TechSpot

Need some help making sure a couple trojans are gone for good

Solved
By R2D2B9
Apr 29, 2012
Topic Status:
Not open for further replies.
  1. Hi, ran Malwarebytes Anti-Malware and came up with a couple of hits. Want to make sure they are cleaned. GMER came back clean, so nothing here to post.

    Logs-MBAM
    =========================
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.28.09

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Lisa :: TEAMREIDY [administrator]

    4/29/2012 9:30:04 AM
    mbam-log-2012-04-29 (09-30-04).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 359038
    Time elapsed: 43 minute(s), 54 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\ProgramData\HjLoCTYovD.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Lisa\AppData\Local\Temp\aXS2fW6O1mfjS3.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Lisa\AppData\Local\Temp\0.4262756733180054 (Exploit.Drop.9) -> Quarantined and deleted successfully.

    (end)
    ==================================
    DDS
    ==================================
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32
    Run by Lisa at 10:42:59 on 2012-04-29
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.1744 [GMT -4:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
    FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
    C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
    C:\Windows\system32\dleacoms.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
    C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\SysWOW64\ctfmon.exe
    c:\program files\windows defender\MpCmdRun.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit=userinit.exe,
    BHO: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - C:\Program Files\Dell Printable Web\toolband.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - C:\Program Files\Dell Printable Web\toolband.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
    mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
    StartupFolder: C:\Users\Lisa\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{0DF9CCF7-3ED1-483F-ADBC-D4F1572A4273} : DhcpNameServer = 209.18.47.61 209.18.47.62
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
    BHO-X64: Dell Toolbar: {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Printable Web\toolband.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: Dell Toolbar: {09B71986-2AC5-482d-B6CB-42EA34F4F85B} - C:\Program Files\Dell Printable Web\toolband.dll
    TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
    mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
    AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Lisa\AppData\Roaming\Mozilla\Firefox\Profiles\ioyouugj.default\
    FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Lisa\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
    R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-6-27 365568]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-3-22 44768]
    R2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
    R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
    R2 dlea_device;dlea_device;C:\Windows\system32\dleacoms.exe -service --> C:\Windows\system32\dleacoms.exe -service [?]
    R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-8-24 1692480]
    R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
    R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-13 136176]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-13 136176]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-27 129976]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-04-29 14:40:54 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A63C3EAF-A157-458A-9D41-27F40DB4E1F4}\offreg.dll
    2012-04-29 03:52:32 -------- d-----w- C:\Program Files (x86)\AMD APP
    2012-04-29 03:52:27 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
    2012-04-29 03:51:15 46136 ----a-w- C:\Windows\System32\drivers\amdiox64.sys
    2012-04-29 03:51:14 -------- d-----w- C:\ProgramData\AMD
    2012-04-29 03:50:03 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
    2012-04-29 03:47:31 -------- d-----w- C:\Program Files\ATI
    2012-04-29 03:47:00 -------- d-----w- C:\Program Files\ATI Technologies
    2012-04-29 03:45:46 -------- d-----w- C:\AMD
    2012-04-29 03:44:43 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-04-29 03:44:42 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-04-28 22:40:37 476960 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
    2012-04-28 22:39:44 14744 ----a-w- C:\Users\Lisa\AppData\Roaming\Microsoft\IdentityCRL\Production\ppcrlconfig.dll
    2012-04-28 22:39:02 -------- d-----w- C:\Windows\System32\SPReview
    2012-04-28 22:38:00 -------- d-----w- C:\Windows\System32\EventProviders
    2012-04-28 02:13:11 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
    2012-04-28 02:13:05 157352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
    2012-04-28 02:13:05 129976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
    2012-04-27 21:16:34 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A63C3EAF-A157-458A-9D41-27F40DB4E1F4}\mpengine.dll
    2012-04-21 21:40:21 -------- d-----w- C:\Users\Lisa\AppData\Roaming\Unity
    2012-04-13 15:29:58 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-04-13 15:29:57 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-04-13 15:29:39 81408 ----a-w- C:\Windows\System32\imagehlp.dll
    2012-04-13 15:29:39 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2012-04-13 15:29:37 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2012-04-13 15:29:37 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2012-04-13 15:29:36 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2012-04-13 15:29:36 5120 ----a-w- C:\Windows\System32\wmi.dll
    2012-04-13 15:29:36 220672 ----a-w- C:\Windows\System32\wintrust.dll
    2012-04-10 14:36:30 -------- d-----w- C:\Users\Lisa\AppData\Local\Unity
    2012-04-01 14:36:18 -------- d-----w- C:\Windows\SysWow64\Adobe
    .
    ==================== Find3M ====================
    .
    2012-04-28 22:48:42 175616 ----a-w- C:\Windows\System32\msclmd.dll
    2012-04-28 22:48:42 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
    2012-04-28 22:40:28 472864 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-03-11 21:13:41 43248 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
    2012-03-11 21:13:40 577824 ----a-w- C:\Windows\System32\drivers\cmdGuard.sys
    2012-03-11 21:13:38 22696 ----a-w- C:\Windows\System32\drivers\cmderd.sys
    2012-03-11 21:13:20 41200 ----a-w- C:\Windows\System32\cmdcsr.dll
    2012-03-11 21:13:18 301224 ----a-w- C:\Windows\SysWow64\guard32.dll
    2012-03-11 21:13:17 389840 ----a-w- C:\Windows\System32\guard64.dll
    2012-03-06 23:15:19 41184 ----a-w- C:\Windows\avastSS.scr
    2012-03-06 23:04:06 819032 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-03-06 23:02:20 53080 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-03-06 23:01:52 69976 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-03-06 06:53:37 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
    2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
    2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-02-16 23:05:44 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
    2012-02-16 23:05:44 1700352 ----a-w- C:\Windows\SysWow64\gdiplus.dll
    2012-02-16 23:05:44 1060864 ----a-w- C:\Windows\SysWow64\mfc71.dll
    2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
    .
    ============= FINISH: 10:43:39.11 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/11/2010 8:16:11 AM
    System Uptime: 4/29/2012 10:27:47 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 04GJJT
    Processor: AMD Athlon(tm) II X2 240 Processor | CPU 1 | 2800/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 456 GiB total, 422.183 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP136: 4/28/2012 6:38:53 PM - Windows 7 Service Pack 1
    RP137: 4/28/2012 11:48:20 PM - Device Driver Package Install: ATI Technologies Inc. Display adapters
    RP138: 4/29/2012 3:00:12 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    ABBYY FineReader 6.0 Sprint
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.2
    Adobe Shockwave Player 11.6
    AMD VISION Engine Control Center
    Arcade Games
    ATI Catalyst Control Center
    avast! Free Antivirus
    Bing Bar
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Consumer In-Home Service Agreement
    Dell DataSafe Local Backup
    Dell DataSafe Local Backup - Support Software
    Dell DataSafe Online
    Dell Dock
    Dell Getting Started Guide
    Dell Toolbar
    Google Chrome
    Google Earth Plug-in
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToAssist 8.0.0.514
    HydraVision
    Java Auto Updater
    Java(TM) 6 Update 32
    Junk Mail filter update
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft Choice Guard
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Starter 2010 - English
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Mozilla Firefox 12.0 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    Realtek High Definition Audio Driver
    Roxio Burn
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Skins
    Skype Toolbars
    Skype™ 4.1
    swMSM
    Unity Web Player
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/29/2012 10:35:03 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.
    4/28/2012 6:57:31 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: %%-2147024882
    4/28/2012 6:44:03 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706be: Windows 7 Service Pack 1 for x64-based Systems (KB976932).
    .
    ==== End Of File ===========================
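
The question in this post is whether the three detections were actually dealt with. A small parser for the MBAM text-log format, added here as an example and not code from the poster or from Malwarebytes, answers that mechanically: it reads the "<section> Detected: N" headers, collects each "path (threat) -> action" line, checks that the declared counts match the parsed lines, and flags any item whose action is not "Quarantined and deleted successfully". The sample log is an excerpt of the MBAM log posted above; the second, pending variant is constructed to show what an unresolved item looks like, and the format assumptions (section header and item line shapes) are taken from this log only.

```python
import re
from dataclasses import dataclass

# Excerpt of the MBAM log posted in this thread (header fields plus the
# detection sections). Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.28.09

Scan type: Full scan
Objects scanned: 359038

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 3
C:\ProgramData\HjLoCTYovD.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Lisa\AppData\Local\Temp\aXS2fW6O1mfjS3.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Lisa\AppData\Local\Temp\0.4262756733180054 (Exploit.Drop.9) -> Quarantined and deleted successfully.

(end)
"""

# Constructed variant (not from the thread): one item still pending a reboot.
PENDING_LOG = SAMPLE_LOG.replace(
    "(Exploit.Drop.9) -> Quarantined and deleted successfully.",
    "(Exploit.Drop.9) -> Delete on reboot.",
)

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
SUCCESS = "Quarantined and deleted successfully"


@dataclass(frozen=True)
class Detection:
    section: str
    path: str
    threat: str
    action: str


def parse_mbam_log(text):
    """Return (metadata dict, list of Detection) from an MBAM text log."""
    meta, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            section = None          # a blank line closes the current section
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            meta[section + " Detected"] = int(m.group("count"))
            continue
        if section is not None:
            if line.startswith("("):   # "(No malicious items detected)"
                continue
            m = ITEM_RE.match(line)
            if m:
                detections.append(Detection(section, m.group("path"),
                                            m.group("threat"), m.group("action")))
            continue
        if ": " in line:               # header fields such as "Database version: ..."
            key, _, value = line.partition(": ")
            meta[key] = value
    return meta, detections


def triage(text):
    """Summarise a log: do declared counts match, and is anything unresolved?"""
    meta, dets = parse_mbam_log(text)
    declared = sum(v for k, v in meta.items() if k.endswith(" Detected"))
    return {
        "database": meta.get("Database version"),
        "declared": declared,
        "parsed": len(dets),
        "count_matches": declared == len(dets),
        "threats": sorted({d.threat for d in dets}),
        "unresolved": [d for d in dets if d.action != SUCCESS],
    }


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("pending variant", PENDING_LOG)):
        result = triage(log)
        print(name, result["threats"], "unresolved:", [d.path for d in result["unresolved"]])
```

On the posted log every item reports the success action and the declared count of 3 matches the parsed lines, which is the evidence the poster is asking for; in the constructed variant the "Delete on reboot" item shows up in the unresolved list, which is the case where a rescan after reboot is warranted.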
  2. R2D2B9

    R2D2B9 TS Member Topic Starter Posts: 64

    Any suggestions on this one? It doesn't look too bad to me, but you guys are the experts. This is hopefully the last machine I'm fixing for a while, then I can get back to playing with my Ubuntu box. You fix one relative's computer and they all line up with problems! At least Windows 7 has a better UAC setup out of the box than XP did.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You marked the thread Active. That's not your job. When Broni or I pick up a thread, then we mark it Active so the other one will know it's being handled. That's why it wasn't picked up! Give me a few minutes to look over these logs. Didn't we just finish a thread?
    ===========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The system was clean 4 days ago.
    http://www.techspot.com/community/t...ups-mcafee-damaged.179792/page-2#post-1172173
    [Solved] Redirecting on search results, popups, McAfee damaged

    MY first comment on that thread was: "There is an abundance of malware on this system!"

    1. One of the infections was caused by a Backdoor. I left you extensive documentation about the possible dangers from a Backdoor.
    2. I had you disinfect the flash drive.
    3. Java was updated. Malware entries were removed from the Java cache.
    4. I replaced an infected system file.
    5. I left a screen full of tips for you to apply what you wanted to help the security.
    =================================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HEREand save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =============================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESET Online Scan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =============================================
    Please leave logs in your next reply.
  5. R2D2B9

    R2D2B9 TS Member Topic Starter Posts: 64

    Different System Bobbye, XP machine was my Uncles. This machine is my Aunts (running Windows 7). As I said, when you clean one relatives machine, the others seem to line up and ask if you can do theirs. I'd recommend they create their own accounts on here and go through the process with you, but that would be far more painful for all parties involved, yourself included.

    I hope this is the last one for a while because I really want to play around with some video editing on my Ubuntu box, but there is only enough space on the desk and inputs to the monitor for two machines (My regular XP Desktop and the Linux Box usually).

    Sorry about the confusion with the Active thread thing, I'm not used to all the bells and whistles on these new forums. I knew I messed something up today when I was poking around on the forums. I wish I could do something to help you guys out, but I'm afraid I would cause more harm than good.

    I like Starwars, but oddly enough the reference is actually to robots. I'm an EE.

    Anyhow, scans are running, will post as soon as they finish.
  6. R2D2B9

    R2D2B9 TS Member Topic Starter Posts: 64

    I keep getting this "Catalyst Control Center Host Application has stopped working" warning on startup. I suspect this is a driver related issue. I will resolve it once we are done getting rid of any infections. Just figured I'd mention this in case you have ever seen this related to an infection.
  7. R2D2B9

    R2D2B9 TS Member Topic Starter Posts: 64

    Combofix Log. Eset is running...will post when complete.
    --------------------------------------------------------------

    ComboFix 12-05-01.02 - Lisa 05/01/2012 20:07:19.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2815.1536 [GMT -4:00]
    Running from: c:\users\Lisa\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-02 00:12 . 2012-05-02 00:12 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-29 03:52 . 2012-04-29 03:52 -------- d-----w- c:\program files (x86)\AMD APP
    2012-04-29 03:52 . 2012-04-29 03:52 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
    2012-04-29 03:51 . 2010-02-18 13:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
    2012-04-29 03:51 . 2012-04-29 03:51 -------- d-----w- c:\programdata\AMD
    2012-04-29 03:50 . 2012-04-29 03:50 -------- d-----w- c:\program files\Common Files\ATI Technologies
    2012-04-29 03:47 . 2012-04-29 03:47 -------- d-----w- c:\program files\ATI
    2012-04-29 03:47 . 2012-04-29 03:51 -------- d-----w- c:\program files\ATI Technologies
    2012-04-29 03:45 . 2012-04-29 03:45 -------- d-----w- C:\AMD
    2012-04-29 03:44 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-04-29 03:44 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-04-28 22:40 . 2012-04-28 22:40 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-04-28 22:40 . 2012-04-28 22:40 -------- d-----w- c:\program files (x86)\Java
    2012-04-28 22:39 . 2012-04-28 22:39 -------- d-----w- c:\windows\system32\SPReview
    2012-04-28 22:38 . 2012-04-28 22:38 -------- d-----w- c:\windows\system32\EventProviders
    2012-04-28 02:13 . 2012-04-28 02:13 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2012-04-28 02:13 . 2012-04-28 02:13 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
    2012-04-28 02:13 . 2012-04-28 02:13 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
    2012-04-27 21:16 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A63C3EAF-A157-458A-9D41-27F40DB4E1F4}\mpengine.dll
    2012-04-21 21:40 . 2012-04-21 21:40 -------- d-----w- c:\users\Lisa\AppData\Roaming\Unity
    2012-04-13 15:29 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-04-13 15:29 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-04-13 15:29 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-13 15:29 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-13 15:29 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-04-13 15:29 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-04-13 15:29 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-13 15:29 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-04-13 15:29 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-04-10 14:36 . 2012-04-10 14:36 -------- d-----w- c:\users\Lisa\AppData\Local\Unity
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-28 22:48 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2012-04-28 22:48 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2012-04-28 22:40 . 2010-08-25 02:44 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-04-04 19:56 . 2012-02-16 23:14 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-11 21:13 . 2011-12-19 23:59 43248 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2012-03-11 21:13 . 2012-01-18 02:00 577824 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2012-03-11 21:13 . 2011-12-19 23:59 22696 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2012-03-11 21:13 . 2011-12-19 23:58 41200 ----a-w- c:\windows\system32\cmdcsr.dll
    2012-03-11 21:13 . 2011-12-19 23:58 301224 ----a-w- c:\windows\SysWow64\guard32.dll
    2012-03-11 21:13 . 2011-12-19 23:58 389840 ----a-w- c:\windows\system32\guard64.dll
    2012-03-06 23:15 . 2012-02-16 23:16 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-06 23:15 . 2012-02-16 23:16 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-03-06 23:15 . 2012-02-16 23:16 258520 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-06 23:04 . 2012-02-16 23:16 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-06 23:04 . 2012-02-16 23:16 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-06 23:02 . 2012-03-23 01:12 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-03-06 23:01 . 2012-02-16 23:16 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-06 23:01 . 2012-02-16 23:16 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-03-06 23:01 . 2012-02-16 23:16 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-02-25 17:41 . 2012-02-25 17:41 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-02-25 17:41 . 2012-02-25 17:41 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-02-25 17:41 . 2012-02-25 17:41 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
    2012-02-25 17:41 . 2012-02-25 17:41 85504 ----a-w- c:\windows\system32\iesetup.dll
    2012-02-25 17:41 . 2012-02-25 17:41 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
    2012-02-25 17:41 . 2012-02-25 17:41 76800 ----a-w- c:\windows\system32\tdc.ocx
    2012-02-25 17:41 . 2012-02-25 17:41 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
    2012-02-25 17:41 . 2012-02-25 17:41 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
    2012-02-25 17:41 . 2012-02-25 17:41 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
    2012-02-25 17:41 . 2012-02-25 17:41 603648 ----a-w- c:\windows\system32\vbscript.dll
    2012-02-25 17:41 . 2012-02-25 17:41 49664 ----a-w- c:\windows\system32\imgutil.dll
    2012-02-25 17:41 . 2012-02-25 17:41 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
    2012-02-25 17:41 . 2012-02-25 17:41 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-02-25 17:41 . 2012-02-25 17:41 448512 ----a-w- c:\windows\system32\html.iec
    2012-02-25 17:41 . 2012-02-25 17:41 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
    2012-02-25 17:41 . 2012-02-25 17:41 367104 ----a-w- c:\windows\SysWow64\html.iec
    2012-02-25 17:41 . 2012-02-25 17:41 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
    2012-02-25 17:41 . 2012-02-25 17:41 30720 ----a-w- c:\windows\system32\licmgr10.dll
    2012-02-25 17:41 . 2012-02-25 17:41 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
    2012-02-25 17:41 . 2012-02-25 17:41 222208 ----a-w- c:\windows\system32\msls31.dll
    2012-02-25 17:41 . 2012-02-25 17:41 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-02-25 17:41 . 2012-02-25 17:41 165888 ----a-w- c:\windows\system32\iexpress.exe
    2012-02-25 17:41 . 2012-02-25 17:41 161792 ----a-w- c:\windows\SysWow64\msls31.dll
    2012-02-25 17:41 . 2012-02-25 17:41 160256 ----a-w- c:\windows\system32\wextract.exe
    2012-02-25 17:41 . 2012-02-25 17:41 152064 ----a-w- c:\windows\SysWow64\wextract.exe
    2012-02-25 17:41 . 2012-02-25 17:41 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
    2012-02-25 17:41 . 2012-02-25 17:41 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-02-25 17:41 . 2012-02-25 17:41 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-02-25 17:41 . 2012-02-25 17:41 12288 ----a-w- c:\windows\system32\mshta.exe
    2012-02-25 17:41 . 2012-02-25 17:41 11776 ----a-w- c:\windows\SysWow64\mshta.exe
    2012-02-25 17:41 . 2012-02-25 17:41 114176 ----a-w- c:\windows\system32\admparse.dll
    2012-02-25 17:41 . 2012-02-25 17:41 111616 ----a-w- c:\windows\system32\iesysprep.dll
    2012-02-25 17:41 . 2012-02-25 17:41 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
    2012-02-25 17:41 . 2012-02-25 17:41 101888 ----a-w- c:\windows\SysWow64\admparse.dll
    2012-02-23 14:18 . 2012-02-15 21:31 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-17 06:38 . 2012-03-15 01:08 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 05:34 . 2012-03-15 01:08 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-02-17 04:58 . 2012-03-15 01:08 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:57 . 2012-03-15 01:08 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-16 23:05 . 2012-02-16 23:05 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
    2012-02-16 23:05 . 2012-02-16 23:05 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
    2012-02-16 23:05 . 2012-02-16 23:05 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
    2012-02-10 06:36 . 2012-03-15 01:09 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-10 05:38 . 2012-03-15 01:09 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-02-03 04:34 . 2012-03-15 01:09 3145728 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-13 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-06-27 336384]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-12 559616]
    .
    c:\users\Lisa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-13 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-13 136176]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-28 129976]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-06-27 365568]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
    S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe [2010-01-07 1052328]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-13 17:03]
    .
    2012-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-13 17:03]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-10 8321568]
    "dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-01-18 770728]
    "EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2010-01-18 139944]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 9569096]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    "AppInit_DLLs"=c:\windows\System32\guard64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\users\Lisa\AppData\Roaming\Mozilla\Firefox\Profiles\ioyouugj.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-01 20:17:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-02 00:17
    .
    Pre-Run: 452,958,973,952 bytes free
    Post-Run: 452,605,272,064 bytes free
    .
    - - End Of File - - 3A54BE5CE1B0EB98A73CAE3B9AFCADDA
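The ComboFix log above is reviewed by eye in this thread. As an added example, not part of the original thread and not a ComboFix or TechSpot tool, the following Python script parses ComboFix's log layout and pulls out the entries a reviewer should look at twice: executables that appeared under ProgramData, AppData, Downloads or Temp, Run/RunOnce values, startup shortcuts and scheduled tasks that point outside Windows or Program Files, every AppInit_DLLs value, and services or drivers marked [x]. The sample excerpt embedded in it, the names xkqzvb.exe and svch0st.tmp, and the known-good allowlist are constructed for illustration.

```python
"""Triage a ComboFix log: list the entries a reviewer should look at twice.
Added example for this thread, not a ComboFix tool; it only parses pasted
log text and never touches the registry or file system."""
import re
from typing import List, Tuple

# Locations a non-admin user (or a drive-by download) can write to.
USER_WRITABLE = re.compile(
    r"\\(programdata|users\\[^\\]+\\appdata|users\\[^\\]+\\downloads"
    r"|users\\public|windows\\temp)\\", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files")
KNOWN_GOOD = ("\\programdata\\microsoft\\windows defender\\",)  # vendor drop dirs (assumed)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".tmp", ".com", ".bat", ".vbs")

# "Files Created" / "Find3M" rows:  created . modified  size attrs path
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                       r"\s+(\d+|-+)\s+(\S+)\s+(.+?)\s*$")
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.IGNORECASE)
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"(?:\s+\[[^\]]*\])?\s*$')
APPINIT = re.compile(r'^"AppInit_DLLs"=(.+?)\s*$', re.IGNORECASE)
STARTUP_LNK = re.compile(r"^(.+?\.lnk) - (.+?)\s+\[[^\]]*\]\s*$", re.IGNORECASE)
TASK_LINE = re.compile(r"^- (.+?)\s+\[[^\]]*\]\s*$")
# Services/drivers for which ComboFix recorded no size/date:  "S1 name;description;path [x]"
SERVICE_X = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[x\]\s*$")

Finding = Tuple[str, str, str]  # (severity, what, detail)


def unusual(path: str) -> bool:
    """Autostart target is user-writable or outside Windows / Program Files."""
    return bool(USER_WRITABLE.search(path)) or not path.lower().startswith(TRUSTED_ROOTS)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_LINE.match(line):
            current_key = m.group(1).lower()
        elif m := FILE_LINE.match(line):
            _size, attrs, path = m.groups()
            low = path.lower()
            if (not attrs.startswith("d") and low.endswith(EXEC_EXT)
                    and USER_WRITABLE.search(path) and not any(k in low for k in KNOWN_GOOD)):
                findings.append(("high", "executable created in user-writable path", path))
        elif m := APPINIT.match(line):
            dlls = m.group(1)  # injected into every process that loads user32.dll
            findings.append(("high" if unusual(dlls) else "info", "AppInit_DLLs", dlls))
        elif (m := RUN_VALUE.match(line)) and "\\run" in current_key:
            name, target = m.groups()
            if unusual(target):
                findings.append(("high", f"Run/RunOnce value '{name}' from unusual location", target))
        elif m := (STARTUP_LNK.match(line) or TASK_LINE.match(line)):
            target = m.group(m.lastindex)
            if unusual(target):
                findings.append(("high", "startup shortcut / scheduled task target", target))
        elif m := SERVICE_X.match(line):
            start, name, _desc, image = m.groups()
            findings.append(("high" if image and unusual(image) else "info",
                             f"{start} {name}: no file size/date recorded ([x])",
                             image or "(no image path)"))
    return findings


def format_report(findings: List[Finding]) -> str:
    rank = {"high": 0, "info": 1}
    rows = sorted(findings, key=lambda f: rank[f[0]])
    return "\n".join(f"[{s}] {w}: {d}" for s, w, d in rows) or "nothing flagged"


# Constructed excerpt in ComboFix's layout. xkqzvb.exe and svch0st.tmp are
# made-up names standing in for a dropper; the other rows mirror benign entries.
SAMPLE_LOG = r"""
2012-05-02 00:12 . 2012-05-02 00:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-29 03:51 . 2010-02-18 13:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
2012-04-30 11:02 . 2012-04-30 11:02 184320 ----a-w- c:\programdata\xkqzvb.exe
2012-04-30 11:02 . 2012-04-30 11:02 9216 ----a-w- c:\users\Lisa\AppData\Local\Temp\svch0st.tmp
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"xkqzvb"="c:\programdata\xkqzvb.exe" [2012-04-30 184320]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S1 aswSnx;aswSnx; [x]
"""

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Paste a complete log into `triage()` (or read it from a file) and work through the `[high]` rows first. The sample produces three of them, all the same pattern: a recently created executable in ProgramData or a user's Temp folder, one of which is also referenced by a Run value. An AppInit_DLLs value is always listed, even when it points at a vendor DLL under Windows as the COMODO guard32.dll entry in the real log does, because that value is loaded into every process and should be accounted for rather than skimmed past. Rows marked [x] are informational: ComboFix recorded no size or date for them, which is what the log shows for in-use drivers such as the avast and COMODO ones, so they are only raised to `[high]` when the image path itself is somewhere unusual. Vendor directories that legitimately receive new binaries under ProgramData (Windows Defender definition updates in the real log) go in `KNOWN_GOOD`; extend that tuple rather than loosening the path rules.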
  8. R2D2B9

    R2D2B9 TS Member Topic Starter Posts: 64

    Eset Log

    C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EELVFDSN\ros[6].htm HTML/Iframe.B.Gen virus
    C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EELVFDSN\ros[7].htm HTML/Iframe.B.Gen virus
    C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P8DDW8XS\ros[9].htm HTML/ScrInject.B.Gen virus
    C:\Users\Lisa\Downloads\DownloadManager_Setup.exe.part a variant of Win32/Adware.iBryte.B application
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Combofix looks good. A few entries in Eset to remove:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EELVFDSN\ros[6].htm 
      C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EELVFDSN\ros[7].htm 
      C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P8DDW8XS\ros[9].htm 
      C:\Users\Lisa\Downloads\DownloadManager_Setup.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ================================================
    The above are temporary internet files and one for adware in a setup. No Trojans here.
    ================================================
    About Bing: I'm finding that some downloads are putting the Bing Bar on the system. The Bing Bar then adds an updater, which comes in the form of a new Service. Unless you downloaded these specifically, I have been recommending that the Bing Bar and related entries be removed. One of the downloads includes Zugo with Bing and that is adware. If you want to use Bing to search, you don't need the bundle to do it!

    I can remove these with script for you to run through Combofix. Would you like me to do that?
    ================================================
    Sorry- forgot about the other system being Uncle's. Congrats for doing such a great job so Aunt wants help now!;)
    Please tell me what an EE is.
  10. R2D2B9

    R2D2B9 TS Member Topic Starter Posts: 64

    Hi Bobbye,

    =====================
    I believe that the Bing Bar was probably just installed as an add-on with some other software. My Aunt primarily uses Chrome, which does not have the Bing Bar. Can I just remove it through the standard windows Add/Remove programs on Control Panel?
    ======================
    EE, read "double E", stands for Electrical Engineer.
    My background is primarily digital systems so I have some programming experience, but I tend to focus more on the hardware side of things. I program only as required to make my life easier, I like to work smarter, not harder!
    ======================
    On to the OTM Log.

    All processes killed
    ========== FILES ==========
    C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EELVFDSN\ros[6].htm moved successfully.
    C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EELVFDSN\ros[7].htm moved successfully.
    C:\Users\Lisa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P8DDW8XS\ros[9].htm moved successfully.
    File/Folder C:\Users\Lisa\Downloads\DownloadManager_Setup.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Lisa
    ->Temp folder emptied: 1822720 bytes
    ->Temporary Internet Files folder emptied: 73673439 bytes
    ->Java cache emptied: 99106 bytes
    ->FireFox cache emptied: 1105792407 bytes
    ->Google Chrome cache emptied: 6832503 bytes
    ->Flash cache emptied: 108659 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 12128 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 370013 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,134.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 05042012_213452

    Files moved on Reboot...
    C:\Users\Lisa\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Being an EE makes you a lot smarter than I am!

    You might want to set up some kind of maintenance program for your aunt: From OTM: Total Files Cleaned = 1,134.00 mb! That's a lot of excess files for the system to be carrying around. Have her use this occasionally: (I've embedded the link in Disc Cleanup. There are instructions, screen shots and also a video that might help her)
    Delete temporary files and free up disk space using the Disk Cleanup utility in Windows 7

    And if she doesn't need to do the full cleanup, she can run this occasionally instead:
    TFC (Temp File Cleaner)
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean
    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
    ============================================
    This will remove most of the Bing Bar entries:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
    C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
    DDS::
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
    Clearjavacache::
    Driver::
    BBSvc
    BBUpdate
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . You do not need to leave this log.
    ================================================
    The location of the Bing Bar is given as Program Files\Microsoft\BingBar so you may have to find the Microsoft folder, then Bing Bar in sub-folder.
    Uninstall the Bing Bar and then use Windows Explorer to access Computer> Local Drive(C)> Programs> Find the Bing bar program folder and do a right click> Delete.

    Make sure the Service for updater is gone or disabled: Click on Start> Run> type in services.msc> Double click on BBSvc> Change Startup Type to Disabled> Stop the Service.
    ===============================================
    This should resolve all of the problems and leave a clean system:
    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o] The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [IMG]
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [IMG]
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    [IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin
    ==============================================
    Looking forward to seeing you again when the next family member finds you!:D
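    The post above removes the Bing Bar with a CFScript and then asks for the BBSvc updater service to be disabled by hand in services.msc. The script below is an added example, not part of Bobbye's instructions or of any tool used in this thread: it checks, from an elevated PowerShell prompt on the cleaned machine, whether any of the remnants named in the CFScript are still present (the two files, the BBSvc/BBUpdate services, and the BHO and toolbar registrations for the two CLSIDs quoted in the DDS lines) and disables and stops the services if they are still registered. The file paths, service names and CLSIDs are taken from the thread; the registry locations are the standard Internet Explorer BHO and toolbar keys, with the Wow6432Node view included because this is an x64 system running a 32-bit toolbar.

```powershell
# Added example: verify that the Bing Bar remnants named in the CFScript above are gone.
# Run from an elevated PowerShell prompt after the cleanup. Paths, service names and
# CLSIDs are the ones quoted in the thread; registry keys are the standard IE locations.

$files = @(
    'C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE',
    'C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE',
    'C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll'
)
$services = @('BBSvc', 'BBUpdate')
$bhoClsid = '{d2ce3e00-f94a-4740-988e-03dc2f38c34f}'   # Bing Bar Helper (BHO)
$tbClsid  = '{8dcb7100-df86-4384-8842-8fa844297b3f}'   # Bing Bar (toolbar)

# IE records BHOs as subkeys named by CLSID; 32-bit entries live under Wow6432Node on x64.
$bhoKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
)
# Toolbars are recorded as values (named by CLSID) under these keys.
$tbKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
)

$findings = @()

# 1. Files the CFScript was meant to delete
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File still present: $f" }
}

# 2. Services: same effect as services.msc > Startup Type: Disabled > Stop
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service still registered: $name (Status=$($svc.Status))"
        Set-Service -Name $name -StartupType Disabled
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    }
}

# 3. BHO registrations (the two BHO/BHO-X64 lines from the DDS log)
foreach ($k in $bhoKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "BHO registration still present: $k" }
}

# 4. Toolbar registrations (the two TB/TB-X64 lines from the DDS log)
foreach ($k in $tbKeys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k
        if ($props.PSObject.Properties.Name -contains $tbClsid) {
            $findings += "Toolbar registration still present: $k\$tbClsid"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bing Bar remnants found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

    An empty result after running ComboFix with the CFScript confirms the removal; any line it prints is a leftover to deal with the way the post describes (uninstall from Programs, delete the folder, disable the service). The service step only disables and stops; it deliberately does not delete service entries, because a stale registration that points at a missing binary is harmless and is better removed through the normal uninstaller.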
     
  12. R2D2B9

    R2D2B9 TS Member Topic Starter Posts: 64

    OK Bobbye,

    Ran the CF Script and all the clean-ups. Now I'll go through the recommendations of proactive security improvements that Broni and yourself prescribe, as well as fix the Catalyst Control Center issue.

    Thanks for your great help. Hopefully most of the computers in my family have been locked down and secured as best as possible to prevent future issues.

    As for being smarter than you, I like to take a different stance. It's all relative, we all have our areas of expertise. I've run into my fair share of book smart people who exhibit no amount of common sense whatsoever. We should all strive for a happy balance somewhere in the middle.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. I've enjoyed helping you. Stay safe!