TechSpot

Norton problems, possible virus or Malware (BFE Service)

Solved
By JWW2012
Apr 18, 2012
Topic Status:
Not open for further replies.
  1. Hi all,

    Ive had a weird thing happen, started PC this morning and notice a 5013,3 problem with the service. So I went to the troubleshoot section and it advised to turn a part of Norton off, then try to start the BFE service (It didnt work). Thats the most Norton offers. So I reinstalled the BFE registry key, it then appeared in services.msc but when I tried to start it I got Error 05: Access is denied. I tried to go to the windows firewall pages and I get 'windows could not locate firewall settings error ox8007042c.

    Its odd, Norton appeared to notice an intrusion and block it, but the Norton log file doesnt reveal anything else, doesnt even reveal any trojans but I noticed before I had this problem a version of flash tried to install and as a result Norton tried to block it.

    So I have run a full norton scan, it deleted 26 tracking cookies shown as low risk.

    Other logs are below.

    Many Thanks for any help received, I think Norton has stopped the harm that something may have caused if it installed fully, but it has clearly managed to do something to the security elements of the MS security centre!

    Malwarebytes Log

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.04.18.05
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Michelle :: MICHELLE-PC [administrator]
    18/04/2012 19:18:04
    mbam-log-2012-04-18 (19-23-17).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 224042
    Time elapsed: 4 minute(s), 57 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 1
    C:\Users\Michelle\AppData\Local\Temp\skxanvcprsrnfskyes.exe (Backdoor.Agent.RCGen) -> Quarentined and Deleted.
    (end)
    GMER:

    Did not produce log

    DDS:

