TechSpot

Hotmail hack computer 2

Resolved
By svtford4x4
May 8, 2012
Topic Status:
Not open for further replies.
  1. malware bytes scan clean

    gmer no changes found






    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
    Run by Vision2 at 23:40:05 on 2012-05-08
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.902 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\spool\drivers\x64\3\EKAiO2MUI.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG2012\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.1 209.18.47.62
    TCP: Interfaces\{EB3FE3A4-BF52-4C9E-BCEE-EF1DEF28A1EE} : DhcpNameServer = 192.168.1.1 209.18.47.62
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Vision2\AppData\Roaming\Mozilla\Firefox\Profiles\5lzblntx.default\
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: C:\Users\Vision2\AppData\Roaming\Mozilla\Firefox\Profiles\5lzblntx.default\extensions\2020Player_IKEA@2020Technologies.com\plugins\NP_2020Player_IKEA.dll
    FF - plugin: C:\Users\Vision2\AppData\Roaming\Mozilla\Firefox\Profiles\5lzblntx.default\extensions\2020Player_WEB@2020Technologies.com\plugins\NP_2020Player_WEB.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-05-08 17:16:45 -------- d-----w- C:\Users\Vision2\AppData\Roaming\Malwarebytes
    2012-05-08 17:16:30 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-05-08 17:16:30 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-05-08 17:16:30 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-05-07 18:52:45 -------- d-----w- C:\Program Files (x86)\ESET
    2012-04-27 23:32:02 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
    2012-04-27 23:31:59 157352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
    2012-04-27 23:31:59 129976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
    2012-04-12 07:02:34 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-04-12 07:02:34 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-04-12 07:02:33 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-04-12 07:01:09 81408 ----a-w- C:\Windows\System32\imagehlp.dll
    2012-04-12 07:01:09 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2012-04-12 07:01:09 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2012-04-12 07:01:08 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2012-04-12 07:01:08 5120 ----a-w- C:\Windows\System32\wmi.dll
    2012-04-12 07:01:08 220672 ----a-w- C:\Windows\System32\wintrust.dll
    2012-04-12 07:01:08 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2012-04-11 01:42:30 -------- d-----w- C:\Program Files (x86)\CCleaner2
    .
    ==================== Find3M ====================
    .
    2012-03-16 22:53:16 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-03-15 08:19:09 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2012-03-11 06:11:49 175616 ----a-w- C:\Windows\System32\msclmd.dll
    2012-03-11 06:11:49 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
    2012-02-28 06:39:37 1188864 ----a-w- C:\Windows\System32\wininet.dll
    2012-02-28 05:38:52 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-02-28 04:31:38 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-02-28 03:52:27 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-02-17 06:38:27 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
    2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
    .
    ============= FINISH: 23:40:45.09 ===============










    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/11/2012 1:50:10 AM
    System Uptime: 5/7/2012 12:21:17 PM (35 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5Q PRO TURBO
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | LGA 775 | 2560/321mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 185.346 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP22: 5/5/2012 1:01:29 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Reader X (10.1.3)
    Apple Application Support
    Apple Software Update
    ConvertXtoDVD 4.1.19.365
    ESET Online Scanner v3
    FrostWire 5.3.3
    Java Auto Updater
    Java(TM) 6 Update 31
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox 12.0 (x86 en-US)
    Mozilla Maintenance Service
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Visual Studio 2008 x64 Redistributables
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/4/2012 11:24:44 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR8.
    .
    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're lucky I happen to be the one to pick up this thread! There is another person helping and he wouldn't have known what the problem was!

    Did you just add this system to the network or do a reinstall? Install date shows 3/11/2012. So far I still don't see anything to account for the Hotmail problem. I do, however, see another file sharing program, Frostwire in addition to uTorrent which you have on the other system.

    We'll go ahead with these scans to see if they pickup anything:
    ---------------------------------------------------
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemoverand save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [​IMG]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HEREand save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ------------------------------------------
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    ========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.


    Edit: I noticed these are pretty new systems:
    Comp. 1 >> Install Date: 2/3/2012
    Comp. 2 >> Install Date: 3/11/2012

    Are you using a flash drive between them? Or one that has been used on some other system? If yes, is the flash drive clean-do you know it's clean?
  3. svtford4x4

    svtford4x4 TS Rookie Topic Starter

    install date is when windows was installed? I'm usually quick to reformat which I plan to do with computer 1, computer 2 is the computer everyone else uses that why it has frostwire on it, I suspect that computer is cause of issues. unless it could be a network issue? if both computers were to be reformatted should that fix the problem?





