TechSpot

Help needed to determine if my machine is infected..

By bobbygeorge
Jan 3, 2011
  1. Help needed to determine if my machine is infected... (kind of urgent, playing up a lot)

    I am using vista, 64 bit.
    I believe my machine was deliberately infected with malware, but unsure how bad it is. I will include some logs below:


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5448

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    03/01/2011 18:32:31
    mbam-log-2011-01-03 (18-32-31).txt

    Scan type: Quick scan
    Objects scanned: 157630
    Time elapsed: 3 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Shaun\downloads\setupcasino_10fec3.exe (PUP.Casino) -> Quarantined and deleted successfully.

    -----------------------------------------------------------------------------------------------------

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-03 19:28:51
    Windows 6.0.6002 Service Pack 2
    Running: bym2ebeo.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBA 0xB5 0x60 0x8C ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBA 0xB5 0x60 0x8C ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}@jamgffmgahcacledlfic 0x6F 0x61 0x6D 0x67 ...

    ---- EOF - GMER 1.0.15 ----

    --------------------------------------------------------------------------------------------------------



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 01/10/2009 02:24:41
    System Uptime: 03/01/2011 18:33:55 (1 hours ago)

    Motherboard: PEGATRON CORPORATION | | NARRA5
    Processor: AMD Phenom(tm) 9650 Quad-Core Processor | Socket AM2 | 1200/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 451 GiB total, 79.303 GiB free.
    D: is FIXED (NTFS) - 15 GiB total, 2.133 GiB free.
    E: is CDROM ()
    J: is Removable
    K: is Removable
    L: is Removable
    N: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    AAA Logo 2008 2.10
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Any Video Converter 3.0.5
    ArcSoft VideoImpression 2
    µTorrent
    AVG 9.0
    AVS Audio Converter version 6.2
    AVS Update Manager 1.0
    AVS4YOU Software Navigator 1.4
    Belkin Wireless USB Adapter Setup
    Bing Bar
    Bing Bar Platform
    Blaze Media Pro
    Casino.com
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    Compatibility Pack for the 2007 Office system
    Conduit Engine
    Convert WAV To MP3 1.0
    CyberLink DVD Suite Deluxe
    D3DX10
    DirectX for Managed Code Update (Summer 2004)
    DVDVideoSoftTB Toolbar
    Free Video to MP3 Converter version 4.2.12
    Free WMA to MP3 Converter 1.16
    FreeRIP v3.42
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Advisor
    HP Customer Experience Enhancements
    HP Games
    HP MediaSmart Demo
    HP MediaSmart DVD
    HP MediaSmart Music/Photo/Video
    HP Odometer
    HP Picasso Media Center Add-In
    HP Recovery Manager RSS
    HP Support Information
    HP Total Care Setup
    HP Update
    HPAsset component for HP Active Support Library
    Huawei modem
    Java(TM) 6 Update 16
    Junk Mail filter update
    K-Lite Codec Pack 5.1.0 (Full)
    LabelPrint
    LG PC Suite II
    LG USB Modem driver
    LightScribe System Software
    Live 7.0.14
    Magic Desktop
    Magic DVD Copier Version 5.0.0
    Malwarebytes' Anti-Malware
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook Connector
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.6.8)
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 7 Ultra Edition
    neroxml
    PC VGA Camer@ Plus
    PokerStars
    Power Structure
    Power2Go
    PowerDirector
    PowerISO
    Pro Evolution Soccer 2009
    Python 2.6 pywin32-212
    Python 2.6.1
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.0
    Reason 4.0.1
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Segoe UI
    Skins
    Skype™ Beta 4.2
    Spybot - Search & Destroy
    SpyShelter Premium 4.55
    Steinberg Cubase 5
    Steinberg Drum Loop Expansion 01
    Steinberg Groove Agent ONE Content
    Steinberg HALionOne
    Steinberg HALionOne Additional Content Set 01
    Steinberg HALionOne Expression Set
    Steinberg HALionOne GM Drum Set
    Steinberg HALionOne GM Set
    Steinberg HALionOne Pro Set
    Steinberg HALionOne Studio Drum Set
    Steinberg HALionOne Studio Set
    Steinberg LoopMash Content
    Steinberg REVerence Content 01
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    uTorrentBar Toolbar
    Visual C++ 8.0 Runtime Setup Package (x64)
    Wav2MP3 Wizard v3.2 (Build 354)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Player Firefox Plugin
    Word to PDF Converter

    ==== End Of File ===========================


    --------------------------------------------------------------------------------------------------------



    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Shaun at 19:33:21.31 on 03/01/2011
    Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_16
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.4094.2142 [GMT 0:00]

    AV: AVG Internet Security 3-pack *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Internet Security 3-pack *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
    C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\a-squared Free\a2service.exe
    C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
    C:\Program Files (x86)\AVG\AVG9\avgfws9.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\Blaze Media Pro\NMSAccess32.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\AVG\AVG9\avgam.exe
    C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files (x86)\AVG\AVG9\avgtray.exe
    C:\Program Files (x86)\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Users\Shaun\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Shaun\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Shaun\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Shaun\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = Preserve
    mStart Page = hxxp://www.yahoo.com/
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    uURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    mURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
    TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files (x86)\DVDVideoSoftTB\tbDVDV.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [Google Update] "C:\Users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [SpyShelter] C:\Program Files (x86)\SpyShelter Premium\SpyShelter.exe
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: HideFastUserSwitching = 0 (0x0)
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB-X64: {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - No File
    mRun-x64: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    AppInit_DLLs-X64: avgrssta.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - C:\Users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q=
    FF - component: C:\Program Files (x86)\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
    FF - component: C:\Users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\FFExternalAlert.dll
    FF - component: C:\Users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCore.dll
    FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: C:\Users\Shaun\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - C:\Program Files (x86)\AVG\AVG9\Firefox
    FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSErHrvta;AVG9IDSErHr;C:\Windows\System32\drivers\AVGIDSva.sys [2010-6-14 27216]
    R0 AvgRkx64;avgrkx64.sys;C:\Windows\System32\drivers\avgrkx64.sys [2010-6-14 56008]
    R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-6-14 29976]
    R1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2010-6-14 269904]
    R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2010-6-14 35536]
    R1 AvgTdiA;AVG Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2010-6-14 317520]
    R1 SpyShelter;SpyShelter;C:\Program Files (x86)\SpyShelter Premium\SpyShelter.sys [2010-10-6 178624]
    R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/06/17 03:51:03];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2010-6-17 146928]
    R2 a2free;a-squared Free Service;C:\Program Files (x86)\a-squared Free\a2service.exe [2010-6-14 1872320]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-3-10 202752]
    R2 avg9wd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-6-23 308136]
    R2 avgfws9;AVG Firewall;C:\Program Files (x86)\AVG\AVG9\avgfws9.exe [2010-6-23 2331544]
    R2 AVGIDSAgent;AVG9IDSAgent;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-6-23 5897808]
    R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\system32\svchost.exe -k netsvcs [2008-1-21 27648]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-1-26 1153368]
    R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atipmdag.sys [2010-3-10 6403072]
    R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-3-10 188928]
    R3 AVGIDSDrivervta;AVG9IDSDriver;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista64\AVGIDSDriver.sys [2010-6-14 132688]
    R3 AVGIDSFiltervta;AVG9IDSFilter;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista64\AVGIDSFilter.sys [2010-6-14 35920]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 RelevantKnowledge;RelevantKnowledge;C:\Program Files (x86)\RelevantKnowledge\rlservice.exe /service --> C:\Program Files (x86)\RelevantKnowledge\rlservice.exe [?]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 27648]
    S3 fssfltr;FssFltr;C:\Windows\System32\drivers\fssfltr.sys [2010-11-10 48488]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
    S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\System32\drivers\netr28ux.sys [2011-1-2 804864]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
    S3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);C:\Windows\System32\drivers\swnc8u90.sys [2008-12-2 206848]
    S3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);C:\Windows\System32\drivers\swumx90.sys [2008-11-17 194944]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-4-1 89920]

    =============== File Associations ===============

    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

    =============== Created Last 30 ================

    2011-01-02 21:48:53 804864 ----a-w- C:\Windows\System32\drivers\netr28ux.sys
    2011-01-02 21:48:53 305664 ----a-w- C:\Windows\System32\RaCoInstx.dll
    2011-01-02 21:48:53 -------- d-----w- C:\Program Files (x86)\Belkin
    2010-12-15 13:34:44 -------- d-----w- C:\fb09c73799e3104f11c2afcb
    2010-12-15 13:19:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2010-12-15 13:19:53 2048 ----a-w- C:\Windows\System32\tzres.dll
    2010-12-15 13:19:37 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
    2010-12-15 13:19:37 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
    2010-12-15 13:19:36 87552 ----a-w- C:\Windows\System32\consent.exe
    2010-12-15 13:19:35 68096 ----a-w- C:\Program Files\Windows Mail\wabmig.exe
    2010-12-15 13:19:35 66048 ----a-w- C:\Program Files (x86)\Windows Mail\wabmig.exe
    2010-12-15 13:19:35 516096 ----a-w- C:\Program Files\Windows Mail\wab.exe
    2010-12-15 13:19:35 515584 ----a-w- C:\Program Files (x86)\Windows Mail\wab.exe
    2010-12-15 13:19:35 35328 ----a-w- C:\Program Files\Windows Mail\wabfind.dll
    2010-12-15 13:19:35 33280 ----a-w- C:\Program Files (x86)\Windows Mail\wabfind.dll
    2010-12-09 19:00:11 34304 ----a-w- C:\Windows\System32\drivers\swmsflt.sys
    2010-12-09 19:00:07 -------- d-----w- C:\Users\Shaun\AppData\Roaming\Sierra Wireless
    2010-12-09 19:00:07 -------- d-----w- C:\Program Files (x86)\Sierra Wireless Inc
    2010-12-05 17:27:16 -------- d-----w- C:\Program Files (x86)\ConduitEngine
    2010-12-05 17:27:10 -------- d-----w- C:\Program Files (x86)\uTorrentBar
    2010-12-05 17:26:36 -------- d-----w- C:\Program Files (x86)\uTorrent
    2010-12-05 17:25:46 -------- d-----w- C:\Users\Shaun\AppData\Roaming\uTorrent
    2010-12-05 17:24:38 -------- d-----w- C:\Users\Shaun\AppData\Roaming\GetRightToGo
    2010-12-04 20:35:56 -------- d-----w- C:\Casino

    ==================== Find3M ====================

    2010-12-20 18:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2010-12-06 13:44:16 71279 ----a-w- C:\Windows\Huawei ModemsUninstall.exe
    2010-11-22 14:33:08 99384 ----a-w- C:\Users\Shaun\AppData\Roaming\inst.exe
    2010-11-22 14:33:08 82816 ----a-w- C:\Windows\System32\drivers\pcouffin.sys
    2010-11-22 14:33:08 82816 ----a-w- C:\Users\Shaun\AppData\Roaming\pcouffin.sys
    2010-11-10 00:46:45 269904 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
    2010-11-06 11:18:48 500224 ----a-w- C:\Windows\System32\wmicmiplugin.dll
    2010-11-06 11:18:27 655872 ----a-w- C:\Windows\System32\taskschd.dll
    2010-11-06 11:18:27 410112 ----a-w- C:\Windows\System32\taskcomp.dll
    2010-11-06 11:18:13 855040 ----a-w- C:\Windows\System32\schedsvc.dll
    2010-11-04 23:58:17 267776 ----a-w- C:\Windows\System32\taskeng.exe
    2010-11-04 18:55:38 352768 ----a-w- C:\Windows\SysWow64\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
    2010-11-04 16:34:06 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
    2010-11-02 06:27:41 1147904 ----a-w- C:\Windows\System32\wininet.dll
    2010-11-02 06:24:01 56832 ----a-w- C:\Windows\System32\licmgr10.dll
    2010-11-02 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
    2010-11-02 06:23:35 77312 ----a-w- C:\Windows\System32\iesetup.dll
    2010-11-02 06:23:35 132096 ----a-w- C:\Windows\System32\iesysprep.dll
    2010-11-02 06:01:54 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
    2010-11-02 05:25:33 479232 ----a-w- C:\Windows\System32\html.iec
    2010-11-02 05:01:31 385024 ----a-w- C:\Windows\SysWow64\html.iec
    2010-11-02 04:45:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
    2010-11-02 04:44:24 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2010-11-02 04:26:10 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2010-10-28 16:29:18 48128 ----a-w- C:\Windows\System32\atmlib.dll
    2010-10-28 15:44:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2010-10-28 14:05:21 367104 ----a-w- C:\Windows\System32\atmfd.dll
    2010-10-28 13:27:47 292352 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2010-10-18 15:25:36 2753536 ----a-w- C:\Windows\System32\win32k.sys

    ============= FINISH: 19:34:06.36 ===============



    Hope these logs are sufficient to help determine any infections.

    Thanks,

    BobbyGeorge
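    The logs above are the raw material a helper reads by eye. As an added example (not part of the original post or of the DDS tool), the script below runs a few first-pass triage heuristics over a constructed sample made of lines copied from the posted DDS log: orphaned BHO/toolbar registrations ("No File"), hosts-file overrides, AppInit_DLLs entries, browser start/search settings pointing at an assumed search-affiliate host, and services whose binary DDS could not stat ("[?]"). The category names, the `SEARCH_AFFILIATE_HOSTS` set and the `triage`/`summarize`/`browser_host` functions are my own assumptions; the checks only surface lines for review, they do not decide that anything is malicious.

```python
"""First-pass triage heuristics for a DDS 'Pseudo HJT' / services log section.

Added example, not code from the post or from DDS. Sample lines are copied from
the posted log; the categories and the affiliate-host list are assumptions.
"""
import re
from collections import Counter

# Constructed sample: a subset of lines lifted from the posted DDS log.
SAMPLE_LOG = r"""
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
mStart Page = hxxp://www.yahoo.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
AppInit_DLLs-X64: avgrssta.dll
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
R2 avg9wd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-6-23 308136]
S2 RelevantKnowledge;RelevantKnowledge;C:\Program Files (x86)\RelevantKnowledge\rlservice.exe /service --> C:\Program Files (x86)\RelevantKnowledge\rlservice.exe [?]
"""

# DDS defangs URLs as hxxp://; match that form when extracting the host.
URL_RE = re.compile(r"hxxps?://([^/?\s]+)", re.IGNORECASE)
# Service lines: "R2 name;display name;path [date size]" (R = running, S = stopped).
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# Substrings that mark a browser home-page or search setting in IE/Firefox lines.
BROWSER_KEYS = ("Start Page", "Search Page", "Search Bar", "Default_Page_URL",
                "Default_Search_URL", "SearchURL", "browser.search",
                "browser.startup", "keyword.URL")

# Assumption: hosts worth flagging when they own the home/search page.
# search.conduit.com is the Conduit toolbar affiliate visible in the log.
SEARCH_AFFILIATE_HOSTS = {"search.conduit.com"}


def browser_host(line):
    """Return the host a browser start/search setting points at, or None."""
    if not any(key in line for key in BROWSER_KEYS):
        return None
    m = URL_RE.search(line)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return a list of (category, line) findings for the heuristics below."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("- No File"):
            # A BHO/toolbar CLSID whose DLL is gone: leftover registration, remove the key.
            findings.append(("orphaned_registration", line))
            continue
        if line.startswith("Hosts:"):
            # hosts-file override. Security tools' "immunize" features also write hosts
            # entries, so confirm who added it before treating it as malicious.
            findings.append(("hosts_override", line))
            continue
        if line.startswith("AppInit_DLLs"):
            # Loaded into every process that maps user32.dll. Vendor DLLs (here AVG's)
            # land in this key too, so verify the file's signer, not just its presence.
            findings.append(("appinit_dll", line))
            continue
        host = browser_host(line)
        if host and host in SEARCH_AFFILIATE_HOSTS:
            findings.append(("search_hijack", line))
            continue
        svc = SERVICE_RE.match(line)
        if svc and svc.group(5).rstrip().endswith("[?]"):
            # DDS prints [?] when it cannot stat the service binary: missing file,
            # hidden file, or malformed ImagePath. All three deserve a look.
            findings.append(("service_file_unverified", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for cat, line in hits:
        print(f"[{cat}] {line}")
    print(summarize(hits))
```

    Run against the full posted log, the same checks would also pick up the remaining "No File" toolbar entries and the Firefox search prefs; anything flagged still needs a human to decide whether it is a leftover, a vendor component, or something to remove.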
  2. Bobbye


    Welcome to TechSpot! Can you tell me what problems you are experiencing that lead you to believe the system has a malware infection? It would also be helpful if you know what method someone used to infect the system. I'm checking these logs now and I see several potential problem areas- so while I finish checking these logs, please run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================================
    Note: you will have to uninstall AVG to run the following program:
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===============================================
    Please uninstall or disable the following while I am helping you:
    µTorrent
    uTorrentBar Toolbar
    FreeRIP v3.42

    If you choose not to uninstall them, do not allow use while we're cleaning.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Well to start with, OSD Lockout keeps popping up and seems to be controlled by someone else.
    Also, someone mentioned the blue screen of death to me, and said if it happened you have to press ctrl 5 times to get rid of it. The same evening it happened....too much of a coincidence for me.
    All this started happening after a guy shared some files with me and installed a game.


    Ran as you suggested, logs below:

    ComboFix 11-01-04.01 - Shaun 04/01/2011 20:36:36.1.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.4094.2506 [GMT 0:00]
    Running from: c:\users\Shaun\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Shaun\AppData\Roaming\.#
    c:\users\Shaun\AppData\Roaming\inst.exe
    c:\windows\system32\Memman.vxd
    c:\windows\system32\skinboxer43.dll
    c:\windows\system32\system
    c:\windows\SysWow64\Memman.vxd
    c:\windows\SysWow64\skinboxer43.dll
    c:\windows\SysWow64\system

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_RelevantKnowledge


    ((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
    .

    2011-01-04 18:05 . 2011-01-04 18:05 -------- d-----w- c:\program files (x86)\ESET
    2011-01-04 02:30 . 2011-01-04 02:34 -------- d-----r- c:\users\Shaun\Music Production Videos
    2011-01-04 01:11 . 2011-01-04 14:42 -------- d-----r- c:\users\Shaun\Documentaries
    2011-01-03 20:16 . 2011-01-03 20:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2011-01-03 20:08 . 2011-01-03 20:08 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-02 21:48 . 2011-01-02 21:48 -------- d-----w- c:\program files (x86)\Belkin
    2010-12-15 13:34 . 2010-12-15 13:40 -------- d-----w- C:\fb09c73799e3104f11c2afcb
    2010-12-15 13:19 . 2010-10-28 13:20 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2010-12-15 13:19 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2010-12-15 13:19 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
    2010-12-15 13:19 . 2010-10-12 17:43 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2010-12-15 13:19 . 2010-10-12 15:53 33280 ----a-w- c:\program files (x86)\Windows Mail\wabfind.dll
    2010-12-15 13:19 . 2010-10-12 15:19 516096 ----a-w- c:\program files\Windows Mail\wab.exe
    2010-12-15 13:19 . 2010-10-12 15:19 68096 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2010-12-15 13:19 . 2010-10-12 13:41 66048 ----a-w- c:\program files (x86)\Windows Mail\wabmig.exe
    2010-12-15 13:19 . 2010-10-12 13:41 515584 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
    2010-12-09 19:00 . 2010-12-09 19:04 -------- d-----w- c:\users\Shaun\AppData\Roaming\Sierra Wireless
    2010-12-09 19:00 . 2010-12-09 19:01 -------- d-----w- c:\program files (x86)\Sierra Wireless Inc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2010-07-05 02:29 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-11-22 14:33 . 2010-11-22 14:33 82816 ----a-w- c:\users\Shaun\AppData\Roaming\pcouffin.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-11-13 3913000]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    2010-04-27 10:08 2393184 ----a-w- c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-11-13 3913000]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-13 3913000]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-24 136176]
    "SpyShelter"="c:\program files (x86)\SpyShelter Premium\SpyShelter.exe" [2010-09-20 2233792]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "HideFastUserSwitching"= 0 (0x0)

    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\windows\10127553.exe \??\c:\windows\10127553.dat

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]
    R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
    R3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\DRIVERS\swnc8u90.sys [2008-12-02 206848]
    R3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\DRIVERS\swumx90.sys [2008-11-17 194944]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-09 834544]
    S1 SpyShelter;SpyShelter;c:\program files (x86)\SpyShelter Premium\SpyShelter.sys [2010-09-20 178624]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/06/17 03:51];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-09 13:26 146928]
    S2 a2free;a-squared Free Service;c:\program files (x86)\a-squared Free\a2service.exe [2010-06-14 1872320]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-10 202752]
    S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-10 6403072]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-10 188928]
    S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000Core.job
    - c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

    2011-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000UA.job
    - c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

    2010-12-12 c:\windows\Tasks\HPCeeScheduleForShaun.job
    - c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-11 17:17]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF5231.cfxxe" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    FF - ProfilePath - c:\users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe



    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2692080489-224753940-1066125639-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}*]
    "jamgffmgahcacledlfic"=hex:6f,61,6d,67,63,68,62,67,6c,61,67,6c,65,68,66,66,62,
    6e,6b,6f,6b,61,6c,68,64,6c,66,6d,66,64,00,9b

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Blaze Media Pro\NMSAccess32.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-04 20:57:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-04 20:57

    Pre-Run: 172,647,124,992 bytes free
    Post-Run: 191,246,274,560 bytes free

    - - End Of File - - E1A11076021B5A9049683D134BBD97A6



    C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application
    C:\Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus
    C:\Windows\SysWOW64\ezShellStart.exe probably unknown NewHeur_PE virus



    _________________________________________________________________

    Thanks!
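The helper reads the ComboFix log above by eye; the Python below is an added example (not part of this thread and not ComboFix's own code) that applies the same triage rules mechanically to the autostart lines: it compares the BootExecute value with the stock Windows value `autocheck autochk *`, lists Run/RunOnce entries and services whose file is marked missing (`[X]`/`[x]`), notes autostarts that live under a user's AppData, and reports the LoadAppInit_DLLs switch. SAMPLE_LOG is a subset copied from the log posted above; the finding categories and the AppData heuristic are my own choices, not ComboFix output.

```python
"""Triage of ComboFix 'Reg Loading Points' and service lines.

Added example: not part of the thread and not ComboFix's own code.
The rules are the ones a helper applies by eye; SAMPLE_LOG is copied
from the log posted above (a constructed subset, not a full log).
"""
import re

# Stock value of the BootExecute multi-string on Windows. Anything else in it
# runs at boot, before the shell, and should be identified.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}
BOOTEXECUTE_PREFIX = "BootExecute REG_MULTI_SZ "

# "Name"="target" [date size]   or   "Name"="target" [X]  (file not found)
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s+\[(?P<tail>[^\]]*)\]$')
# R3 name;description;path [date size]   or   ... path [x]  (file not found)
SERVICE_ENTRY = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);'
    r'(?P<path>.*?)\s+\[(?P<tail>[^\]]*)\]$')

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-24 136176]
"SpyShelter"="c:\program files (x86)\SpyShelter Premium\SpyShelter.exe" [2010-09-20 2233792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\windows\10127553.exe \??\c:\windows\10127553.dat

R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\DRIVERS\swnc8u90.sys [2008-12-02 206848]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"""


def triage(log_text):
    """Return (category, detail) findings in the order they appear in the log."""
    findings = []
    key = None  # registry key the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if line.startswith(BOOTEXECUTE_PREFIX):
            # ComboFix prints the multi-string with a literal "\0" between entries.
            for value in line[len(BOOTEXECUTE_PREFIX):].split(r"\0"):
                value = value.strip()
                if value.lower() not in DEFAULT_BOOTEXECUTE:
                    findings.append(("bootexecute-extra", value))
            continue
        if line.startswith('"LoadAppInit_DLLs"=') and not line.endswith("=0x0"):
            # AppInit_DLLs injects into every user32-linked process; worth knowing it is on.
            findings.append(("appinit-dlls-enabled", key or ""))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            detail = f'{m["name"]} -> {m["target"]}'
            if m["tail"].upper() == "X":
                findings.append(("autostart-target-missing", detail))
            elif "\\appdata\\" in m["target"].lower():
                # Heuristic: profile-resident autostarts are legitimate for some
                # updaters but are also where most commodity malware parks itself.
                findings.append(("autostart-in-user-profile", detail))
            continue
        m = SERVICE_ENTRY.match(line)
        if m and m["tail"].lower() == "x":
            findings.append(("service-file-missing", f'{m["name"]} -> {m["path"]}'))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Run it as a script to print the findings for the sample. The categories are deliberately neutral: a Run entry pointing at a missing file is clutter rather than a threat, and a profile-resident updater is normal, but an entry in BootExecute that is not part of the stock value runs before the desktop exists and is exactly the kind of line a helper needs to identify before deciding what to remove.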
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  5. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    hey

    I am not familiar with that site either....I did not post that thread, probably posted by those who have infected my computer.

    This is the only site I am using and will be using to sort out the difficulties I am facing.

    So your help is much appreciated, you can be sure of that much.

    Thanks again.

    P.S. How did you even find that site? I tried searching google for my title....and it did not show up....


    Also, shall I run eset again and delete those viruses.....they look feckin nasty?

    And I have also installed avg 2011 since.....but have not run it yet.
     
  6. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Help needed to determine if my machine is infected...(kind of urgent,playing up alot)

    Help please......
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- got snowed yesterday.
    Regarding Computer Monitor OSD Lockout?
    OSD= On screen display. It acts as a quick way to access your monitor and make adjustments. Note some OSD's may actually have a feature known as "OSD lockout" to prevent accidental changes to the screen. The OSD allows the user to change monitor settings using this display instead of pushing buttons.

    Lockouts occur when the software driving the OSD encounters a problem or conflict--similar to your PC's operating system freezing. Locked out OSD's mean you can't access the monitor's various controls, or it can even render the screen unusable, as in the incompatible resolution. If you accidentally engage a screen's "OSD lockout" feature, long-pressing the menu or power button should clear it up. Check the manual for specifics and make sure you know your monitor's specifications--resolution, sound support and refresh rates. As the most likely cause of your lockout is incompatibility with the computer connected to the monitor, the best solution would be prevention.
    Source: eHow
    My guess is that your friend may have changed the resolution for the game and it wasn't compatible on the monitor.
    ====================================================
    Regarding a BSOD and 5 hits on Ctrl:
    Since there are many reasons for a BSOD, there is no one fix for it. And I have never heard of using multiple Ctrl keystrokes to resolve it.
    ===================================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes
      :Files
      C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe
      C:\Windows\System32\ezShellStart.exe
      C:\Windows\SysWOW64\ezShellStart.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ====================================
    Regarding the unknown NewHeur_PE virus in Eset:
    I have some concern about this. There are 2 file infectors that are found under this name by AVG. We may have to look further for this.
    ======================================
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it (be sure to scroll down to include ALL lines):
    Code:
    File::
    c:\windows\system32\DRIVERS\ewusbnet.sys
    c:\windows\system32\DRIVERS\ewusbdev.sys
    c:\windows\system32\DRIVERS\ewusbfake.sys
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    
    Driver::
    ewusbnet
    hwusbdev
    hwusbfake
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ========================================
    Edit: Regarding gadgetechie.com/computers...-infected.html Apparently this is yet another web crawler that happened to pull your thread out for reference. I hadn't come across that one before. We sometimes have to search to identify an entry in a log. If the entry is unusual or not found any other place, we see your thread or others with same entry. I don't remember what I was searching for when I saw this.
    (http://en.wikipedia.org/wiki/Web_crawler)
     
  8. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    I may have done a silly thing....

    Firstly, thanks Bob for your help thus far.

    Yesterday, out of curiosity, I wanted some info on the probable viruses. I could not remember the exact name of them so I scanned until the first 1 was found. I entered it into google, and pressed finish on the scan.
    But, the scan deleted the files. I forgot to uncheck the appropriate box, and although I did not let the scan finish it still deleted the files it found.
    So, sorry if this f**ks things up a bit.

    What I found out about the viruses is that they originate from china, and are passed through usb keys.

    When I read this, I suddenly remembered, that OSD problem among others actually started when I got a loan of a friends mobile broadband key.
    I even got a warning that someone on my network was using my IP address, even though I was not on a network.

    So, question, are my usb keys, mp3 player and mobile phone also infected? If so, can they be cleaned?
    And what typically are the purpose of these viruses, identity theft?

    I will add the logs below:

    All processes killed
    Error: Unable to interpret <:processe> in the current context!
    ========== FILES ==========
    File/Folder C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe not found.
    File/Folder C:\Windows\System32\ezShellStart.exe not found.
    File/Folder C:\Windows\SysWOW64\ezShellStart.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: AppData
    ->Temp folder emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Shaun
    ->Temp folder emptied: 35782 bytes
    ->Temporary Internet Files folder emptied: 69053 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 82904190 bytes
    ->Flash cache emptied: 1812 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2057050 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 81.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 01062011_160539

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    _______________________________________________________________


    ComboFix 11-01-04.01 - Shaun 06/01/2011 16:49:11.2.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.4094.2633 [GMT 0:00]
    Running from: c:\users\Shaun\Desktop\ComboFix.exe
    Command switches used :: c:\users\Shaun\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\system32\DRIVERS\ewusbdev.sys"
    "c:\windows\system32\DRIVERS\ewusbfake.sys"
    "c:\windows\system32\DRIVERS\ewusbnet.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_ewusbnet
    -------\Service_hwusbdev
    -------\Service_hwusbfake


    ((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
    .

    2011-01-06 16:55 . 2011-01-06 16:58 -------- d-----w- c:\users\Shaun\AppData\Local\temp
    2011-01-06 16:55 . 2011-01-06 16:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-01-06 16:55 . 2011-01-06 16:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-06 16:05 . 2011-01-06 16:05 -------- d-----w- C:\_OTM
    2011-01-04 21:28 . 2011-01-04 21:28 -------- d-----w- c:\users\Shaun\AppData\Roaming\AVG10
    2011-01-04 21:27 . 2011-01-04 21:27 -------- d--h--w- c:\programdata\Common Files
    2011-01-04 21:26 . 2011-01-06 16:26 -------- d-----w- c:\programdata\AVG10
    2011-01-04 21:22 . 2011-01-04 21:25 -------- d-----w- c:\programdata\MFAData
    2011-01-04 18:05 . 2011-01-04 18:05 -------- d-----w- c:\program files (x86)\ESET
    2011-01-04 02:30 . 2011-01-04 02:34 -------- d-----r- c:\users\Shaun\Music Production Videos
    2011-01-04 01:11 . 2011-01-04 14:42 -------- d-----r- c:\users\Shaun\Documentaries
    2011-01-03 20:16 . 2011-01-03 20:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2011-01-03 20:08 . 2011-01-03 20:08 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-01-03 20:08 . 2010-11-12 18:53 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-02 21:48 . 2011-01-02 21:48 -------- d-----w- c:\program files (x86)\Belkin
    2010-12-15 13:34 . 2010-12-15 13:40 -------- d-----w- C:\fb09c73799e3104f11c2afcb
    2010-12-15 13:19 . 2010-10-28 13:20 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2010-12-15 13:19 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2010-12-15 13:19 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
    2010-12-15 13:19 . 2010-10-12 17:43 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2010-12-15 13:19 . 2010-10-12 15:53 33280 ----a-w- c:\program files (x86)\Windows Mail\wabfind.dll
    2010-12-15 13:19 . 2010-10-12 15:19 516096 ----a-w- c:\program files\Windows Mail\wab.exe
    2010-12-15 13:19 . 2010-10-12 15:19 68096 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2010-12-15 13:19 . 2010-10-12 13:41 66048 ----a-w- c:\program files (x86)\Windows Mail\wabmig.exe
    2010-12-15 13:19 . 2010-10-12 13:41 515584 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
    2010-12-09 19:00 . 2010-12-09 19:04 -------- d-----w- c:\users\Shaun\AppData\Roaming\Sierra Wireless
    2010-12-09 19:00 . 2010-12-09 19:01 -------- d-----w- c:\program files (x86)\Sierra Wireless Inc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2010-07-05 02:29 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-11-22 14:33 . 2010-11-22 14:33 82816 ----a-w- c:\users\Shaun\AppData\Roaming\pcouffin.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-04_20.45.11 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 03:20 . 2011-01-06 15:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2010-12-31 14:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2010-12-31 14:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2011-01-06 15:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2011-01-06 16:20 77074 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-10-01 01:34 . 2011-01-06 16:47 24914 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2692080489-224753940-1066125639-1000_UserData.bin
    + 2010-07-12 04:34 . 2010-07-12 04:34 57696 c:\windows\system32\DriverStore\FileRepository\avgfwfd6.inf_48f314d4\avgfwd6a.sys
    + 2010-07-12 04:34 . 2010-07-12 04:34 57696 c:\windows\system32\drivers\avgfwd6a.sys
    + 2009-10-01 01:30 . 2011-01-06 15:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-10-01 01:30 . 2011-01-04 08:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-01-03 19:29 . 2011-01-04 08:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-01-03 19:29 . 2011-01-06 15:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-10-01 01:30 . 2011-01-06 15:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-10-01 01:30 . 2011-01-04 08:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-02-23 09:27 . 2011-01-04 20:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-02-23 09:27 . 2011-01-06 04:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-02-23 09:27 . 2011-01-06 04:55 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-02-23 09:27 . 2011-01-04 20:27 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-02-23 09:27 . 2011-01-04 20:27 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-02-23 09:27 . 2011-01-06 04:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-02-23 09:27 . 2011-01-04 20:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-02-23 09:27 . 2011-01-06 00:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-02-23 09:27 . 2011-01-06 00:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-02-23 09:27 . 2011-01-04 20:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-01-04 21:24 . 2011-01-04 21:24 80384 c:\windows\Installer\251be1.msi
    - 2010-09-15 11:54 . 2010-09-29 14:57 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    + 2010-09-15 11:54 . 2011-01-06 16:03 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    - 2006-11-02 12:40 . 2011-01-04 20:05 51200 c:\windows\inf\infpub.dat
    + 2006-11-02 12:40 . 2011-01-04 21:26 51200 c:\windows\inf\infpub.dat
    - 2011-01-04 20:44 . 2011-01-04 20:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-01-06 16:57 . 2011-01-06 16:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-01-04 20:44 . 2011-01-04 20:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-01-06 16:57 . 2011-01-06 16:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-10-01 18:31 . 2011-01-06 04:55 641110 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2006-11-02 15:45 . 2011-01-06 16:47 129056 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 12:46 . 2011-01-06 16:48 608760 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-01-06 16:48 108268 c:\windows\system32\perfc009.dat
    + 2011-01-04 21:24 . 2011-01-04 21:24 219648 c:\windows\Installer\251bdd.msi
    + 2006-11-02 12:40 . 2011-01-04 21:26 143360 c:\windows\inf\infstrng.dat
    - 2006-11-02 12:40 . 2011-01-04 20:05 143360 c:\windows\inf\infstrng.dat
    + 2006-11-02 12:40 . 2011-01-04 21:26 143360 c:\windows\inf\infstor.dat
    - 2006-11-02 12:40 . 2011-01-04 20:05 143360 c:\windows\inf\infstor.dat
    + 2010-04-01 02:17 . 2011-01-06 16:56 2629720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2010-04-01 02:17 . 2011-01-04 20:43 2629720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2011-01-04 21:27 . 2011-01-04 21:27 4779008 c:\windows\Installer\251be9.msi
    + 2011-01-04 21:24 . 2011-01-04 21:24 1940480 c:\windows\Installer\251be5.msi
    + 2006-11-02 12:33 . 2011-01-04 21:28 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    - 2006-11-02 12:33 . 2010-12-16 02:06 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2011-01-06 16:02 . 2011-01-06 16:02 20304384 c:\windows\Installer\625ed.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
    2010-04-27 10:08 2393184 ----a-w- c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2010-11-13 21:58 3913000 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files (x86)\DVDVideoSoftTB\tbDVDV.dll" [2010-04-27 2393184]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-13 3913000]

    [HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-24 136176]
    "SpyShelter"="c:\program files (x86)\SpyShelter Premium\SpyShelter.exe" [2010-09-20 2233792]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    "HideFastUserSwitching"= 0 (0x0)

    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\windows\10127553.exe \??\c:\windows\10127553.dat

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]
    R3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\DRIVERS\swnc8u90.sys [2008-12-02 206848]
    R3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\DRIVERS\swumx90.sys [2008-11-17 194944]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-09 834544]
    S1 SpyShelter;SpyShelter;c:\program files (x86)\SpyShelter Premium\SpyShelter.sys [2010-09-20 178624]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/06/17 03:51];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-09 13:26 146928]
    S2 a2free;a-squared Free Service;c:\program files (x86)\a-squared Free\a2service.exe [2010-06-14 1872320]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-10 202752]
    S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-10 6403072]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-10 188928]


    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000Core.job
    - c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

    2011-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2692080489-224753940-1066125639-1000UA.job
    - c:\users\Shaun\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:40]

    2010-12-12 c:\windows\Tasks\HPCeeScheduleForShaun.job
    - c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-11 17:17]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF647.cfxxe" [X]
    "SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2269050
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    FF - ProfilePath - c:\users\Shaun\AppData\Roaming\Mozilla\Firefox\Profiles\omm3n6o8.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2692080489-224753940-1066125639-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4BF5041B-071B-2CB2-14D0-D9F88302CA33}*]
    "jamgffmgahcacledlfic"=hex:6f,61,6d,67,63,68,62,67,6c,61,67,6c,65,68,66,66,62,
    6e,6b,6f,6b,61,6c,68,64,6c,66,6d,66,64,00,9b

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""

    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Blaze Media Pro\NMSAccess32.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-06 17:16:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-06 17:16
    ComboFix2.txt 2011-01-04 20:57

    Pre-Run: 181,726,384,128 bytes free
    Post-Run: 181,562,843,136 bytes free

    - - End Of File - - AD66A17A6BC3AEC6CACC1C8A3D412C39


    ___________________________________________________________


    About the BSOD... it may have been to press Shift 5 times; either way, I pressed whatever it was and it disappeared.

    Also, since the first time I ran ComboFix, I get this message upon boot-up:

    PEV.cfxxe encountered a problem
    Check online for a solution
    Close the program

    Again thanks, and sorry if I messed things up.

    Bobby
     
  9. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    other symptoms

    Also, I believe I've been experiencing pharming problems.

    When I would purchase something online, the paypal page appeared to be a clone.

    I would also get Google pages in German, even though I am in Ireland.

    I believe there is definitely a keylogger on my machine, but finding it or a good free anti-keylogger has proved difficult.

    Thanks again.
     
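The pharming symptoms Bobby describes above (a cloned PayPal page, Google served in the wrong language) are what a tampered hosts file produces, so a practitioner would check that file first. The following is an added example and not code from the thread or from any of the tools in the logs; the hosts content is constructed to show the pattern, the watchlist of domains is my own choice, and a clean hosts file does not clear the machine, since the same redirection can be done at the DNS server or router.

```python
"""Flag hosts-file entries that could redirect a browser to a cloned site.

Added example, not part of the original thread. The sample hosts content
below is constructed for illustration; on a real Vista machine you would
read %SystemRoot%\\System32\\drivers\\etc\\hosts instead.
"""
import ipaddress

# Constructed sample: the stock Microsoft header and loopback lines,
# then two hijack-style lines of the kind a pharming infection adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the two lines below are the kind of entry a pharming infection adds
203.0.113.10    www.paypal.com paypal.com
203.0.113.10    www.google.com
0.0.0.0         ads.example.net   # blocking entry, harmless
"""

# Domains whose presence in hosts is almost never legitimate on a home PC
# (assumed watchlist for the example; extend to the sites you care about).
WATCHLIST = ("paypal.com", "google.com", "google.ie", "facebook.com",
             "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def is_local_target(ip):
    """True for addresses that only loop or sink traffic (not a redirect)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return entries that redirect a hostname to a non-local address.

    Any watchlisted domain (or a subdomain of one) pointing anywhere but
    loopback/0.0.0.0 is reported; so is any other redirect to a real IP,
    because a home hosts file should contain essentially nothing else.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_local_target(ip):
            continue
        watched = any(name == d or name.endswith("." + d) for d in watchlist)
        findings.append({"line": line_no, "ip": ip, "host": name,
                         "watchlisted": watched})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        flag = "WATCHLIST" if f["watchlisted"] else "redirect"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{flag}]")
```

Run against the real file by replacing `SAMPLE_HOSTS` with the contents of `%SystemRoot%\System32\drivers\etc\hosts`; anything the script reports for a payment or mail provider is grounds for the reformat advice that follows, not for editing the file and carrying on.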
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You were specifically asked not to run any scans or cleaning programs other than those I direct you to do while I am helping you. When you do it anyway, you change the contents of logs I'm working with.

    Let's talk about what I'm seeing-
    Mbam: c:\Users\Shaun\downloads\setupcasino_10fec3.exe (PUP.Casino) removed. A potentially unwanted program (PUP) in the setup for Casino. Nothing else.
    GMER: no evidence of rootkit.

    Combofix deleted a process named Menman>>>
    Source: Sophos

    Combofix removed skinboxer43.dll
    Source: Gratis

    "I even got a warning that someone on my network was using my IP address, even though I was not on a network."
    At this point, you should have shut down and reformatted/reinstalled the OS. Your computer has been compromised.


    I would advise you to wipe the drive, reformat and reinstall. The system has been compromised and is most likely not safe to use. Cleaning is not recommended as there is no way to assure what information has been stolen.
    ================================================
    P2P/ File Sharing Warning- this includes sharing flash drives:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    Allowing a 'friend' to put their file on your computer is foolish. Sharing a USB drive with anyone is foolish. When you share files, you also share the malware.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
     
  11. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Thanks mate!

    Appreciate your help Bob.

    I knew all along I had been compromised, but just had so much work on here that I was hesitant to format. Anyway, job is done now.

    The mad thing about this is, the guy is a moderator on one of these sites.....can't believe he wasn't to be trusted. Already can't trust very many here, if only ya knew....

    But he can't be blamed for all the trouble I have had, anyway it is in the past now.

    The only thing that is still weighing on my shoulders, is that is my machine infected again?

    You see, I have to use a wireless dongle at the moment.....and I am just thinking, is it possible for it to carry the viruses too?

    Without it I could not connect to the internet to write this, so you see my predicament.

    Also, about my phone, usb key and mp3 player......are they all compromised also? What shall I do? (Burn them? :) )

    Thanks again for your help and time Bob.

    All the Best for now!
     
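Bobby asks above whether the wireless dongle, USB key, phone and MP3 player could carry the infection across the reinstall. For anything that mounts as a removable drive, the usual Vista-era vector was an autorun.inf at the drive root that Windows acted on at plug-in time; many 3G dongles also expose a small virtual CD-ROM with their driver installer, so finding an autorun.inf on one is expected, and the question is what it launches. The following is an added example and not code from the thread: the autorun.inf content is constructed (the SID in the path is made up), and the "RECYCLER folder" heuristic is an assumption drawn from the common worm pattern of the period, not a rule from any tool in the logs.

```python
"""Inspect the autorun.inf of a removable drive for launch directives.

Added example, not part of the original thread. autorun.inf is the
INI-style file Windows of the Vista era consulted when a removable
drive was inserted; worms abused it to start a hidden executable. The
sample content below is constructed; to check a real stick, read
<drive letter>:\\autorun.inf (typically marked hidden+system) instead.
"""
import configparser
import io

# Constructed sample modelled on the common worm pattern: every hook
# points into a hidden RECYCLER-style folder and the icon is borrowed
# from a system DLL so the drive looks ordinary in Explorer.
SAMPLE_AUTORUN = """\
[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open=Open
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
shellexecute=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe
useautoplay=1
"""

# Keys that make Windows run something; icon/label only change the look.
LAUNCH_KEYS = ("open", "shellexecute")
LAUNCH_SUFFIX = "\\command"  # shell\<verb>\command=... also launches


def parse_autorun(text):
    """Return the [autorun] section as a dict (configparser lower-cases keys).

    interpolation=None keeps %SystemRoot% literal; strict=False tolerates
    the duplicate keys that hand-written or generated autorun files have.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    if not parser.has_section("autorun"):
        return {}
    return dict(parser["autorun"])


def launch_targets(text):
    """List the (key, target) pairs that would execute a program."""
    targets = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or key.endswith(LAUNCH_SUFFIX):
            targets.append((key, value.strip()))
    return targets


def assess(text):
    """Classify an autorun.inf and return (verdict, launch targets).

    'benign'       : nothing is executed (icon/label only)
    'launches'     : something runs; a vendor installer also does this,
                     so look at the target before deciding
    'worm-pattern' : a launch target sits in a RECYCLER-style folder,
                     which vendor media has no reason to do (assumed heuristic)
    """
    hits = launch_targets(text)
    if not hits:
        return "benign", []
    if any("recycler" in target.lower() for _, target in hits):
        return "worm-pattern", hits
    return "launches", hits


if __name__ == "__main__":
    verdict, hits = assess(SAMPLE_AUTORUN)
    print(verdict)
    for key, target in hits:
        print(f"  {key} -> {target}")
```

Whatever the verdict, copying personal files off the old media onto the rebuilt machine is fine; copying or running any executable from it is not, and a drive that held a worm-pattern autorun should be reformatted before reuse.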
  12. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Here we go again

    Eset has picked up same threats again......will do all scans and post them when finished.
     
  13. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Ok....

    ...not sure where I stand now but the logs are below anyway:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5474

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    07/01/2011 04:17:11
    mbam-log-2011-01-07 (04-17-11).txt

    Scan type: Quick scan
    Objects scanned: 150236
    Time elapsed: 1 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    _______________________________________________________________



    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Seano at 4:40:35.23 on 07/01/2011
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2528 [GMT 0:00]

    AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}

    ============== Running Processes ===============

    C:\PROGRA~2\AVG\AVG10\avgchsva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\AVG\AVG10\avgfws.exe
    C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\AVG\AVG10\avgam.exe
    C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\16.0.0.125\InstStub.exe
    C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgemca.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
    C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
    C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\PROGRA~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE
    c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\conime.exe
    C:\Program Files (x86)\Internet Explorer\ieuser.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    c:\program files (x86)\aol\aol toolbar 5.0\AolTbServer.exe
    C:\PROGRA~2\AVG\AVG10\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
    C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
    C:\Program Files (x86)\AVG\AVG10\avgsystx.exe
    C:\Program Files (x86)\AVG\AVG10\avgsysta.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Seano\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
    mWinlogon: Userinit=C:\WINDOWS\system32\userinit.exe
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\IPSBHO.DLL
    BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
    TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
    uRun: [Google Update] "C:\Users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
    mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    mRun: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    mRun: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    mRun: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
    mRun: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    mRun: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
    mRun: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
    mRun: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
    mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-IE\local\search.html
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
    SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - C:\Windows\SysWow64\EZUPBH~1.DLL
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    TB-X64: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} -
    TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe
    mRun-x64: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2010-9-7 30288]
    R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-7-12 57696]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2010-12-8 308304]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2010-9-7 41040]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2010-11-12 382032]
    R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30:21];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-6-11 146928]
    R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG10\avgfws.exe [2010-11-22 3226632]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2010-10-22 265400]
    R2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\system32\svchost.exe -k netsvcs [2008-1-21 27648]
    R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [2009-6-11 115560]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2010-8-19 133712]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2010-8-19 35920]
    R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\System32\drivers\netr28ux.sys [2011-1-7 804864]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-1-7 517448]
    S3 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-11-23 6128208]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-1-21 93696]
    S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-2-2 23536]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]

    =============== Created Last 30 ================

    2011-01-07 03:59:48 -------- d-----w- C:\Users\Seano\AppData\Roaming\Malwarebytes
    2011-01-07 03:59:43 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-07 03:59:43 -------- d-----w- C:\PROGRA~3\Malwarebytes
    2011-01-07 03:59:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-01-07 03:59:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-01-07 02:52:12 -------- d-----w- C:\Program Files (x86)\ESET
    2011-01-07 02:39:27 -------- d-----w- C:\Users\Seano\AppData\Local\Google
    2011-01-07 02:39:10 -------- d-----w- C:\Users\Seano\AppData\Local\Deployment
    2011-01-07 02:39:10 -------- d-----w- C:\Users\Seano\AppData\Local\Apps
    2011-01-07 02:07:03 -------- d-----w- C:\Users\Seano\AppData\Roaming\AVG10
    2011-01-07 02:06:41 -------- d--h--w- C:\PROGRA~3\Common Files
    2011-01-07 02:06:31 -------- d-----w- C:\PROGRA~3\AVG Security Toolbar
    2011-01-07 02:06:16 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
    2011-01-07 02:05:03 -------- d-----w- C:\Windows\System32\drivers\AVG
    2011-01-07 02:05:02 -------- d-----w- C:\PROGRA~3\AVG10
    2011-01-07 02:04:14 -------- d-----w- C:\Program Files (x86)\AVG
    2011-01-07 01:39:02 -------- d-----w- C:\PROGRA~3\MFAData
    2011-01-07 01:34:55 98304 ----a-w- C:\Windows\SysWow64\cabview.dll
    2011-01-07 01:34:55 104960 ----a-w- C:\Windows\System32\cabview.dll
    2011-01-07 01:34:53 218112 ----a-w- C:\Windows\System32\wintrust.dll
    2011-01-07 01:34:53 171520 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2011-01-07 01:21:01 2621440 ----a-w- C:\Windows\System32\wucltux.dll
    2011-01-07 01:20:50 98816 ----a-w- C:\Windows\System32\wudriver.dll
    2011-01-07 01:20:50 87552 ----a-w- C:\Windows\SysWow64\wudriver.dll
    2011-01-07 01:20:45 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2011-01-07 01:20:45 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
    2011-01-07 01:20:45 185416 ----a-w- C:\Windows\System32\wuwebv.dll
    2011-01-07 01:20:45 171608 ----a-w- C:\Windows\SysWow64\wuwebv.dll
    2011-01-07 01:19:51 -------- d-----w- C:\Users\Seano\AppData\Local\AOL
    2011-01-07 00:17:20 804864 ----a-w- C:\Windows\System32\drivers\netr28ux.sys
    2011-01-07 00:17:20 305664 ----a-w- C:\Windows\System32\RaCoInstx.dll
    2011-01-07 00:15:41 -------- d-----w- C:\Users\Seano\AppData\Local\ATI
    2011-01-07 00:14:44 -------- d-----w- C:\Users\Seano\AppData\Local\Hewlett-Packard
    2011-01-07 00:14:19 -------- d-----w- C:\Users\Seano\AppData\Local\VirtualStore
    2011-01-07 00:08:32 -------- d-----w- C:\Users\Seano\AppData\Roaming\HP TCS
    2011-01-07 00:02:36 -------- d-sh--we C:\Documents and Settings

    ==================== Find3M ====================

    2011-01-07 02:00:26 588472 ----a-w- C:\Windows\SysWow64\ezsvc7x.dll
    2010-12-08 04:12:36 308304 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
    2010-11-12 13:19:38 382032 ----a-w- C:\Windows\System32\drivers\avgtdia.sys

    ============= FINISH: 4:41:00.33 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 06/01/2011 23:55:08
    System Uptime: 07/01/2011 04:05:37 (0 hours ago)

    Motherboard: PEGATRON CORPORATION | | NARRA5
    Processor: AMD Phenom(tm) 9650 Quad-Core Processor | Socket AM2 | 1200/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 451 GiB total, 417.292 GiB free.
    D: is FIXED (NTFS) - 15 GiB total, 2.133 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP6: 07/01/2011 00:17:20 - Device Driver Package Install: Ralink Network adapters
    RP7: 07/01/2011 01:20:34 - Windows Update
    RP8: 07/01/2011 01:34:56 - Windows Update
    RP9: 07/01/2011 01:40:35 - Installed
    RP10: 07/01/2011 01:40:59 - Installed
    RP11: 07/01/2011 01:59:18 - Scripted restore
    RP12: 07/01/2011 02:04:00 - Installed AVG 2011
    RP13: 07/01/2011 02:04:30 - Installed AVG 2011

    ==== Installed Programs ======================

    ActiveCheck component for HP Active Support Library
    Adobe Flash Player 10 ActiveX
    AOL Toolbar 5.0
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Compatibility Pack for the 2007 Office system
    CyberLink DVD Suite Deluxe
    DirectX for Managed Code Update (Summer 2004)
    ESET Online Scanner v3
    Google Chrome
    HP Active Support Library
    HP Advisor
    HP Customer Experience Enhancements
    HP Games
    HP MediaSmart Demo
    HP MediaSmart DVD
    HP MediaSmart Music/Photo/Video
    HP Odometer
    HP Picasso Media Center Add-In
    HP Recovery Manager RSS
    HP Support Information
    HP Total Care Setup
    HP Update
    HPAsset component for HP Active Support Library
    LabelPrint
    LightScribe System Software
    Magic Desktop
    Malwarebytes' Anti-Malware
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Norton Internet Security
    Power2Go
    PowerDirector
    Python 2.6 pywin32-212
    Python 2.6.1
    Realtek High Definition Audio Driver
    Skins
    Visual Studio 2008 x64 Redistributables

    ==== Event Viewer Messages From Past Week ========

    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-tw-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-hk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-cn-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-uk-ua-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-tr-tr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-th-th-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sv-se-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sr-latn-cs-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sl-si-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sk-sk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ru-ru-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ro-ro-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-pt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-br-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ps-ps-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pl-pl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nl-nl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-Neutral from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nb-no-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lv-lv-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lt-lt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ko-kr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ja-jp-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-it-it-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hu-hu-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hr-hr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-he-il-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fr-fr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fi-fi-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-et-ee-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-es-es-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP from package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP(Feature Pack) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-el-gr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-de-de-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-da-dk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-cs-cz-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-bg-bg-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ar-sa-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxResourcesLP from package WindowsUpdateClient-SelfUpdate-Aux-Package(Language Pack) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxComp from package WindowsUpdateClient-SelfUpdate-Aux-Package(Update) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux32 from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US(Language Pack) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux32 from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package(Update) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US(Language Pack) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package(Update) into Staged(Staged) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP (Feature Pack) into Install Requested(Install Requested) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Update) into Install Requested(Install Requested) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Language Pack) into Install Requested(Install Requested) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US (Language Pack) into Install Requested(Install Requested) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package (Update) into Install Requested(Install Requested) state
    07/01/2011 01:21:56, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KBWUClient-SelfUpdate-Aux (Feature Pack) into Install Requested(Install Requested) state
    07/01/2011 00:01:49, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

    ==== End Of File ===========================


    GMER came back clean


    _____________________________________________________________

    C:\Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus
    C:\Windows\SysWOW64\ezShellStart.exe probably unknown NewHeur_PE virus


    _______________________________________________________________

    ComboFix 11-01-06.03 - Seano 07/01/2011 5:06.1.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2897 [GMT 0:00]
    Running from: c:\users\Seano\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
    .

    2011-01-07 05:10 . 2011-01-07 05:10 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-07 05:05 . 2011-01-07 05:05 -------- d-----w- C:\32788R22FWJFW
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
    2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
    "HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
    "Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
    "TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
    "CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
    "DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
    R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
    R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
    S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X]
    "HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    mLocal Page = %SystemRoot%\system32\blank.htm
    IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
    "ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    @SACL=
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @SACL=
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="IFlashBroker2"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @SACL=
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @SACL=
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @SACL=
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2011-01-07 05:12:50
    ComboFix-quarantined-files.txt 2011-01-07 05:12

    Pre-Run: 453,089,615,872 bytes free
    Post-Run: 453,012,672,512 bytes free

    - - End Of File - - 79FA2EF1F61720046FBA78DE72392042

    to be continued...........
     
  14. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    .....continued.

    All processes killed
    Error: Unable to interpret <:processe> in the current context!
    ========== FILES ==========
    File/Folder C:\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe not found.
    C:\Windows\System32\ezShellStart.exe moved successfully.
    File/Folder C:\Windows\SysWOW64\ezShellStart.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Seano
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 4728837 bytes
    ->Google Chrome cache emptied: 856432 bytes
    ->Flash cache emptied: 405 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 5.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 01072011_051843

    Files moved on Reboot...
    File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YS080EZK\desktop.ini scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MDOBNGAZ\desktop.ini scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KGIPAM2I\desktop.ini scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8GEEZJ12\desktop.ini scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini scheduled to be moved on reboot.
    File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


    _______________________________________________________________


    ComboFix 11-01-06.03 - Seano 07/01/2011 5:29.2.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2851 [GMT 0:00]
    Running from: c:\users\Seano\Desktop\ComboFix.exe
    Command switches used :: c:\users\Seano\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point

    FILE ::
    "c:\windows\system32\DRIVERS\ewusbdev.sys"
    "c:\windows\system32\DRIVERS\ewusbfake.sys"
    "c:\windows\system32\DRIVERS\ewusbnet.sys"
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
    .

    2011-01-07 05:33 . 2011-01-07 05:33 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-07 05:18 . 2011-01-07 05:18 -------- d-----w- C:\_OTM
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
    2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-07_05.10.48 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 02:23 . 2011-01-07 05:23 29956 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2011-01-07 05:23 52916 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-07 00:07 . 2011-01-07 05:23 2932 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-139329902-3773949464-2642598458-1000_UserData.bin
    - 2011-01-07 05:02 . 2011-01-07 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-01-07 05:20 . 2011-01-07 05:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-01-07 05:20 . 2011-01-07 05:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-01-07 05:02 . 2011-01-07 05:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2006-11-02 12:46 . 2011-01-07 05:08 599942 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-01-07 05:26 599942 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-01-07 05:26 105448 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2011-01-07 05:08 105448 c:\windows\system32\perfc009.dat
    - 2009-06-11 16:02 . 2011-01-07 05:01 393952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2009-06-11 16:02 . 2011-01-07 05:19 393952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
    "HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
    "Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
    "TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
    "CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
    "DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
    R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
    R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
    S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
    "SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    mLocal Page = %SystemRoot%\system32\blank.htm
    IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
    "ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    @SACL=
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @SACL=
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="IFlashBroker2"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @SACL=
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @SACL=
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @SACL=
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2011-01-07 05:35:47
    ComboFix-quarantined-files.txt 2011-01-07 05:35
    ComboFix2.txt 2011-01-07 05:12

    Pre-Run: 449,897,967,616 bytes free
    Post-Run: 449,868,423,168 bytes free

    - - End Of File - - 0ADD97B0F4136628B4BF77E35BFA7495


    That's them all done there now........chat later Bob, Thanks!
     
  15. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    eset results 2

    C:\_OTM\MovedFiles\01072011_051843\C_Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus


    Only the one now.....getting there.

    Chat later, I'm done for now.
     
  16. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Almost done here I think.......

    ......but can I be guaranteed that my computer will be ok to use IF & When I get rid of the last New_Heur Virus? Or will it be a risk forever?

    Next move?

    Thanks!
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please note the location of this file:
    C:\_OTM\MovedFiles\01072011_051843\C_Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus

    This file was handled in OTM and is not a threat to your system.
    ===============================================
    If you reformatted and reinstalled, your system should be clean. If you backed up and reintroduced any infected files back into the system, they would reinfect the system. If you were using a flash drive when the computer was infected, then it will have gotten infected also. If you used it back on the clean system, you will have reinfected it.
    =================================================
    FlashDrive Disinfection:

    [1]. Download Flash_Disinfector and save it to your Desktop.
    [2]. After downloading, double-click on Flash_Disinfector to run it.
    [3]. Just follow the prompts and continue until it begins scanning.
    [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
    [5]. It will scan removable drives, wait for the scan to finish. Done.

    What will Flash Disinfector do:
    - Cleans up junk created by flash malware
    - Deletes autorun.inf from every root folder
    - Repairs damage done to your system
    - Creates an autorun.inf folder in the root of your system drives
    1. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
    2. Please do so and allow the utility to clean up those drives as well.
    3. Wait until it has finished scanning and then exit the program.
    4. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    ============================================
    You have made the system more vulnerable by using multiple AV programs and firewalls. You should have only 1 of each:
    AV: Norton Internet Security *Enabled/Updated*
    AV: AVG Internet Security 2011 *Disabled/Updated*
    FW: Norton Internet Security *Disabled*
    FW: AVG Firewall *Disabled*

    Tools to help: download only the tool for the AV you are not going to keep:
    Norton Removal Tool
    AVG Removal Tool
    Decide which you want to keep and remove the other. Reboot the computer when finished.
    ==========================================
    Handle the above. Then rescan with Eset and Combofix.
    Post the logs back to this thread. You don't need to send a PM.
     
  18. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

     
  19. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Scans done + results

    About the 2 AVs, 1 was installed for recovery, it was a 60-day trial. And I have already deleted it.
    Also it said AVG was running, but I uninstalled it and rebooted so don't know what was wrong there.

    Logs below:

    Sorry: looks like AVG messed it up. will try again
     
  20. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Sorry: looks like AVG messed it up. will try again
     
  21. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    Sorry: looks like AVG messed it up. will try again
     
  22. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    ComboFix 11-01-06.03 - Seano 09/01/2011 5:44.4.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2505 [GMT 0:00]
    Running from: c:\users\Seano\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
    .

    2011-01-09 05:48 . 2011-01-09 05:48 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-08 01:04 . 2009-11-08 10:55 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
    2011-01-08 01:04 . 2009-11-08 10:55 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
    2011-01-08 01:04 . 2009-11-08 10:55 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
    2011-01-08 01:04 . 2009-11-08 10:55 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
    2011-01-08 01:04 . 2009-11-08 10:55 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
    2011-01-07 21:29 . 2009-08-24 12:16 378368 ----a-w- c:\windows\SysWow64\winhttp.dll
    2011-01-07 21:29 . 2010-03-05 14:01 420352 ----a-w- c:\windows\SysWow64\vbscript.dll
    2011-01-07 21:27 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2011-01-07 21:27 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
    2011-01-07 21:26 . 2010-09-06 16:24 9728 ----a-w- c:\windows\SysWow64\sscore.dll
    2011-01-07 21:26 . 2010-09-06 16:23 17920 ----a-w- c:\windows\SysWow64\netevent.dll
    2011-01-07 21:26 . 2010-05-27 19:16 738816 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\programdata\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
    2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\program files (x86)\Activation Assistant for the 2007 Microsoft Office suites
    2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\windows\PCHEALTH
    2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2011-01-07 17:16 . 2011-01-07 17:19 -------- d-----w- c:\programdata\Microsoft Help
    2011-01-07 17:15 . 2011-01-07 17:15 -------- d-----r- C:\MSOCache
    2011-01-07 16:59 . 2010-09-20 09:25 231936 ----a-w- c:\windows\SysWow64\msshsq.dll
    2011-01-07 16:22 . 2011-01-07 16:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
    2011-01-07 16:10 . 2008-06-20 01:14 37384 ----a-w- c:\windows\SysWow64\infocardcpl.cpl
    2011-01-07 16:10 . 2008-06-20 01:14 11264 ----a-w- c:\windows\SysWow64\icardres.dll
    2011-01-07 16:10 . 2008-06-20 01:14 781344 ----a-w- c:\windows\SysWow64\PresentationNative_v0300.dll
    2011-01-07 16:10 . 2008-06-20 01:14 97800 ----a-w- c:\windows\SysWow64\infocardapi.dll
    2011-01-07 16:10 . 2008-06-20 01:14 622080 ----a-w- c:\windows\SysWow64\icardagt.exe
    2011-01-07 16:10 . 2008-06-20 01:14 105016 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
    2011-01-07 16:01 . 2008-07-27 18:03 158720 ----a-w- c:\windows\SysWow64\mscorier.dll
    2011-01-07 16:01 . 2008-07-27 18:03 83968 ----a-w- c:\windows\SysWow64\mscories.dll
    2011-01-07 15:58 . 2010-02-20 23:39 24064 ----a-w- c:\windows\SysWow64\nshhttp.dll
    2011-01-07 15:58 . 2010-02-20 23:37 31232 ----a-w- c:\windows\SysWow64\httpapi.dll
    2011-01-07 15:54 . 2010-04-14 17:46 80896 ----a-w- c:\windows\SysWow64\MSNP.ax
    2011-01-07 15:54 . 2010-04-14 17:45 177664 ----a-w- c:\windows\SysWow64\mpg2splt.ax
    2011-01-07 15:54 . 2010-04-14 17:47 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
    2011-01-07 15:54 . 2010-04-14 17:47 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
    2011-01-07 15:54 . 2010-04-14 17:46 428544 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-01-07 05:18 . 2011-01-07 05:18 -------- d-----w- C:\_OTM
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-07 03:28 . 2010-08-31 15:41 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
    2011-01-07 03:28 . 2010-08-31 15:41 954288 ----a-w- c:\windows\SysWow64\mfc40u.dll
    2011-01-07 03:28 . 2009-09-10 15:48 1486848 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
    2011-01-07 03:28 . 2009-09-10 15:21 1418752 ----a-w- c:\program files (x86)\Windows Media Player\setup_wm.exe
    2011-01-07 03:28 . 2009-09-10 15:21 310784 ----a-w- c:\windows\SysWow64\unregmp2.exe
    2011-01-07 03:25 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\SysWow64\msxml6.dll
    2011-01-07 03:25 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\SysWow64\mstscax.dll
    2011-01-07 03:25 . 2009-10-23 17:42 714240 ----a-w- c:\windows\SysWow64\timedate.cpl
    2011-01-07 03:25 . 2010-09-10 15:51 171008 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2011-01-07 03:25 . 2010-09-10 16:35 168960 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
    2011-01-07 03:25 . 2010-09-10 16:37 8147456 ----a-w- c:\windows\SysWow64\wmploc.DLL
    2011-01-07 03:24 . 2010-01-25 08:35 523776 ----a-w- c:\windows\SysWow64\RMActivate_isv.exe
    2011-01-07 03:24 . 2010-01-25 08:34 511488 ----a-w- c:\windows\SysWow64\RMActivate.exe
    2011-01-07 03:24 . 2010-01-25 12:48 472576 ----a-w- c:\windows\SysWow64\secproc_isv.dll
    2011-01-07 03:24 . 2010-01-25 12:48 472064 ----a-w- c:\windows\SysWow64\secproc.dll
    2011-01-07 03:24 . 2010-01-25 08:35 346624 ----a-w- c:\windows\SysWow64\RMActivate_ssp_isv.exe
    2011-01-07 03:24 . 2010-01-25 08:34 347136 ----a-w- c:\windows\SysWow64\RMActivate_ssp.exe
    2011-01-07 03:24 . 2010-01-25 12:48 151040 ----a-w- c:\windows\SysWow64\secproc_ssp_isv.dll
    2011-01-07 03:24 . 2010-01-25 12:48 151040 ----a-w- c:\windows\SysWow64\secproc_ssp.dll
    2011-01-07 03:24 . 2010-01-25 12:45 329216 ----a-w- c:\windows\SysWow64\msdrm.dll
    2011-01-07 03:24 . 2010-01-29 16:41 2080768 ----a-w- c:\program files\Windows Mail\msoe.dll
    2011-01-07 03:24 . 2010-01-29 16:22 1616384 ----a-w- c:\program files (x86)\Windows Mail\msoe.dll
    2011-01-07 03:22 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\SysWow64\msxml3.dll
    2011-01-07 03:21 . 2009-07-14 13:00 313344 ----a-w- c:\windows\SysWow64\wmpdxm.dll
    2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
    2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files
    2011-01-07 02:05 . 2011-01-09 04:09 -------- d-----w- c:\programdata\AVG10
    2011-01-07 02:04 . 2011-01-07 02:04 -------- d-----w- c:\program files (x86)\AVG
    2011-01-07 01:39 . 2011-01-07 02:04 -------- d-----w- c:\programdata\MFAData
    2011-01-07 01:34 . 2010-01-15 00:04 98304 ----a-w- c:\windows\SysWow64\cabview.dll
    2011-01-07 01:34 . 2009-12-23 12:43 171520 ----a-w- c:\windows\SysWow64\wintrust.dll
    2011-01-07 01:20 . 2009-08-07 02:24 35552 ----a-w- c:\windows\SysWow64\wups.dll
    2011-01-07 01:20 . 2009-08-07 02:23 575704 ----a-w- c:\windows\SysWow64\wuapi.dll
    2011-01-07 01:20 . 2009-08-07 01:44 87552 ----a-w- c:\windows\SysWow64\wudriver.dll
    2011-01-07 01:20 . 2009-08-06 19:23 171608 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2011-01-07 01:20 . 2009-08-06 18:44 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2011-01-07 00:07 . 2011-01-07 00:08 -------- d-----w- c:\program files (x86)\Microsoft Works
    2011-01-07 00:06 . 2011-01-07 05:58 -------- d-----w- c:\users\Seano

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2011-01-09_04.19.50 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-01-07 19:54 . 2011-01-09 04:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-01-07 19:54 . 2011-01-09 04:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-01-07 06:44 . 2011-01-09 05:36 158542 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
    "HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
    "Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
    "TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
    "CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
    "DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
    R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
    R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
    S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
    "SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
    "ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    @SACL=
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @SACL=
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="IFlashBroker2"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @SACL=
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @SACL=
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @SACL=
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2011-01-09 05:50:39
    ComboFix-quarantined-files.txt 2011-01-09 05:50
    ComboFix2.txt 2011-01-09 04:22
    ComboFix3.txt 2011-01-07 05:35
    ComboFix4.txt 2011-01-07 05:12

    Pre-Run: 427,441,881,088 bytes free
    Post-Run: 427,418,591,232 bytes free

    - - End Of File - - ECBDF7A20348A3ABC51FAC214F9AFACD


    C:\_OTM\MovedFiles\01072011_051843\C_Windows\System32\ezShellStart.exe probably unknown NewHeur_PE virus
     
  23. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

A more recent log due to suspicious activity, i.e. I suspect people are trying to infect my machine again through sharing links with me on Facebook.


    ComboFix 11-01-11.01 - Seano 12/01/2011 5:32.5.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.353.1033.18.4094.2623 [GMT 0:00]
    Running from: c:\users\Seano\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-12 to 2011-01-12 )))))))))))))))))))))))))))))))
    .

    2011-01-12 05:36 . 2011-01-12 05:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-12 05:31 . 2011-01-12 05:31 -------- d-----w- C:\32788R22FWJFW
    2011-01-09 21:18 . 2010-11-16 12:01 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{74009AD9-72DC-4739-8FA7-1BFA6AB08183}\mpengine.dll
    2011-01-09 21:18 . 2010-10-19 10:41 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 01:04 . 2009-11-08 10:55 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
    2011-01-08 01:04 . 2009-11-08 10:55 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
    2011-01-08 01:04 . 2009-11-08 10:55 48960 ----a-w- c:\windows\system32\netfxperf.dll
    2011-01-08 01:04 . 2009-11-08 10:55 444752 ----a-w- c:\windows\system32\mscoree.dll
    2011-01-08 01:04 . 2009-11-08 10:55 320352 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-01-08 01:04 . 2009-11-08 10:55 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
    2011-01-08 01:04 . 2009-11-08 10:55 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
    2011-01-08 01:04 . 2009-11-08 10:55 1942856 ----a-w- c:\windows\system32\dfshim.dll
    2011-01-08 01:04 . 2009-11-08 10:55 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
    2011-01-08 01:04 . 2009-11-08 10:55 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2011-01-07 21:29 . 2009-08-24 12:24 442368 ----a-w- c:\windows\system32\winhttp.dll
    2011-01-07 21:29 . 2009-08-24 12:16 378368 ----a-w- c:\windows\SysWow64\winhttp.dll
    2011-01-07 21:29 . 2010-03-05 14:32 612864 ----a-w- c:\windows\system32\vbscript.dll
    2011-01-07 21:29 . 2010-03-05 14:01 420352 ----a-w- c:\windows\SysWow64\vbscript.dll
    2011-01-07 21:28 . 2009-11-03 22:42 28160 ----a-w- c:\windows\system32\drivers\en-US\http.sys.mui
    2011-01-07 21:27 . 2010-10-19 04:56 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2011-01-07 21:27 . 2010-10-19 04:27 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
    2011-01-07 21:26 . 2010-09-06 13:44 461824 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-01-07 21:26 . 2010-09-06 16:24 9728 ----a-w- c:\windows\SysWow64\sscore.dll
    2011-01-07 21:26 . 2010-09-06 16:23 17920 ----a-w- c:\windows\SysWow64\netevent.dll
    2011-01-07 21:26 . 2010-09-06 15:59 179712 ----a-w- c:\windows\system32\srvsvc.dll
    2011-01-07 21:26 . 2010-09-06 15:59 12288 ----a-w- c:\windows\system32\sscore.dll
    2011-01-07 21:26 . 2010-09-06 15:57 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-01-07 21:26 . 2010-09-06 13:44 144896 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-01-07 21:26 . 2010-09-06 13:44 175104 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-01-07 21:26 . 2010-05-27 20:01 975360 ----a-w- c:\windows\system32\inetcomm.dll
    2011-01-07 21:26 . 2010-05-27 19:16 738816 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\programdata\{B3C2C1CD-6B77-4A96-B670-F734AC2A1CBC}
    2011-01-07 17:19 . 2011-01-07 17:19 -------- d-----w- c:\program files (x86)\Activation Assistant for the 2007 Microsoft Office suites
    2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\windows\PCHEALTH
    2011-01-07 17:17 . 2011-01-07 17:17 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2011-01-07 17:16 . 2011-01-07 17:19 -------- d-----w- c:\programdata\Microsoft Help
    2011-01-07 17:15 . 2011-01-07 17:15 -------- d-----r- C:\MSOCache
    2011-01-07 16:59 . 2010-09-20 12:14 316416 ----a-w- c:\windows\system32\msshsq.dll
    2011-01-07 16:59 . 2010-09-20 09:25 231936 ----a-w- c:\windows\SysWow64\msshsq.dll
    2011-01-07 16:22 . 2011-01-07 16:22 -------- d-----w- c:\program files (x86)\MSXML 4.0
    2011-01-07 16:10 . 2008-06-20 01:16 49160 ----a-w- c:\windows\system32\infocardcpl.cpl
    2011-01-07 16:10 . 2008-06-20 01:14 37384 ----a-w- c:\windows\SysWow64\infocardcpl.cpl
    2011-01-07 16:10 . 2008-06-20 01:16 11264 ----a-w- c:\windows\system32\icardres.dll
    2011-01-07 16:10 . 2008-06-20 01:14 11264 ----a-w- c:\windows\SysWow64\icardres.dll
    2011-01-07 16:10 . 2008-06-20 01:17 1168928 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
    2011-01-07 16:10 . 2008-06-20 01:14 781344 ----a-w- c:\windows\SysWow64\PresentationNative_v0300.dll
    2011-01-07 16:10 . 2008-06-20 01:16 167432 ----a-w- c:\windows\system32\infocardapi.dll
    2011-01-07 16:10 . 2008-06-20 01:16 1383936 ----a-w- c:\windows\system32\icardagt.exe
    2011-01-07 16:10 . 2008-06-20 01:14 97800 ----a-w- c:\windows\SysWow64\infocardapi.dll
    2011-01-07 16:10 . 2008-06-20 01:14 622080 ----a-w- c:\windows\SysWow64\icardagt.exe
    2011-01-07 16:10 . 2008-06-20 01:17 126520 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2011-01-07 16:10 . 2008-06-20 01:14 105016 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
    2011-01-07 16:01 . 2008-07-27 18:03 158720 ----a-w- c:\windows\SysWow64\mscorier.dll
    2011-01-07 16:01 . 2008-07-27 18:01 158208 ----a-w- c:\windows\system32\mscorier.dll
    2011-01-07 16:01 . 2008-07-27 18:03 83968 ----a-w- c:\windows\SysWow64\mscories.dll
    2011-01-07 16:01 . 2008-07-27 18:01 76288 ----a-w- c:\windows\system32\mscories.dll
    2011-01-07 15:59 . 2010-02-24 09:28 294912 ----a-w- c:\windows\system32\browserchoice.exe
    2011-01-07 15:58 . 2010-02-20 23:44 32768 ----a-w- c:\windows\system32\nshhttp.dll
    2011-01-07 15:58 . 2010-02-20 23:39 24064 ----a-w- c:\windows\SysWow64\nshhttp.dll
    2011-01-07 15:58 . 2010-02-20 23:42 33792 ----a-w- c:\windows\system32\httpapi.dll
    2011-01-07 15:58 . 2010-02-20 23:37 31232 ----a-w- c:\windows\SysWow64\httpapi.dll
    2011-01-07 15:58 . 2010-02-20 21:40 610304 ----a-w- c:\windows\system32\drivers\http.sys
    2011-01-07 15:54 . 2010-04-14 18:33 101376 ----a-w- c:\windows\system32\MSNP.ax
    2011-01-07 15:54 . 2010-04-14 18:33 227328 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-01-07 15:54 . 2010-04-14 17:46 80896 ----a-w- c:\windows\SysWow64\MSNP.ax
    2011-01-07 15:54 . 2010-04-14 17:45 177664 ----a-w- c:\windows\SysWow64\mpg2splt.ax
    2011-01-07 15:54 . 2010-04-14 18:35 375808 ----a-w- c:\windows\system32\psisdecd.dll
    2011-01-07 15:54 . 2010-04-14 17:47 293376 ----a-w- c:\windows\SysWow64\psisdecd.dll
    2011-01-07 15:54 . 2010-04-14 17:47 217088 ----a-w- c:\windows\SysWow64\psisrndr.ax
    2011-01-07 15:54 . 2010-04-14 18:35 289792 ----a-w- c:\windows\system32\psisrndr.ax
    2011-01-07 15:54 . 2010-04-14 18:35 558592 ----a-w- c:\windows\system32\EncDec.dll
    2011-01-07 15:54 . 2010-04-14 17:46 428544 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-01-07 05:18 . 2011-01-07 05:18 -------- d-----w- C:\_OTM
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-07 03:59 . 2010-12-20 18:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-07 03:59 . 2011-01-07 03:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-07 03:59 . 2010-12-20 18:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-07 03:28 . 2010-08-31 15:41 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
    2011-01-07 03:28 . 2010-08-31 15:41 954288 ----a-w- c:\windows\SysWow64\mfc40u.dll
    2011-01-07 03:28 . 2009-09-10 15:48 1486848 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
    2011-01-07 03:28 . 2009-09-10 15:48 372736 ----a-w- c:\windows\system32\unregmp2.exe
    2011-01-07 03:28 . 2009-09-10 15:21 1418752 ----a-w- c:\program files (x86)\Windows Media Player\setup_wm.exe
    2011-01-07 03:28 . 2009-09-10 15:21 310784 ----a-w- c:\windows\SysWow64\unregmp2.exe
    2011-01-07 03:25 . 2009-08-10 14:09 1794560 ----a-w- c:\windows\system32\msxml6.dll
    2011-01-07 03:25 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\SysWow64\msxml6.dll
    2011-01-07 03:25 . 2009-06-04 12:59 2423296 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-07 03:25 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\SysWow64\mstscax.dll
    2011-01-07 03:25 . 2009-10-23 18:10 880640 ----a-w- c:\windows\system32\timedate.cpl
    2011-01-07 03:25 . 2009-10-23 17:42 714240 ----a-w- c:\windows\SysWow64\timedate.cpl
    2011-01-07 03:25 . 2010-09-10 15:51 171008 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2011-01-07 03:25 . 2010-09-10 16:35 168960 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
    2011-01-07 03:25 . 2010-09-10 16:37 8147456 ----a-w- c:\windows\SysWow64\wmploc.DLL
    2011-01-07 03:25 . 2010-09-10 15:52 8147968 ----a-w- c:\windows\system32\wmploc.DLL
    2011-01-07 03:22 . 2010-06-11 16:08 1875456 ----a-w- c:\windows\system32\msxml3.dll
    2011-01-07 03:21 . 2009-07-14 13:21 368128 ----a-w- c:\windows\system32\wmpdxm.dll
    2011-01-07 02:52 . 2011-01-07 02:52 -------- d-----w- c:\program files (x86)\ESET
    2011-01-07 02:06 . 2011-01-07 02:06 -------- d--h--w- c:\programdata\Common Files
    2011-01-07 02:05 . 2011-01-12 00:22 -------- d-----w- c:\programdata\AVG10
    2011-01-07 02:04 . 2011-01-07 02:04 -------- d-----w- c:\program files (x86)\AVG
    2011-01-07 01:39 . 2011-01-07 02:04 -------- d-----w- c:\programdata\MFAData
    2011-01-07 01:34 . 2010-01-15 00:04 98304 ----a-w- c:\windows\SysWow64\cabview.dll
    2011-01-07 01:34 . 2010-01-13 18:34 104960 ----a-w- c:\windows\system32\cabview.dll
    2011-01-07 01:34 . 2009-12-23 12:43 171520 ----a-w- c:\windows\SysWow64\wintrust.dll
    2011-01-07 01:34 . 2009-12-23 12:39 218112 ----a-w- c:\windows\system32\wintrust.dll
    2011-01-07 01:21 . 2009-08-07 02:24 43744 ----a-w- c:\windows\system32\wups2.dll
    2011-01-07 01:21 . 2009-08-07 02:24 57560 ----a-w- c:\windows\system32\wuauclt.exe
    2011-01-07 01:21 . 2009-08-07 02:24 2424024 ----a-w- c:\windows\system32\wuaueng.dll
    2011-01-07 01:21 . 2009-08-07 01:59 2621440 ----a-w- c:\windows\system32\wucltux.dll
    2011-01-07 01:20 . 2009-08-07 02:24 38112 ----a-w- c:\windows\system32\wups.dll
    2011-01-07 01:20 . 2009-08-07 02:24 35552 ----a-w- c:\windows\SysWow64\wups.dll
    2011-01-07 01:20 . 2009-08-07 02:23 700640 ----a-w- c:\windows\system32\wuapi.dll
    2011-01-07 01:20 . 2009-08-07 02:23 575704 ----a-w- c:\windows\SysWow64\wuapi.dll
    2011-01-07 01:20 . 2009-08-07 01:59 98816 ----a-w- c:\windows\system32\wudriver.dll
    2011-01-07 01:20 . 2009-08-07 01:44 87552 ----a-w- c:\windows\SysWow64\wudriver.dll
    2011-01-07 01:20 . 2009-08-06 19:23 185416 ----a-w- c:\windows\system32\wuwebv.dll
    2011-01-07 01:20 . 2009-08-06 19:23 171608 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2011-01-07 01:20 . 2009-08-06 18:59 36864 ----a-w- c:\windows\system32\wuapp.exe
    2011-01-07 01:20 . 2009-08-06 18:44 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2011-01-07 00:17 . 2008-09-26 04:31 804864 ----a-w- c:\windows\system32\drivers\netr28ux.sys
    2011-01-07 00:17 . 2008-09-26 04:26 305664 ----a-w- c:\windows\system32\RaCoInstx.dll
    2011-01-07 00:07 . 2011-01-07 00:08 -------- d-----w- c:\program files (x86)\Microsoft Works
    2011-01-07 00:06 . 2011-01-10 00:17 -------- d-----w- c:\users\Seano

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-07 02:00 . 2009-06-11 15:53 588472 ----a-w- c:\windows\SysWow64\ezsvc7x.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2011-01-09_04.19.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 03:20 . 2011-01-11 14:23 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2011-01-08 03:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-01-11 14:24 . 2011-01-11 14:23 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2011-01-11 14:23 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2011-01-08 03:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2011-01-12 05:27 34914 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2011-01-12 05:27 58292 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-07 00:02 . 2011-01-11 14:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-01-07 00:02 . 2011-01-09 03:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-01-07 00:02 . 2011-01-09 03:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-01-07 00:02 . 2011-01-11 14:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-01-07 00:02 . 2011-01-09 03:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-01-07 00:02 . 2011-01-11 14:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-01-07 19:54 . 2011-01-10 10:50 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-01-07 19:54 . 2011-01-08 17:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-01-07 19:54 . 2011-01-10 10:50 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2006-11-02 12:40 . 2011-01-08 04:11 86016 c:\windows\inf\infstor.dat
    + 2006-11-02 12:40 . 2011-01-10 00:17 86016 c:\windows\inf\infstor.dat
    + 2006-11-02 12:40 . 2011-01-10 00:17 51200 c:\windows\inf\infpub.dat
    - 2006-11-02 12:40 . 2011-01-08 04:11 51200 c:\windows\inf\infpub.dat
    + 2011-01-07 00:07 . 2011-01-12 05:27 5518 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-139329902-3773949464-2642598458-1000_UserData.bin
    - 2011-01-09 04:11 . 2011-01-09 04:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-01-12 05:24 . 2011-01-12 05:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-01-09 04:11 . 2011-01-09 04:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-01-12 05:24 . 2011-01-12 05:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-01-07 06:44 . 2011-01-10 20:31 192876 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2006-11-02 12:46 . 2011-01-09 04:17 599942 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-01-12 05:29 599942 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-01-12 05:29 105448 c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2011-01-09 04:17 105448 c:\windows\system32\perfc009.dat
    - 2009-06-11 16:02 . 2011-01-09 04:10 564704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2009-06-11 16:02 . 2011-01-12 00:31 564704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2006-11-02 12:40 . 2011-01-10 00:17 143360 c:\windows\inf\infstrng.dat
    - 2006-11-02 12:40 . 2011-01-08 04:11 143360 c:\windows\inf\infstrng.dat
    + 2011-01-10 00:17 . 2011-01-10 00:17 4779008 c:\windows\Installer\a5c329.msi
    + 2011-01-10 00:15 . 2011-01-10 00:15 1940480 c:\windows\Installer\a5c325.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
    "HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
    "Google Update"="c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-07 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-01-27 61440]
    "HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
    "UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
    "UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
    "TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-09 1328424]
    "CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-09 185640]
    "DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]
    R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
    R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
    S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/06/11 16:30];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-03-19 09:54 146928]
    S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2008-09-26 804864]


    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000Core.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139329902-3773949464-2642598458-1000UA.job
    - c:\users\Seano\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-07 02:39]

    2011-01-07 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
    "SmartMenu"="%ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ie&c=93&bd=Pavilion&pf=cndt
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-IE\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
    "ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
    @SACL=
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @SACL=
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @SACL=
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @SACL=
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @SACL=
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @SACL=
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @SACL=
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @="IFlashBroker2"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
    @SACL=
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
    @SACL=
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @SACL=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @SACL=
    @="Shockwave Flash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @SACL=
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @SACL=
    @="FlashBroker"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2011-01-12 05:38:21
    ComboFix-quarantined-files.txt 2011-01-12 05:38
    ComboFix2.txt 2011-01-09 05:50
    ComboFix3.txt 2011-01-09 04:22
    ComboFix4.txt 2011-01-07 05:35
    ComboFix5.txt 2011-01-12 05:31

    Pre-Run: 443,192,426,496 bytes free
    Post-Run: 443,164,323,840 bytes free

    - - End Of File - - A2A01C60A05B5ED4AD503945B37D6448
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please take a look at the Registry keys in the Combofix log and tell me why they are all using SACL
    Example:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
    @SACL=


    Access Control: http://msdn.microsoft.com/en-us/library/aa374860(v=VS.85).aspx

    What SACL is: http://msdn.microsoft.com/en-us/library/aa379321(v=vs.85).aspx
    ===========================================
    About File Sharing: no one needs to try and infect your system. When you share files, you share whatever comes with them:
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
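    An added example that is not part of this thread or of ComboFix: a small Python script that pulls the keys carrying a deny ACE out of the 'LOCKED REGISTRY KEYS' section shown above, together with the friendly name and the COM server file registered under each one, so the files behind the locked keys can be hashed or signature-checked instead of reading the section by eye. The layout it assumes (a '[key]' header line, '@Denied:' and '@SACL=' lines, then values, and a lone '.' closing the section) is inferred from the log in this thread, not from ComboFix documentation; treating an '@SACL=' line with nothing after the '=' as 'no audit entries listed' is likewise an interpretation. SAMPLE_LOG is a constructed excerpt of the log above.

```python
"""Triage the 'LOCKED REGISTRY KEYS' section of a ComboFix log.

Added example, not code from the thread or from ComboFix. The section
layout assumed here is inferred from the log posted in the thread.
"""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the log posted above (not a real capture).
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@SACL=
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@SACL=
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00
.
Completion time: 2011-01-12 05:38:21
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')
SERVER_SUBKEYS = ("InprocServer32", "LocalServer32")   # where COM server files live


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_locked_keys(text):
    """Map each key path in the section to its deny entries, the text after
    '@SACL=' (empty string when nothing was listed) and its values."""
    keys = OrderedDict()
    cur = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":                       # lone dot closes a ComboFix section
            break
        m = KEY_RE.match(line)
        if m:
            cur = {"denied": [], "sacl": None, "values": {}}
            keys[m.group("path")] = cur
            continue
        if cur is None or not line:
            continue
        if line.startswith("@Denied:"):
            cur["denied"].append(line[len("@Denied:"):].strip())
        elif line.startswith("@SACL="):
            cur["sacl"] = line[len("@SACL="):].strip()
        else:
            m = VALUE_RE.match(line)
            if m:
                cur["values"][_unquote(m.group("name"))] = _unquote(m.group("data"))
    return keys


def triage(keys):
    """One row per key with a deny ACE: friendly name, deny entries, whether any
    audit entry was listed, and the server binaries registered beneath it."""
    report = []
    for path, info in keys.items():
        if not info["denied"]:
            continue
        binaries = []
        for sub, subinfo in keys.items():
            if sub.startswith(path + "\\") and sub.rsplit("\\", 1)[1] in SERVER_SUBKEYS:
                default = subinfo["values"].get("@")
                if default:
                    binaries.append(default.replace("\\\\", "\\"))  # undo .reg escaping
        report.append({"key": path, "name": info["values"].get("@", ""),
                       "denied": list(info["denied"]),
                       "audit_entries_listed": bool(info["sacl"]),
                       "binaries": binaries})
    return report


if __name__ == "__main__":
    for row in triage(parse_locked_keys(SAMPLE_LOG)):
        print(row["key"].rsplit("\\", 1)[1], "|", row["name"] or "(no name)")
        print("  denied:", "; ".join(row["denied"]))
        print("  audit entries listed:", row["audit_entries_listed"])
        for b in row["binaries"]:
            print("  check file:", b)
```

    Run it on a full log with parse_locked_keys(open(path).read()). The output only says which files sit behind the locked keys and which keys list no audit entries; the permissions themselves can only be confirmed on the machine, for example with PowerShell's Get-Acl -Audit on the key from an elevated prompt, because reading a SACL needs the SeSecurityPrivilege.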
     
  25. bobbygeorge

    bobbygeorge TS Rookie Topic Starter Posts: 23

    thanks for your reply.

    I am not using, or have not downloaded a P2P program. I heeded your warning about this from earlier.

    The answer to your question is, I simply do not know. I am kind of tired right now as I have been awake for quite a while so, sorry, but what I have read in the links is like double Dutch to me right now.

    Files, as in links to photos and music (on YouTube), have been shared with me on Facebook. They are the only files I have opened.

    So, have I got a serious problem again?

    And do you think those links on facebook could be the source?

    I'm getting kind of sick of the intrusion into my personal space, so want to get to the bottom of this once and for all.

    The above line is me just blowing off steam.

    Thanks Bobbye again for your time and awesome support :)
     
Topic Status:
Not open for further replies.
