
  • open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\windows\system32\config\systemprofile\AppData\Roaming\SearchProtect

Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe

[image: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of ComboFix.txt in your next reply.

================================================

Run MiniToolBox

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

Please download MiniToolBox, save it to your desktop and run it.

Place a checkmark in the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Satchfan



My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
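The items MiniToolBox reports in the steps above can also be reviewed by hand. The PowerShell script below is an added example, not part of this thread or of the MiniToolBox tool: it reads the IE proxy values, any Firefox proxy or keyword.URL prefs, and the active hosts entries, and lists whatever differs from a clean default. It assumes it runs in the affected user's own session on Windows 7 or later, and it only reports; it changes nothing.

```powershell
# Added example: read-only audit of the items MiniToolBox reports above.
# Not part of the thread or of MiniToolBox; assumes it runs in the affected
# user's own session on Windows 7 or later. It changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. WinINet (IE) proxy values, the "Report IE Proxy Settings" item.
#    ProxyOverride = <local> is the stock bypass list and is not a finding.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
    $value = $ie.$name
    "IE   $name = $value"
}
if ($ie.ProxyEnable -eq 1) { $findings.Add("IE proxy enabled: $($ie.ProxyServer)") }
if ($ie.AutoConfigURL)     { $findings.Add("IE PAC script set: $($ie.AutoConfigURL)") }

# 2. Firefox prefs.js, the "Report FF Proxy Settings" item. A clean profile has
#    no network.proxy.* lines (unset prefs use defaults). keyword.URL is included
#    because the ComboFix log above shows it pointing at a non-default search URL.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$prefPattern = '^user_pref\("(network\.proxy\.[^"]+|keyword\.URL)",\s*(.+)\);'
Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
  Select-String -Pattern $prefPattern | ForEach-Object {
    $pref = $_.Matches[0].Groups[1].Value
    $val  = $_.Matches[0].Groups[2].Value
    "FF   $pref = $val"
    # network.proxy.type 1 = manual proxy, 2 = PAC script; any other proxy pref
    # or a keyword.URL value was written by something other than a stock install.
    if ($pref -ne 'network.proxy.type' -or $val -match '^[12]$') {
        $findings.Add("Firefox $pref = $val in $($_.Path)")
    }
}

# 3. hosts file, the "List content of Hosts" item. A stock Windows 7 hosts file
#    carries only commented-out localhost lines, so every active mapping is listed.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts | Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' } | ForEach-Object {
    "HOST $_"
    if ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') { $findings.Add("hosts entry: $_") }
}

# 4. Summary of anything that is not a clean default.
if ($findings.Count -eq 0) { 'No non-default proxy, Firefox, or hosts settings found.' }
else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

Run it from a normal PowerShell prompt as the affected user; the "IE", "FF" and "HOST" lines mirror the three MiniToolBox report items, and the Findings list at the end is what to compare against the tool's Result.txt.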