    ComboFix 12-05-09.01 - Vision2 05/09/2012 11:11:59.2.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1167 [GMT -4:00]
    Running from: c:\users\Vision2\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Vision2\AppData\Roaming\vso_ts_preview.xml
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-09 to 2012-05-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-09 15:17 . 2012-05-09 15:17 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-05-08 17:16 . 2012-05-08 17:16 -------- d-----w- c:\users\Vision2\AppData\Roaming\Malwarebytes
    2012-05-08 17:16 . 2012-05-08 17:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-05-08 17:16 . 2012-05-08 17:16 -------- d-----w- c:\programdata\Malwarebytes
    2012-05-08 17:16 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-07 18:52 . 2012-05-07 18:52 -------- d-----w- c:\program files (x86)\ESET
    2012-04-27 23:32 . 2012-04-27 23:32 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2012-04-27 23:31 . 2012-04-27 23:31 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
    2012-04-27 23:31 . 2012-04-27 23:31 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
    2012-04-12 07:02 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-12 07:02 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-04-12 07:02 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-04-12 07:01 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-12 07:01 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-12 07:01 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-04-12 07:01 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-12 07:01 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-04-12 07:01 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-04-12 07:01 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-04-11 01:42 . 2012-05-05 21:47 -------- d-----w- c:\program files (x86)\CCleaner2
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-16 22:53 . 2012-03-11 06:23 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-03-15 08:19 . 2012-03-13 17:24 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-03-11 06:11 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2012-03-11 06:11 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2012-03-01 18:21 . 2012-03-11 03:17 8643640 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{21E04F95-2030-4A6F-A197-F1FF0E5750D9}\mpengine.dll
    2012-02-23 14:18 . 2012-03-11 03:30 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-17 06:38 . 2012-03-13 18:20 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
    2012-02-17 06:38 . 2012-03-13 18:20 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 05:34 . 2012-03-13 18:20 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-02-17 04:58 . 2012-03-13 18:20 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:57 . 2012-03-13 18:20 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-10 06:36 . 2012-03-13 19:41 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-10 05:38 . 2012-03-13 19:41 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-28 4786048]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-27 129976]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\EKAiO2MUI.exe" [2011-12-11 3240448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1 209.18.47.62
    FF - ProfilePath - c:\users\Vision2\AppData\Roaming\Mozilla\Firefox\Profiles\5lzblntx.default\
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-09 11:23:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-09 15:23
    .
    Pre-Run: 199,050,948,608 bytes free
    Post-Run: 198,537,838,592 bytes free
    .
    - - End Of File - - D654E0B2F81AE3D845CECECA359234E6














    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.VRAPWC
    ----- EOF -----
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please allow me to make a few comments:

    1. A reformat and reinstall should only be done if a problem cannot be handled otherwise.
    2. The 2 dates I gave you indicate that Windows was installed on those dates> but here you are barely 4-6 weeks later, with another reformat planned!
    3. If it was a 'network issue', there would be some indications in the logs
    4. If you plan to reformat and reinstall-again- why are we trying to clean the computer?
    5. If the Hotmail problem did not originate from some malware on either of the systems, then a reformat/reinstall will not fix the issue.
    6. Do you know that someone else's email who had your email address could have been hacked and that can be the source of the spam showing your email address?
    6. It has been my experience that users who reformat/reinstall do so because they don't know how to trouble shoot.

    Close the Hotmail account, change all of your passwords, then set up a new email account- consider using a different web-based email- Yahoo for instance. This will then make your current email address invalid, so if the source of the problem is #6, email with that address will not be delivered. Hotmail is the most hacked web-based email I know of.
  5. svtford4x4

    svtford4x4 TS Rookie Topic Starter

    I've heard yahoo was easier to hack, hotmail has been good to me, thats strange there isn't malware, the main reason for wanting to reformat is that there seems to have been a lot of changes to this computer and I feel a fresh instal would be better data is already backed up. the 2nd computer is going back to windows xp. its also odd that the hotmail tech that looked at the system said there was a lot of issues and registry problems and that the network was the likely cause. the tech also recommended that the computer be professionally cleaned at least once a month, is there any validity to that or any other maintenance that should be done to a pc?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Things you didn't share with me- but should have:

    Such as?

