
Can't get rid of Tidy Network! :(


  • This topic is locked
37 replies to this topic

#1 tompkinst

  • Members
  • 23 posts

Posted 16 September 2013 - 10:17 AM

I've got a computer that was heavily infected with a bunch of crap. Ran Malwarebytes, had over 100 infections. Removed several things in Add/Remove Programs. Ran ADWCleaner. That found some stuff. But I still get the 'links' from Tidy Network on websites. It's only happening in Chrome. If you need more info, let me know.

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.25.2
Run by spangenbergerd at 11:13:43 on 2013-09-16
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3999.1491 [GMT -4:00]
.
AV: System Center 2012 Endpoint Protection *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: System Center 2012 Endpoint Protection *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Google\Chrome Remote Desktop\29.0.1547.32\remoting_host.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Chrome Remote Desktop\29.0.1547.32\remoting_host.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\SMART Technologies\Education Software\SMARTHelperService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Box Sync\BoxSyncHelper.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Box Sync\BoxSync.exe
C:\Users\spangenbergerd\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\SMART Technologies\Education Software\SMARTBoardTools.exe
C:\Program Files (x86)\SMART Technologies\Education Software\SMARTBoardService.exe
C:\Program Files (x86)\SMART Technologies\Education Software\SMARTInk.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\SMART Technologies\Education Software\sbsdk-server\SBWDKService.exe
C:\Program Files (x86)\SMART Technologies\Education Software\Office\SMARTInk-SBSDKProxy.exe
C:\Windows\System32\mobsync.exe
C:\Windows\CCM\CcmExec.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\CCM\RemCtrl\CmRcService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\CCM\SCNotification.exe
C:\Windows\System32\WUDFHost.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\splwow64.exe
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sesdweb.net/
uDefault_Page_URL = hxxp://www.sesdweb.net
uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: SMART Notebook Download Utility: {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files (x86)\SMART Technologies\Education Software\Win32\NotebookPlugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [Google Update] "C:\Users\spangenbergerd\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Yontoo Desktop] "C:\Users\spangenbergerd\AppData\Roaming\Yontoo\YontooDesktop.exe"
uRun: [17CFF3B0F600B12A5E485909BF200167590E7EBB._service_run] "C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service
uRun: [GoogleChromeAutoLaunch_459D6AD95F61E65A862C8F4C876537D5] "C:\Users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe" --no-startup-window
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.4111.0525"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727_1] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727_1"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2006.0314"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2010.0530] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2010.0530"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627"
mRun: [ZenNotifyIcon] C:\Program Files (x86)\Novell\Zenworks\bin\ZenNotifyIcon.exe
mRun: [NalView] C:\Program Files (x86)\Novell\ZENworks\bin\nalview.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [TOSDCR] C:\Program Files (x86)\TOSHIBA\PasswordUtility\TOSDCR.exe
mRun: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
mRun: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
mRun: [BrowserPlugInHelper] C:\Program Files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SMART Board Tools] "C:\Program Files (x86)\SMART Technologies\Education Software\SMARTBoardTools.exe"
mRun: [sbsdk-server] "C:\Program Files (x86)\SMART Technologies\Education Software\sbsdk-server\NodeLauncher.exe"
mRun: [SMART Board Service] "C:\Program Files (x86)\SMART Technologies\Education Software\SMARTBoardService.exe" -d
mRun: [SMART Ink] "C:\Program Files (x86)\SMART Technologies\Education Software\SMARTInk.exe" -a
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
StartupFolder: C:\Users\SPANGE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\spangenbergerd\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BOXSYN~1.LNK - C:\Program Files\Box Sync\BoxSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: HideSCAHealth = dword:1
uPolicies-System: ConnectHomeDirToRoot = dword:0
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableSecureUIAPaths = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: DefaultLogonDomain = SESD
mPolicies-System: HideFastUserSwitching = dword:1
mPolicies-System: SoftwareSASGeneration = dword:2
mPolicies-Windows\System: CompatibleRUPSecurity = dword:1
mPolicies-Windows\System: WaitForNetwork = dword:0
mPolicies-Windows\System: UseOEMBackground = dword:0
mPolicies-Windows\System: UserPolicyMode = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: NameServer = 10.138.50.250 10.141.40.250
TCP: Interfaces\{07448B73-E38C-4E8F-AAFD-CE0A57F454FE} : DHCPNameServer = 10.138.50.250 10.141.40.250
TCP: Interfaces\{07448B73-E38C-4E8F-AAFD-CE0A57F454FE}\0516454514E47457563747 : DHCPNameServer = 10.61.19.20 10.61.19.15
TCP: Interfaces\{07448B73-E38C-4E8F-AAFD-CE0A57F454FE}\350716E6B6976416D6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{07448B73-E38C-4E8F-AAFD-CE0A57F454FE}\35475677F575962756C6563737 : DHCPNameServer = 10.140.23.253 10.138.50.250 10.138.80.252 10.141.40.250
TCP: Interfaces\{07448B73-E38C-4E8F-AAFD-CE0A57F454FE}\35543544F5F4574737964656F55417579607D656E647 : DHCPNameServer = 10.138.50.250 10.141.40.250
TCP: Interfaces\{07448B73-E38C-4E8F-AAFD-CE0A57F454FE}\36861607D616E636573747F6D65627 : DHCPNameServer = 68.87.77.130 68.87.72.130
TCP: Interfaces\{07448B73-E38C-4E8F-AAFD-CE0A57F454FE}\4456C64716F575962756C6563737 : DHCPNameServer = 10.138.50.250 10.141.40.250
TCP: Interfaces\{B98F0724-6746-4E58-9216-D92C8CE54BD5} : DHCPNameServer = 10.138.50.250 10.141.40.250
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Authentication Packages =  msv1_0 ZenV1_0
x64-BHO: SMART Notebook Download Utility: {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files (x86)\SMART Technologies\Education Software\Win64\NotebookPlugin.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [BoxSyncHelper] "C:\Program Files\Box Sync\BoxSyncHelper.exe"
x64-DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: {763370C4-268E-4308-A60C-D8DA0342BE32} - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\Windows\System32\drivers\Thpevm.sys [2009-6-29 14784]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2011-10-5 189424]
R2 chromoting;Chrome Remote Desktop Service;C:\Program Files (x86)\Google\Chrome Remote Desktop\29.0.1547.32\remoting_host.exe [2013-7-23 10192]
R2 CmRcService;Configuration Manager Remote Control;C:\Windows\CCM\RemCtrl\CmRcService.exe [2012-2-20 605040]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-8-14 39056]
R2 risdxc;risdxc;C:\Windows\System32\drivers\risdxc64.sys [2011-12-19 101888]
R2 SMARTHelperService;SMART Helper Service;C:\Program Files (x86)\SMART Technologies\Education Software\SMARTHelperService.exe [2013-3-7 582992]
R3 ATSwpWDF;AuthenTec TruePrint USB Driver;C:\Windows\System32\drivers\ATSwpWDF.sys [2011-12-19 770152]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2011-10-5 40832]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-10-5 84864]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-9-2 288256]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-12-19 82432]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-12-19 181760]
R3 SMARTMouseFilterx64;HID-compliant mouse;C:\Windows\System32\drivers\SMARTMouseFilterx64.sys [2013-3-7 10240]
R3 SMARTVHidMiniVistaAmd64;SMART HID Device;C:\Windows\System32\drivers\SMARTVHidMiniVistaAmd64.sys [2013-3-7 9216]
R3 SMARTVTabletPCx64;SMART Virtual TabletPC;C:\Windows\System32\drivers\SMARTVTabletPCx64.sys [2013-3-7 22184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Novell ZENworks Image-Safe Data Service;Novell ZENworks ISD Service;C:\Program Files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe --> C:\Program Files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe [?]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 lpasvc;Microsoft Policy Platform Local Authority;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2011-12-6 50472]
S3 lppsvc;Microsoft Policy Platform Processor;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2011-12-6 50472]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-6-11 19456]
S3 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2011-12-19 73216]
S3 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2011-12-19 53760]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-6-11 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-6-11 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-14 1255736]
.
=============== Created Last 30 ================
.
2013-09-16 03:30:26 9515512 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B731022F-0D0C-4A33-83C2-2F62DA410177}\mpengine.dll
2013-09-13 10:25:21 -------- d-----w- C:\ProgramData\RealNetworks
2013-09-13 10:25:21 -------- d-----w- C:\Program Files (x86)\RealNetworks
2013-09-13 10:24:52 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2013-08-20 23:36:59 -------- d-----w- C:\Users\spangenbergerd\AppData\Local\Screencast-O-Matic
2013-08-20 21:52:22 -------- d-----w- C:\Users\spangenbergerd\Doceri
2013-08-20 21:52:22 -------- d-----w- C:\Users\spangenbergerd\AppData\Roaming\Doceri Desktop
2013-08-20 21:52:15 -------- d-----w- C:\Program Files (x86)\Doceri Desktop
2013-08-19 20:43:42 -------- d-----w- C:\Program Files\iPod
2013-08-19 20:43:41 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-19 20:43:41 -------- d-----w- C:\Program Files\iTunes
2013-08-19 20:43:41 -------- d-----w- C:\Program Files (x86)\iTunes
.
==================== Find3M  ====================
.
2013-09-15 19:33:25 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-15 19:33:24 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-13 10:24:35 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2013-09-13 10:24:35 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2013-08-12 03:32:59 28609640 ----a-w- C:\Program Files\InstallScreencastOMatic-v1.4.exe
2013-08-12 03:18:48 1998248 ----a-w- C:\Program Files\Driverwhiz.exe
2013-07-24 13:55:47 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-24 13:55:45 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-07-24 13:55:45 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-05-27 04:49:06 114688 ----a-w- C:\Program Files (x86)\ad_ff.dll
.
============= FINISH: 11:14:17.21 ===============
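As an added example (not part of the original post and not a DDS feature), the following Python script reads a handful of the "Pseudo HJT Report" lines above and applies the triage an analyst does by hand: it pulls the executable out of each uRun/mRun/RunOnce command and each BHO entry, flags binaries that live under a user profile, Temp or ProgramData (which is where the Yontoo Desktop entry sits), marks launcher binaries such as cmd.exe for manual review because the real payload is in their arguments, and reports that EnableLUA = 0 means UAC is switched off on this machine. The path markers, the launcher list and the verdict labels are this example's own heuristic, not anything DDS outputs.

```python
"""Triage of DDS 'Pseudo HJT Report' autostart lines (added example).

Not part of the original post or of the DDS tool. SAMPLE_LOG is a subset of
the lines posted above; the verdict rules are this example's own heuristic.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a subset of the DDS report lines posted above.
SAMPLE_LOG = r"""
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1
uRun: [Yontoo Desktop] "C:\Users\spangenbergerd\AppData\Roaming\Yontoo\YontooDesktop.exe"
uRunOnce: [Uninstall C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\spangenbergerd\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
mPolicies-System: EnableLUA = dword:0
"""

# Line shapes DDS uses for Run/RunOnce keys, browser helper objects and the UAC policy.
RUN_RE = re.compile(r"^(?P<key>(?:u|m|x64-)Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^(?P<key>(?:x64-)?BHO): (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
LUA_RE = re.compile(r"^mPolicies-System: EnableLUA = dword:(?P<val>[0-9a-fA-F]+)$")
# First executable on a command line, quoted or not, even when the path contains spaces.
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js))"?(?=\s|$)',
                    re.IGNORECASE)

# Heuristic (this example's own): locations a standard user can populate without admin rights.
WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Launchers whose autostart entry says nothing until you read the arguments.
LAUNCHERS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe",
             "rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass
class Finding:
    key: str      # DDS prefix, e.g. uRun, mRun, x64-Run, BHO
    name: str     # value name or BHO display name
    path: str     # binary that actually gets loaded
    verdict: str  # "suspicious", "review" or "expected"


def first_binary(cmd: str) -> str:
    """Extract the program from a Run-key command line."""
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split()[0].strip('"')


def classify(path: str) -> str:
    low = path.lower()
    if any(marker in low for marker in WRITABLE_MARKERS):
        return "suspicious"
    if low.rsplit("\\", 1)[-1] in LAUNCHERS:
        return "review"
    return "expected"


def parse_dds(text: str) -> Tuple[List[Finding], bool]:
    """Return (findings, uac_disabled) for the autostart lines in a DDS report."""
    findings: List[Finding] = []
    uac_disabled = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = first_binary(m.group("cmd"))
            findings.append(Finding(m.group("key"), m.group("name"), path, classify(path)))
        elif m := BHO_RE.match(line):
            path = m.group("path")
            findings.append(Finding(m.group("key"), m.group("name"), path, classify(path)))
        elif m := LUA_RE.match(line):
            uac_disabled = int(m.group("val"), 16) == 0
    return findings, uac_disabled


def report(text: str) -> List[str]:
    """Human-readable summary, worst verdicts first."""
    findings, uac_disabled = parse_dds(text)
    order = {"suspicious": 0, "review": 1, "expected": 2}
    lines = [f"[{f.verdict:10}] {f.key}: {f.name} -> {f.path}"
             for f in sorted(findings, key=lambda f: order[f.verdict])]
    if uac_disabled:
        lines.append("[policy    ] EnableLUA = 0: UAC is disabled, every process runs unelevated-free")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a full DDS log by passing the file contents to report(); anything under AppData or Temp in a Run key deserves a look, and a cmd.exe/cscript.exe entry is only as benign as its arguments.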
 

 


 


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 16 September 2013 - 10:26 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 tompkinst (Topic Starter)

  • Members
  • 23 posts

Posted 16 September 2013 - 10:34 AM

There was an error when downloading the Avast definitions. Microsoft Endpoint is on the computer. I'm not sure if that makes a difference.



aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-16 11:31:11
-----------------------------
11:31:11.762    OS Version: Windows x64 6.1.7601 Service Pack 1
11:31:11.762    Number of processors: 4 586 0x2A07
11:31:11.762    ComputerName: EAST07372  UserName: 
11:31:12.698    Initialize success
11:31:20.876    AVAST engine download error: 403
11:31:44.323    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:31:44.323    Disk 0 Vendor: Hitachi_HTS723232A7A364 EC2OA70K Size: 305245MB BusType: 11
11:31:44.401    Disk 0 MBR read successfully
11:31:44.401    Disk 0 MBR scan
11:31:44.417    Disk 0 Windows 7 default MBR code
11:31:44.417    Disk 0 Partition 1 00     07    HPFS/NTFS NTFS       304942 MB offset 2048
11:31:44.448    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          301 MB offset 624523264
11:31:44.479    Disk 0 scanning C:\Windows\system32\drivers
11:31:51.000    Service scanning
11:31:58.410    Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
11:32:07.520    Modules scanning
11:32:07.520    Disk 0 trace - called modules:
11:32:07.551    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
11:32:07.567    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005057060]
11:32:07.567    3 CLASSPNP.SYS[fffff8800192a43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004de8060]
11:32:07.583    Scan finished successfully
11:32:21.531    Disk 0 MBR has been saved successfully to "C:\Users\spangenbergerd\Desktop\MBR.dat"
11:32:21.578    The log file has been saved successfully to "C:\Users\spangenbergerd\Desktop\aswMBR.txt"
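The aswMBR run above reads the first sector of Disk 0, reports the partition table, checks the boot code against what Windows 7 normally writes, and saves a copy as MBR.dat. As an added example (not part of this thread and not aswMBR's code), the Python below parses a raw 512-byte MBR into the same kind of summary and diffs a saved backup against a fresh read. The sample sector is constructed: its partition table mirrors the two entries in the log (NTFS at LBA 2048, active NTFS at LBA 624523264; note the first partition ends exactly where the second begins), but its boot code is zero-filled, not the real Windows 7 boot code.

```python
"""Parse and compare a raw 512-byte MBR (added example, not from aswMBR).

The sample MBR is constructed: its partition table mirrors the two entries
aswMBR reported above, but its boot code is zero-filled rather than the real
Windows 7 boot code.
"""
import hashlib
import struct
from typing import List

SECTOR_SIZE = 512
PT_OFFSET = 446   # partition table: 4 entries of 16 bytes
SIG_OFFSET = 510  # 0x55AA boot signature
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")

PART_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32",
    0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed MBR: the two partitions from the log, boot code zeroed."""
    entries = [
        (0x00, 0x07, 2048, 304942 * 2048),       # 304942 MB NTFS, not active
        (0x80, 0x07, 624523264, 301 * 2048),     # 301 MB NTFS, active (boot flag 0x80)
    ]
    table = b"".join(ENTRY.pack(status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
                     for status, ptype, start, count in entries)
    table += b"\x00" * (ENTRY.size * 2)          # two unused entries
    return b"\x00" * PT_OFFSET + table + b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    """Return boot-code hash and the non-empty partition entries."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if data[SIG_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY.size
        status, _, ptype, _, start, count = ENTRY.unpack(data[off:off + ENTRY.size])
        if ptype == 0:
            continue
        parts.append({
            "index": i + 1, "active": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": start, "sectors": count,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    return {"boot_code_sha256": hashlib.sha256(data[:PT_OFFSET]).hexdigest(),
            "partitions": parts}


def summarize(data: bytes) -> List[str]:
    """One line per partition, in roughly the layout aswMBR prints."""
    out = []
    for p in parse_mbr(data)["partitions"]:
        flag = "80 (A)" if p["active"] else "00"
        out.append(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} "
                   f"{p['size_mb']} MB offset {p['lba_start']}")
    return out


def mbr_diff(saved: bytes, current: bytes) -> List[str]:
    """Regions that differ between the MBR.dat backup and a fresh read.

    A bootkit typically rewrites the boot code and leaves the partition
    table alone, so ["boot_code"] on its own is the case to worry about.
    """
    regions = {"boot_code": (0, PT_OFFSET),
               "partition_table": (PT_OFFSET, SIG_OFFSET),
               "signature": (SIG_OFFSET, SECTOR_SIZE)}
    return [name for name, (a, b) in regions.items() if saved[a:b] != current[a:b]]


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("\n".join(summarize(mbr)))
    # To compare the real backup later: mbr_diff(open("MBR.dat", "rb").read(), fresh_read)
```

Keeping MBR.dat, as the post says, is what makes mbr_diff useful later: a second read of the disk's first sector that differs only in the boot-code region is a rewritten boot sector, not a repartitioning.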


#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 16 September 2013 - 10:41 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#5 tompkinst (Topic Starter)

  • Members
  • 23 posts

Posted 16 September 2013 - 11:18 AM

ComboFix 13-09-14.01 - spangenbergerd 09/16/2013  11:49:11.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3999.2229 [GMT -4:00]
Running from: c:\users\spangenbergerd\Desktop\ComboFix.exe
AV: System Center 2012 Endpoint Protection *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: System Center 2012 Endpoint Protection *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\hannigand\AppData\Local\assembly\tmp
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\_ctypes.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\_elementtree.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\_hashlib.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\_multiprocessing.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\_socket.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\_ssl.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\msvcp100.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\msvcr100.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\pyexpat.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\pysqlite2._sqlite.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\python27.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\pythoncom27.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\PyWinTypes27.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\select.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\unicodedata.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32api.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32com.shell.shell.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32crypt.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32event.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32file.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32inet.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32pdh.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32process.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32profile.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32security.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\win32ts.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\windows._cacheinvalidation.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wx._controls_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wx._core_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wx._gdi_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wx._html2.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wx._misc_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wx._windows_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wx._wizard.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wxbase294u_net_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wxbase294u_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wxmsw294u_adv_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wxmsw294u_core_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wxmsw294u_html_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43362\wxmsw294u_webview_vc90.dll
c:\users\spangenbergerd\AppData\Local\assembly\tmp
c:\users\spangenbergerd\AppData\Local\Google\Chrome\User Data\Default\preferences
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\_ctypes.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\_elementtree.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\_hashlib.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\_multiprocessing.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\_socket.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\_ssl.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\msvcp100.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\msvcr100.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\pyexpat.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\pysqlite2._sqlite.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\python27.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\pythoncom27.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\PyWinTypes27.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\select.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\unicodedata.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32api.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32com.shell.shell.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32crypt.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32event.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32file.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32inet.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32pdh.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32process.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32profile.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32security.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\win32ts.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\windows._cacheinvalidation.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wx._controls_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wx._core_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wx._gdi_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wx._html2.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wx._misc_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wx._windows_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wx._wizard.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wxbase294u_net_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wxbase294u_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wxmsw294u_adv_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wxmsw294u_core_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wxmsw294u_html_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43362\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-16 to 2013-09-16  )))))))))))))))))))))))))))))))
.
.
2013-09-16 15:54 . 2013-09-16 15:54 -------- d-----w- c:\users\hannigand\AppData\Local\temp
2013-09-16 15:54 . 2013-09-16 15:54 -------- d-----w- c:\users\easetup\AppData\Local\temp
2013-09-16 03:30 . 2013-08-06 08:58 9515512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B731022F-0D0C-4A33-83C2-2F62DA410177}\mpengine.dll
2013-09-13 10:25 . 2013-09-13 10:25 -------- d-----w- c:\program files (x86)\RealNetworks
2013-09-13 10:25 . 2013-09-13 10:25 -------- d-----w- c:\programdata\RealNetworks
2013-09-13 10:24 . 2013-09-13 10:24 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2013-08-25 16:20 . 2013-08-25 16:20 -------- d-----w- c:\users\spangenbergerd\AppData\Roaming\dvdcss
2013-08-20 23:36 . 2013-09-12 14:56 -------- d-----w- c:\users\spangenbergerd\AppData\Local\Screencast-O-Matic
2013-08-20 21:52 . 2013-08-20 23:40 -------- d-----w- c:\users\spangenbergerd\AppData\Roaming\Doceri Desktop
2013-08-20 21:52 . 2013-08-20 21:52 -------- d-----w- c:\users\spangenbergerd\Doceri
2013-08-20 21:52 . 2013-08-20 21:52 -------- d-----w- c:\program files (x86)\Doceri Desktop
2013-08-19 20:43 . 2013-08-19 20:43 -------- d-----w- c:\program files\iPod
2013-08-19 20:43 . 2013-08-19 20:44 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-19 20:43 . 2013-08-19 20:44 -------- d-----w- c:\program files\iTunes
2013-08-19 20:43 . 2013-08-19 20:44 -------- d-----w- c:\program files (x86)\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-15 19:33 . 2012-05-23 10:52 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-15 19:33 . 2011-12-19 13:55 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-13 10:24 . 2013-01-02 11:55 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2013-09-13 10:24 . 2013-01-02 11:55 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2013-08-12 03:32 . 2013-08-12 03:32 28609640 ----a-w- c:\program files\InstallScreencastOMatic-v1.4.exe
2013-08-12 03:18 . 2013-08-12 03:18 1998248 ----a-w- c:\program files\Driverwhiz.exe
2013-08-06 08:58 . 2012-12-20 21:31 9515512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-24 13:55 . 2013-07-24 13:55 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-24 13:55 . 2013-06-11 17:47 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-07-24 13:55 . 2011-12-19 13:55 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-05-27 04:49 . 2011-05-27 04:49 114688 ----a-w- c:\program files (x86)\ad_ff.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2013-06-27 20097696]
"17CFF3B0F600B12A5E485909BF200167590E7EBB._service_run"="c:\users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-09-02 829392]
"GoogleChromeAutoLaunch_459D6AD95F61E65A862C8F4C876537D5"="c:\users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-09-02 829392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"TOSDCR"="c:\program files (x86)\TOSHIBA\PasswordUtility\TOSDCR.exe" [2007-08-28 169296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SMART Board Tools"="c:\program files (x86)\SMART Technologies\Education Software\SMARTBoardTools.exe" [2013-01-31 9279824]
"sbsdk-server"="c:\program files (x86)\SMART Technologies\Education Software\sbsdk-server\NodeLauncher.exe" [2013-03-07 62800]
"SMART Board Service"="c:\program files (x86)\SMART Technologies\Education Software\SMARTBoardService.exe" [2013-03-07 2111824]
"SMART Ink"="c:\program files (x86)\SMART Technologies\Education Software\SMARTInk.exe" [2013-03-05 99152]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2013-09-13 295512]
.
c:\users\spangenbergerd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Box Sync.lnk - c:\program files\Box Sync\BoxSync.exe -hidden [2013-6-7 7959552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DefaultLogonDomain"= SESD
"HideFastUserSwitching"= 1 (0x1)
"SoftwareSASGeneration"= 2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-879983540-1801674531-10817\Scripts\Logon\0\0]
"Script"=DeleteSEMSPrinters.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-879983540-1801674531-17149\Scripts\Logon\0\0]
"Script"=DeleteSEMSPrinters.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-879983540-1801674531-17652\Scripts\Logon\0\0]
"Script"=DeleteSEMSPrinters.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Novell ZENworks Image-Safe Data Service;Novell ZENworks ISD Service;c:\program files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe;c:\program files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys;c:\windows\SYSNATIVE\drivers\rimspe64.sys [x]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys;c:\windows\SYSNATIVE\drivers\rixdpe64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S2 chromoting;Chrome Remote Desktop Service;c:\program files (x86)\Google\Chrome Remote Desktop\29.0.1547.32\remoting_host.exe;c:\program files (x86)\Google\Chrome Remote Desktop\29.0.1547.32\remoting_host.exe [x]
S2 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe;c:\windows\CCM\RemCtrl\CmRcService.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S2 risdxc;risdxc;c:\windows\system32\drivers\risdxc64.sys;c:\windows\SYSNATIVE\drivers\risdxc64.sys [x]
S2 SMARTHelperService;SMART Helper Service;c:\program files (x86)\SMART Technologies\Education Software\SMARTHelperService.exe;c:\program files (x86)\SMART Technologies\Education Software\SMARTHelperService.exe [x]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys;c:\windows\SYSNATIVE\Drivers\ATSwpWDF.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys;c:\windows\SYSNATIVE\DRIVERS\MpNWMon.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
S3 SMARTMouseFilterx64;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx64.sys;c:\windows\SYSNATIVE\DRIVERS\SMARTMouseFilterx64.sys [x]
S3 SMARTVHidMiniVistaAmd64;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMiniVistaAmd64.sys;c:\windows\SYSNATIVE\DRIVERS\SMARTVHidMiniVistaAmd64.sys [x]
S3 SMARTVTabletPCx64;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx64.sys;c:\windows\SYSNATIVE\DRIVERS\SMARTVTabletPCx64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-15 19:33]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-08 12:59]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-08 12:59]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-879983540-1801674531-17149Core.job
- c:\users\spangenbergerd\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 21:59]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-879983540-1801674531-17149UA.job
- c:\users\spangenbergerd\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 21:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopFileLocked]
@="{C253B817-3A00-475f-A5A3-6F2DD704B48D}"
[HKEY_CLASSES_ROOT\CLSID\{C253B817-3A00-475f-A5A3-6F2DD704B48D}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopNotSynced]
@="{19ACC806-F7AA-46AA-A80A-726A07CA6637}"
[HKEY_CLASSES_ROOT\CLSID\{19ACC806-F7AA-46AA-A80A-726A07CA6637}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopNotSyncedCollabs]
@="{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}"
[HKEY_CLASSES_ROOT\CLSID\{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopSynced]
@="{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}"
[HKEY_CLASSES_ROOT\CLSID\{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopSyncedCollab]
@="{9E48C232-F601-4E41-BB3E-16CBAF317AA4}"
[HKEY_CLASSES_ROOT\CLSID\{9E48C232-F601-4E41-BB3E-16CBAF317AA4}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-19 11775592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-10-29 1437064]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-31 167744]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-31 392512]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-31 417088]
"BoxSyncHelper"="c:\program files\Box Sync\BoxSyncHelper.exe" [2013-06-08 393216]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.sesdweb.net/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.138.50.250 10.141.40.250
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe
Wow6432Node-HKCU-Run-Weather - c:\program files (x86)\AWS\WeatherBug\Weather.exe
Wow6432Node-HKCU-Run-Yontoo Desktop - c:\users\spangenbergerd\AppData\Roaming\Yontoo\YontooDesktop.exe
Wow6432Node-HKLM-Run-ZenNotifyIcon - c:\program files (x86)\Novell\Zenworks\bin\ZenNotifyIcon.exe
Wow6432Node-HKLM-Run-NalView - c:\program files (x86)\Novell\ZENworks\bin\nalview.exe
Wow6432Node-HKLM-Run-Aimersoft Helper Compact.exe - c:\program files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
Wow6432Node-HKLM-Run-Wondershare Helper Compact.exe - c:\program files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
Wow6432Node-HKLM-Run-BrowserPlugInHelper - c:\program files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
Toolbar-Locked - (no file)
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
ShellExecuteHooks-{763370C4-268E-4308-A60C-D8DA0342BE32} - (no file)
AddRemove-ZENworks - c:\program files (x86)\novell\zenworks\bin\ZENworksUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-879983540-1801674531-17149\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1645522239-879983540-1801674531-17149\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files (x86)\SMART Technologies\Education Software\sbsdk-server\SBWDKService.exe
c:\program files (x86)\SMART Technologies\Education Software\Office\SMARTInk-SBSDKProxy.exe
c:\windows\CCM\SCNotification.exe
c:\program files (x86)\real\realplayer\RealPlay.exe
c:\program files (x86)\real\realplayer\RealPlay.exe
.
**************************************************************************
.
Completion time: 2013-09-16  12:09:17 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-16 16:09
.
Pre-Run: 135,802,933,248 bytes free
Post-Run: 135,915,483,136 bytes free
.
- - End Of File - - B3201A1F891564C53AADC18410D2EFDD
A36C5E4F47E84449FF07ED3517B43A31


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 17 September 2013 - 01:33 AM

Scan with SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main text field:

    :regfind
    tidy
    :filefind
    *tidy*
    :folderfind
    *tidy*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)
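An added PowerShell example (not from the post and not SystemLook's own code) that repeats the same three SystemLook checks natively: registry keys and values, files, and folders whose names contain a term, reported read-only in a layout close to SystemLook's. The default term 'tidy' comes from the post above; the search roots, the hives searched and the requirement of PowerShell 4.0 or later (for Get-FileHash) are assumptions, and it should be run from an elevated 64-bit console so the native rather than the WOW64 registry view is searched.

```powershell
# Added example: mirrors SystemLook's :regfind / :filefind / :folderfind for one term.
# Not SystemLook's own code. Read-only: it reports matches and deletes nothing.
# Run from an elevated 64-bit PowerShell (4.0+) so the native registry view is searched.
param(
    [string]$Term = 'tidy',                              # assumed default, taken from the post
    [string[]]$FileRoots = @($env:SystemDrive + '\')    # assumed: whole system drive
)

# :regfind -> key names, value names and string data containing the term.
# HKU covers every loaded profile, so HKCU hits also appear under their SID, as in SystemLook.
function Find-RegistryMatches {
    param([string]$Pattern)
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software', 'HKU:\'
    foreach ($hive in $hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like "*$Pattern*") {
                [pscustomobject]@{ Kind = 'Key'; Path = $key.Name; Detail = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($valueName -like "*$Pattern*" -or $data -like "*$Pattern*") {
                    [pscustomobject]@{ Kind = 'Value'; Path = $key.Name; Detail = "$valueName = $data" }
                }
            }
        }
    }
}

# :filefind -> files whose name contains the term, with size, timestamps and MD5
# (the same fields SystemLook prints, so results can be compared with its log).
function Find-FileMatches {
    param([string]$Pattern, [string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Filter "*$Pattern*" -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{
                    Kind   = 'File'
                    Path   = $_.FullName
                    Detail = ('{0} bytes [{1:HH:mm dd/MM/yyyy}] [{2:HH:mm dd/MM/yyyy}] {3}' -f
                              $_.Length, $_.LastWriteTime, $_.CreationTime, $hash)
                }
            }
    }
}

# :folderfind -> directories whose name contains the term.
function Find-FolderMatches {
    param([string]$Pattern, [string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Directory -Filter "*$Pattern*" -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'Folder'; Path = $_.FullName; Detail = '' } }
    }
}

$results  = @()
$results += Find-RegistryMatches -Pattern $Term
$results += Find-FileMatches     -Pattern $Term -Roots $FileRoots
$results += Find-FolderMatches   -Pattern $Term -Roots $FileRoots

if ($results.Count -eq 0) { "No matches for '$Term'." }
else { $results | Sort-Object Kind, Path | Format-Table -AutoSize -Wrap }
```

Expect false positives on a name this short, as the SystemLook log in the next post shows with Apple's libtidy.dll and SMART's "TIDYING" gallery item: a hit is a lead to examine, not something to delete on sight.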

#7 tompkinst

tompkinst
  • Topic Starter

  • Members
  • 23 posts

Posted 17 September 2013 - 06:50 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 07:49 on 17/09/2013 by spangenbergerd
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
 
========== regfind ==========
 
Searching for "tidy"
[HKEY_CURRENT_USER\Software\TidyNetwork.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TidyNetwork_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TidyNetwork_RASMANCS]
[HKEY_USERS\S-1-5-21-1645522239-879983540-1801674531-17149\Software\TidyNetwork.com]
 
========== filefind ==========
 
Searching for "*tidy*"
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libtidy.dll --a---- 329616 bytes [02:56 12/10/2012] [02:56 12/10/2012] 3687E37869B69040657E0CE3F5DB58AA
C:\ProgramData\SMART Technologies\Gallery Essentials\ELF_TALES_TIDYING_THE_BOOKS_0015CD72.galleryitem --a---- 1060167 bytes [12:20 16/08/2013] [19:56 26/04/2010] 7B8AD1F71AF7AD93F4AED40B6B28A9C8
C:\Users\All Users\SMART Technologies\Gallery Essentials\ELF_TALES_TIDYING_THE_BOOKS_0015CD72.galleryitem --a---- 1060167 bytes [12:20 16/08/2013] [19:56 26/04/2010] 7B8AD1F71AF7AD93F4AED40B6B28A9C8
 
========== folderfind ==========
 
Searching for "*tidy*"
No folders found.
 
-= EOF =-
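Reading a SystemLook log like the one above by eye works for a handful of hits, but the wildcard *tidy* also pulled in Apple's libtidy.dll and two unrelated gallery items. The parser below is an added example (not SystemLook's own code and not posted by anyone in this thread): it turns the regfind/filefind/folderfind sections into records, surfaces the WOW64 warning that makes the posted results incomplete, and narrows the hits to the vendor name. SAMPLE_LOG is constructed in the posted log's layout; the TidyNetwork keys and the libtidy.dll line mirror the log above, while tidyhelper.exe and its all-zero MD5 are invented placeholders.

```python
"""Parse a SystemLook log into structured records and narrow wildcard hits.
Added example; SAMPLE_LOG is constructed (tidyhelper.exe is a placeholder).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 07:49 on 17/09/2013 by exampleuser
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
========== regfind ==========
Searching for "tidy"
[HKEY_CURRENT_USER\Software\TidyNetwork.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TidyNetwork_RASAPI32]
========== filefind ==========
Searching for "*tidy*"
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libtidy.dll --a---- 329616 bytes [02:56 12/10/2012] [02:56 12/10/2012] 3687E37869B69040657E0CE3F5DB58AA
C:\ProgramData\Example\TidyNetwork\tidyhelper.exe --a---- 12345 bytes [09:00 01/09/2013] [09:00 01/09/2013] 00000000000000000000000000000000
========== folderfind ==========
Searching for "*tidy*"
No folders found.
-= EOF =-
"""

@dataclass
class FileHit:
    path: str
    attrs: str      # SystemLook attribute flags, e.g. "--a----"
    size: int       # bytes
    created: str    # "HH:MM DD/MM/YYYY" exactly as SystemLook prints it
    modified: str
    md5: str

@dataclass
class SystemLookReport:
    wow64_warning: bool = False   # 32-bit build on x64: redirected paths, incomplete results
    regfind: Dict[str, List[str]] = field(default_factory=dict)
    filefind: Dict[str, List[FileHit]] = field(default_factory=dict)
    folderfind: Dict[str, List[str]] = field(default_factory=dict)

_SECTION = re.compile(r"^=+\s*(regfind|filefind|folderfind)\s*=+$")
_SEARCH = re.compile(r'^Searching for "(.*)"$')
_FILE = re.compile(
    r"^(?P<path>.+?)\s(?P<attrs>[-A-Za-z]{7})\s(?P<size>\d+) bytes\s"
    r"\[(?P<created>[^\]]+)\]\s\[(?P<modified>[^\]]+)\]\s(?P<md5>[0-9A-Fa-f]{32})$"
)
_EMPTY = {"No files found.", "No folders found.", "No data found."}

def parse_systemlook(text: str) -> SystemLookReport:
    """Walk the log line by line; section headers and 'Searching for' lines set context."""
    report = SystemLookReport()
    section = term = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-= EOF =-":
            continue
        if line.startswith("WARNING: SystemLook running under WOW64"):
            report.wow64_warning = True
            continue
        m = _SECTION.match(line)
        if m:
            section, term = m.group(1), None
            continue
        m = _SEARCH.match(line)
        if m and section:
            term = m.group(1)
            getattr(report, section).setdefault(term, [])
            continue
        if section is None or term is None or line in _EMPTY:
            continue  # preamble, or a "nothing found" marker
        bucket = getattr(report, section)[term]
        if section == "filefind":
            fm = _FILE.match(line)
            if fm:  # a line in another layout is skipped rather than guessed at
                bucket.append(FileHit(fm["path"], fm["attrs"], int(fm["size"]),
                                      fm["created"], fm["modified"], fm["md5"].upper()))
        elif section == "regfind" and line.startswith("[") and line.endswith("]"):
            bucket.append(line[1:-1])  # registry key without the brackets
        else:
            bucket.append(line)  # regfind value lines and folderfind entries, verbatim
    return report

def hits_containing(report: SystemLookReport, needle: str) -> Tuple[List[str], List[FileHit], List[str]]:
    """Keep only hits naming `needle` (case-insensitive): the vendor name, not the wildcard,
    separates TidyNetwork entries from keyword collisions such as libtidy.dll."""
    n = needle.lower()
    keys = [k for hits in report.regfind.values() for k in hits if n in k.lower()]
    files = [f for hits in report.filefind.values() for f in hits if n in f.path.lower()]
    dirs = [d for hits in report.folderfind.values() for d in hits if n in d.lower()]
    return keys, files, dirs

if __name__ == "__main__":
    rep = parse_systemlook(SAMPLE_LOG)
    print("wow64 warning:", rep.wow64_warning)
    print(hits_containing(rep, "TidyNetwork"))
```

When wow64_warning is set, treat an empty result as unproven and rerun with SystemLook_x64 before concluding the machine is clean.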


#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:05 AM

Posted 17 September 2013 - 06:53 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.



#9 tompkinst

tompkinst
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:06:05 AM

Posted 17 September 2013 - 06:55 AM

I don't see an attached file.



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:05 AM

Posted 17 September 2013 - 06:57 AM

Rats - it happened again...:( Sorry for that!

Attached Files



#11 tompkinst

tompkinst
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:06:05 AM

Posted 17 September 2013 - 08:13 AM

Not a problem. Thanks for your quick replies! Below is the ComboFix log. I will post the Malwarebytes log once the scan finishes.



ComboFix 13-09-14.01 - spangenbergerd 09/17/2013   8:01.2.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3999.2064 [GMT -4:00]
Running from: c:\users\spangenbergerd\Desktop\ComboFix.exe
Command switches used :: c:\users\spangenbergerd\Desktop\CFScript.txt
AV: System Center 2012 Endpoint Protection *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: System Center 2012 Endpoint Protection *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\_ctypes.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\_elementtree.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\_hashlib.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\_multiprocessing.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\_socket.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\_ssl.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\msvcp100.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\msvcr100.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\pyexpat.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\pysqlite2._sqlite.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\python27.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\pythoncom27.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\PyWinTypes27.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\select.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\unicodedata.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32api.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32com.shell.shell.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32crypt.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32event.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32file.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32inet.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32pdh.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32process.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32profile.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32security.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\win32ts.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\windows._cacheinvalidation.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wx._controls_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wx._core_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wx._gdi_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wx._html2.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wx._misc_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wx._windows_.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wx._wizard.pyd
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wxbase294u_net_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wxbase294u_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wxmsw294u_adv_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wxmsw294u_core_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wxmsw294u_html_vc90.dll
c:\users\SPANGE~1\AppData\Local\Temp\_MEI43202\wxmsw294u_webview_vc90.dll
c:\users\spangenbergerd\AppData\Local\assembly\tmp
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\_ctypes.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\_elementtree.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\_hashlib.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\_multiprocessing.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\_socket.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\_ssl.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\msvcp100.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\msvcr100.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\pyexpat.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\pysqlite2._sqlite.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\python27.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\pythoncom27.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\PyWinTypes27.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\select.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\unicodedata.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32api.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32com.shell.shell.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32crypt.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32event.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32file.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32inet.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32pdh.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32process.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32profile.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32security.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\win32ts.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\windows._cacheinvalidation.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wx._controls_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wx._core_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wx._gdi_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wx._html2.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wx._misc_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wx._windows_.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wx._wizard.pyd
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wxbase294u_net_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wxbase294u_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wxmsw294u_adv_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wxmsw294u_core_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wxmsw294u_html_vc90.dll
c:\users\spangenbergerd\AppData\Local\Temp\_MEI43202\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-17 to 2013-09-17  )))))))))))))))))))))))))))))))
.
.
2013-09-17 12:07 . 2013-09-17 12:07 -------- d-----w- c:\users\hannigand\AppData\Local\temp
2013-09-17 12:07 . 2013-09-17 12:07 -------- d-----w- c:\users\easetup\AppData\Local\temp
2013-09-17 12:07 . 2013-09-17 12:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-17 12:07 . 2013-09-17 12:07 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-09-16 03:30 . 2013-08-06 08:58 9515512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B731022F-0D0C-4A33-83C2-2F62DA410177}\mpengine.dll
2013-09-13 10:25 . 2013-09-13 10:25 -------- d-----w- c:\program files (x86)\RealNetworks
2013-09-13 10:25 . 2013-09-13 10:25 -------- d-----w- c:\programdata\RealNetworks
2013-09-13 10:24 . 2013-09-13 10:24 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2013-08-25 16:20 . 2013-08-25 16:20 -------- d-----w- c:\users\spangenbergerd\AppData\Roaming\dvdcss
2013-08-20 23:36 . 2013-09-12 14:56 -------- d-----w- c:\users\spangenbergerd\AppData\Local\Screencast-O-Matic
2013-08-20 21:52 . 2013-08-20 23:40 -------- d-----w- c:\users\spangenbergerd\AppData\Roaming\Doceri Desktop
2013-08-20 21:52 . 2013-08-20 21:52 -------- d-----w- c:\users\spangenbergerd\Doceri
2013-08-20 21:52 . 2013-08-20 21:52 -------- d-----w- c:\program files (x86)\Doceri Desktop
2013-08-19 20:43 . 2013-08-19 20:43 -------- d-----w- c:\program files\iPod
2013-08-19 20:43 . 2013-08-19 20:44 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-19 20:43 . 2013-08-19 20:44 -------- d-----w- c:\program files\iTunes
2013-08-19 20:43 . 2013-08-19 20:44 -------- d-----w- c:\program files (x86)\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-15 19:33 . 2012-05-23 10:52 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-15 19:33 . 2011-12-19 13:55 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-13 10:24 . 2013-01-02 11:55 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2013-09-13 10:24 . 2013-01-02 11:55 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2013-08-12 03:32 . 2013-08-12 03:32 28609640 ----a-w- c:\program files\InstallScreencastOMatic-v1.4.exe
2013-08-12 03:18 . 2013-08-12 03:18 1998248 ----a-w- c:\program files\Driverwhiz.exe
2013-08-06 08:58 . 2012-12-20 21:31 9515512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-24 13:55 . 2013-07-24 13:55 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-24 13:55 . 2013-06-11 17:47 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-07-24 13:55 . 2011-12-19 13:55 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-05-27 04:49 . 2011-05-27 04:49 114688 ----a-w- c:\program files (x86)\ad_ff.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2013-06-27 20097696]
"17CFF3B0F600B12A5E485909BF200167590E7EBB._service_run"="c:\users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-09-02 829392]
"GoogleChromeAutoLaunch_459D6AD95F61E65A862C8F4C876537D5"="c:\users\spangenbergerd\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-09-02 829392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"TOSDCR"="c:\program files (x86)\TOSHIBA\PasswordUtility\TOSDCR.exe" [2007-08-28 169296]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SMART Board Tools"="c:\program files (x86)\SMART Technologies\Education Software\SMARTBoardTools.exe" [2013-01-31 9279824]
"sbsdk-server"="c:\program files (x86)\SMART Technologies\Education Software\sbsdk-server\NodeLauncher.exe" [2013-03-07 62800]
"SMART Board Service"="c:\program files (x86)\SMART Technologies\Education Software\SMARTBoardService.exe" [2013-03-07 2111824]
"SMART Ink"="c:\program files (x86)\SMART Technologies\Education Software\SMARTInk.exe" [2013-03-05 99152]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2013-09-13 295512]
.
c:\users\spangenbergerd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Box Sync.lnk - c:\program files\Box Sync\BoxSync.exe -hidden [2013-6-7 7959552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DefaultLogonDomain"= SESD
"HideFastUserSwitching"= 1 (0x1)
"SoftwareSASGeneration"= 2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-879983540-1801674531-10817\Scripts\Logon\0\0]
"Script"=DeleteSEMSPrinters.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-879983540-1801674531-17149\Scripts\Logon\0\0]
"Script"=DeleteSEMSPrinters.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-879983540-1801674531-17652\Scripts\Logon\0\0]
"Script"=DeleteSEMSPrinters.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Novell ZENworks Image-Safe Data Service;Novell ZENworks ISD Service;c:\program files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe;c:\program files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys;c:\windows\SYSNATIVE\drivers\rimspe64.sys [x]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys;c:\windows\SYSNATIVE\drivers\rixdpe64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S2 chromoting;Chrome Remote Desktop Service;c:\program files (x86)\Google\Chrome Remote Desktop\29.0.1547.32\remoting_host.exe;c:\program files (x86)\Google\Chrome Remote Desktop\29.0.1547.32\remoting_host.exe [x]
S2 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe;c:\windows\CCM\RemCtrl\CmRcService.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S2 risdxc;risdxc;c:\windows\system32\drivers\risdxc64.sys;c:\windows\SYSNATIVE\drivers\risdxc64.sys [x]
S2 SMARTHelperService;SMART Helper Service;c:\program files (x86)\SMART Technologies\Education Software\SMARTHelperService.exe;c:\program files (x86)\SMART Technologies\Education Software\SMARTHelperService.exe [x]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys;c:\windows\SYSNATIVE\Drivers\ATSwpWDF.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys;c:\windows\SYSNATIVE\DRIVERS\MpNWMon.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
S3 SMARTMouseFilterx64;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx64.sys;c:\windows\SYSNATIVE\DRIVERS\SMARTMouseFilterx64.sys [x]
S3 SMARTVHidMiniVistaAmd64;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMiniVistaAmd64.sys;c:\windows\SYSNATIVE\DRIVERS\SMARTVHidMiniVistaAmd64.sys [x]
S3 SMARTVTabletPCx64;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx64.sys;c:\windows\SYSNATIVE\DRIVERS\SMARTVTabletPCx64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-15 19:33]
.
2013-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-08 12:59]
.
2013-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-08 12:59]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-879983540-1801674531-17149Core.job
- c:\users\spangenbergerd\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 21:59]
.
2013-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-879983540-1801674531-17149UA.job
- c:\users\spangenbergerd\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-29 21:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopFileLocked]
@="{C253B817-3A00-475f-A5A3-6F2DD704B48D}"
[HKEY_CLASSES_ROOT\CLSID\{C253B817-3A00-475f-A5A3-6F2DD704B48D}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopNotSynced]
@="{19ACC806-F7AA-46AA-A80A-726A07CA6637}"
[HKEY_CLASSES_ROOT\CLSID\{19ACC806-F7AA-46AA-A80A-726A07CA6637}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopNotSyncedCollabs]
@="{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}"
[HKEY_CLASSES_ROOT\CLSID\{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopSynced]
@="{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}"
[HKEY_CLASSES_ROOT\CLSID\{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopSyncedCollab]
@="{9E48C232-F601-4E41-BB3E-16CBAF317AA4}"
[HKEY_CLASSES_ROOT\CLSID\{9E48C232-F601-4E41-BB3E-16CBAF317AA4}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-27 20:11 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-19 11775592]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-10-29 1437064]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-31 167744]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-31 392512]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-31 417088]
"BoxSyncHelper"="c:\program files\Box Sync\BoxSyncHelper.exe" [2013-06-08 393216]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.sesdweb.net/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.138.50.250 10.141.40.250
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-ZENworks - c:\program files (x86)\novell\zenworks\bin\ZENworksUninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-879983540-1801674531-17149\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1645522239-879983540-1801674531-17149\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\users\spangenbergerd\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files (x86)\SMART Technologies\Education Software\sbsdk-server\SBWDKService.exe
c:\windows\CCM\SCNotification.exe
c:\program files (x86)\SMART Technologies\Education Software\Office\SMARTInk-SBSDKProxy.exe
c:\program files (x86)\real\realplayer\RealPlay.exe
c:\program files (x86)\real\realplayer\RealPlay.exe
.
**************************************************************************
.
Completion time: 2013-09-17  08:20:15 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-17 12:20
ComboFix2.txt  2013-09-16 16:09
.
Pre-Run: 135,999,385,600 bytes free
Post-Run: 135,898,914,816 bytes free
.
- - End Of File - - 7E1AC8CAD50CF3A206553F9B11498072
A36C5E4F47E84449FF07ED3517B43A31


#12 tompkinst

tompkinst
  • Topic Starter

  • Members
  • 23 posts
  • Local time:06:05 AM

Posted 17 September 2013 - 10:08 AM

No threats found in malwarebytes. Below is the log.



Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.10.11
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
spangenbergerd :: EAST07372 [administrator]
 
9/17/2013 9:13:55 AM
mbam-log-2013-09-17 (09-13-55).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 466345
Time elapsed: 57 minute(s), 43 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)


#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 17 September 2013 - 10:11 AM

OK, then we have to do another run with adwcleaner and a cross check with ESET:
Scan with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.

  • Hit Scan. Wait for the scan to finish.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB

#14 tompkinst

tompkinst
  • Topic Starter

  • Members
  • 23 posts
  • Local time:06:05 AM

Posted 17 September 2013 - 10:44 AM

# AdwCleaner v3.004 - Report created 17/09/2013 at 11:21:11
# Updated 15/09/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : spangenbergerd - EAST07372
# Running from : C:\Users\spangenbergerd\Desktop\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\spangenbergerd\AppData\Local\Google\Chrome\User Data\Default\Extensions\blaofbhgbmeikidhlkmjhbkbfohpgekf
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16490
 
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\hannigand\AppData\Roaming\Mozilla\Firefox\Profiles\t1lxsw07.default\prefs.js ]
 
 
*************************
 
AdwCleaner[R0].txt - [0 octets] - [16/09/2013 10:47:50]
AdwCleaner[R1].txt - [7248 octets] - [16/09/2013 10:52:27]
AdwCleaner[R2].txt - [1089 octets] - [17/09/2013 11:18:26]
AdwCleaner[S0].txt - [6658 octets] - [16/09/2013 10:56:03]
AdwCleaner[S1].txt - [1013 octets] - [17/09/2013 11:21:11]
 
########## EOF - H:\AdwCleaner\AdwCleaner[S1].txt - [1073 octets] ##########


#15 tompkinst

tompkinst
  • Topic Starter

  • Members
  • 23 posts
  • Local time:06:05 AM

Posted 17 September 2013 - 11:49 AM

C:\Users\spangenbergerd\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\back.js JS/Adware.Yontoo.B application
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\yl.js JS/Adware.Yontoo.A application
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\back.js JS/Adware.Yontoo.B application
C:\Users\spangenbergerd\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\yl.js JS/Adware.Yontoo.A application