    What were the 'problems? Issues? Registry? Did it do a remote assistance on the computer? Hotmail isn't going to give you any reliable support because it's free web-based email. In my experience, when I had both Hotmail and Yahoo mail in addition to my personal mail, Hotmail got so much trash on it regularly that I closed the account.

    What did he base this on? What about the network was the 'likely cause?

    'Professionally' means you pay for it. He is doing nothing but trying to drum up business to make you pay someone what you can do. The Windows OS has everything within it to keep it 'clean' and running well. But you have to use it.

    Maintenance, Absolutely!!!!

    1. Delete temporary internet files and Cookies. Use the following to help:
    Run this once in a while so the files don't pile up:TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean
    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Also Internet Options in the Control Panel
    =============================================
    2. Disc Cleanup: Use Windows Explorer to access Local Drive(C)> right click> Properties> General tab> Disccleanup

    3. Error Check: After Disc Cleanup> Select Tools tab> Error Check> Check both boxes> Apply> OK> Close nag message> Reboot to start.

    4. Defrag: Tools tab> Defrag

    These are all free for you to do yourself. Frequency depends on use> #1 at least weekly, #2 monthly, #3 monthy and/or anytime you have an unexplained 'glitch, #4, monthly
    ------------------------------
    Security:
    1. Keep Windows, Java and Adobe Reader current
    2. Run your antimalware programs once a week> have both prevent and find/remove antimalware programs
    3. Keep antivirus updated, run scan once a week
    4. Use a firewall and don't open random ports
    ===============================================
    You may find the following helpful: (Links are Bold Blue)
    Tips for added security and safer browsing:
    1. Browser Security
      [o]Make Internet Explorer safer
      [o] Use a Site Advisor..
      Have layered Security:
    2. Antivirus Software(only one):
      [o]Microsoft Security Essentials
      [o]Comodo AV
      [o]Avast! Free Antivirus
      =============================
    3. Firewall (only one)
      [o] Zone Alarm Free
      [o]Comodo Firewall Free
    4. Antispyware/Security: I recommend all of the following:
      [o]Spywareblaster:Protects against bad ActiveX.
      [o]IE/Spyad Restricts bad domains.
      [o]MVPS Hosts files Directs HOSTS file to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Popup Stopper
    5. Stay current on updates:
      [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
      [o] Adobe Reade. Uninstall old.
      [o]Java Uninstall old.
    6. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
      (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    7. Do regular Maintenance
      [o]To include Disc Cleanup, Defrag, Error Check/
    8. Remove Temporary Internet Files regularly:
      [o]TFC
    9. System Restore GuideUnderstand Restore Points> why you need to clean and set restore points and what information is in them.
      [*] Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet/ Have a separate email account on free web-based mail.
    Please let me know if you find any bad links.

    ALL free, ALL easily doable. These are not bloated- they are small apps or utilities that you can add if you want.

    And a note: Most techs don't know how to troubleshoot. That's why they reformat/reinstall. I did not see anything in these logs to indicate a "network" problem. But you can check the network settings, make sure the router is working. 'Network' covers a lot of territory- is there a problem with your home network that you have set up between the computers through a router? Or is the 'network' your connection to the internet through the ISP?
  7. svtford4x4

    svtford4x4 TS Rookie Topic Starter

    the tech looked through event viewer, and cmd prompt, *.* was messing with the network apparently by sending packets that would gather information. I usualy use avg and ccleaner, I've never used additional shields other than firewalls occasionally. I've used the other tools if I have had issues. network is through a router then to high speed cable, youtube videos only partially load which made me think it was network issue.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have 2 processes showing related to .cmd:​

    C:\Windows\SysWOW64\cmd.exe >> this the command line shell

    C:\Windows\SysWOW64\cscript.exe >> command-line version of the Windows Script Host that provides command-line options for setting script properties.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I think there may be a glitch here. I actually started the post above, #8 yesterday and somehow it posted before I finished.
    You can look in the Event Viewer yourself:

    Click on Start> Run> type in eventvwr.msc> Enter. Open the System log and App logs and look for Information or Error Events.
    ============================================
    Since you're waiting to reformat/reinstall, I don't see any point in continuing, so I'm going to close the thread.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.