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by Michelle at 19:48:54 on 2012-04-18
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4094.2528 [GMT 1:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\O2\bin\sprtsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\System32\spool\drivers\x64\3\ADAiO2MUI.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\Norton Utilities 14\RMTray.exe
    C:\Program Files (x86)\Steam\steam.exe
    C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
    C:\Program Files (x86)\O2\bin\sprtcmd.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = Preserve
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\IPS\IPSBHO.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: BHO Class: {dd92de22-ed91-4560-b788-dee2b26612e6} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\IEHelper.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [Google Update] "C:\Users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [NortonUtilities] C:\Program Files (x86)\Norton Utilities 14\RMTray.exe /H
    uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
    mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
    mRun: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
    mRun: [O2] "C:\Program Files (x86)\O2\bin\sprtcmd.exe" /P O2
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [Connection Manager] "C:\Program Files (x86)\O2\Connection Manager\emmsn.exe" -dock
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    Trusted Zone: microsoft.com\oas.support
    Trusted Zone: microsoft.com\support
    Trusted Zone: o2.co.uk\*.broadband
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20101202072159
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://www.connect2ea.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1BA0A4F8-338E-4E02-995C-065DF3FB38D1} : NameServer = 193.113.200.200 193.113.200.201
    TCP: Interfaces\{EC7DD8B2-723F-432C-979B-8E962FA44D66} : DhcpNameServer = 192.168.1.254
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
    BHO-X64: Symantec NCO BHO - No File
    BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\IPS\IPSBHO.DLL
    BHO-X64: Symantec Intrusion Prevention - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: BHO Class: {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\IEHelper.dll
    BHO-X64: CStat - No File
    TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\coIEPlg.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    mRun-x64: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
    mRun-x64: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
    mRun-x64: [O2] "C:\Program Files (x86)\O2\bin\sprtcmd.exe" /P O2
    mRun-x64: [Conime] %windir%\system32\conime.exe
    mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [Connection Manager] "C:\Program Files (x86)\O2\Connection Manager\emmsn.exe" -dock
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    Hosts: 94.63.147.16 www.google.com
    Hosts: 94.63.147.17 www.bing.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\gxpstas8.default\
    FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn_2011_7_4_3\components\coFFPlgn.dll
    FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: C:\Program Files (x86)\Virtools\3D Life Player\npvirtools.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Michelle\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS [?]
    R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS [?]
    R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120402.001\BHDrvx64.sys [2012-4-3 1160824]
    R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120417.001\IDSviA64.sys [2012-4-18 488568]
    R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS [?]
    R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1207010.003\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1207010.003\SYMNETS.SYS [?]
    R2 Advent AIO Network Discovery Service;Advent AIO Network Discovery Service;C:\Program Files (x86)\Advent\AIO\Center\ADAIOHostService.exe [2011-10-14 361904]
    R2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-12-8 212232]
    R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2009-12-8 68136]
    R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.7.1.3\ccsvchst.exe [2012-4-4 130008]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-9-15 2253120]
    R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);C:\Program Files (x86)\O2\bin\sprtsvc.exe [2009-3-4 202016]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
    R2 TGCM_ImportWiFiSvc;TGCM_ImportWiFiSvc;C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe [2011-6-14 201080]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-2-5 138360]
    R3 huawei_enumerator;huawei_enumerator;C:\Windows\system32\DRIVERS\ew_jubusenum.sys --> C:\Windows\system32\DRIVERS\ew_jubusenum.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-24 135664]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-6 253600]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\system32\DRIVERS\ew_hwusbdev.sys --> C:\Windows\system32\DRIVERS\ew_hwusbdev.sys [?]
    S3 ewusbmbb;HUAWEI USB-WWAN miniport;C:\Windows\system32\DRIVERS\ewusbwwan.sys --> C:\Windows\system32\DRIVERS\ewusbwwan.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-24 135664]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-04-18 18:33:42 -------- d-----w- C:\Users\Michelle\AppData\Local\{0BB0D3D9-71C8-4E96-B6EC-BA8186CD7F18}
    2012-04-18 18:33:31 -------- d-----w- C:\Users\Michelle\AppData\Local\{43352A46-04F6-4394-95B0-257BA3388A32}
    2012-04-18 18:17:30 -------- d-----w- C:\Users\Michelle\AppData\Roaming\Malwarebytes
    2012-04-18 18:17:25 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-04-18 18:17:25 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-04-18 18:17:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-04-18 18:05:43 -------- d-----w- C:\Users\Michelle\AppData\Local\{23D8C503-AECD-4BC6-83CE-7C216CA3EF7C}
    2012-04-18 18:05:32 -------- d-----w- C:\Users\Michelle\AppData\Local\{FAA19BF6-63B2-4985-9086-8A8BF4B81B0F}
    2012-04-17 19:18:02 -------- d-----w- C:\Users\Michelle\AppData\Local\{B93D02A3-2881-4965-91CA-35116BFADD17}
    2012-04-17 19:17:50 -------- d-----w- C:\Users\Michelle\AppData\Local\{F48D4994-7F81-445A-9261-5E4D4644BF0C}
    2012-04-17 18:48:20 -------- d-----w- C:\Users\Michelle\AppData\Local\{E8A4AB4F-78E2-4BBE-BEC8-69C58F607D53}
    2012-04-17 18:48:08 -------- d-----w- C:\Users\Michelle\AppData\Local\{154832C5-AF6A-44CC-8F36-8B432EF8ABA1}
    2012-04-17 18:21:24 -------- d-----w- C:\Users\Michelle\AppData\Local\{E40E4EA5-62C8-4470-8857-65D852C98D15}
    2012-04-17 18:21:08 -------- d-----w- C:\Users\Michelle\AppData\Local\{991F6C25-D389-4A04-9253-87B9DC40E6F1}
    2012-04-15 21:59:50 -------- d-----w- C:\Users\Michelle\AppData\Local\{B4816929-E2EA-410C-8267-92E0A6A1E87D}
    2012-04-15 21:59:39 -------- d-----w- C:\Users\Michelle\AppData\Local\{FE61B46D-74B4-4FDB-AD45-0752874C9917}
    2012-04-15 17:19:29 -------- d-----w- C:\Users\Michelle\AppData\Local\{02FB3EF5-5632-4865-8B27-8F32FB2F56A7}
    2012-04-15 17:19:17 -------- d-----w- C:\Users\Michelle\AppData\Local\{A8C93197-DF20-4254-8C0C-B13FF61A4EA4}
    2012-04-14 08:38:54 -------- d-----w- C:\Users\Michelle\AppData\Local\{DC4EDD34-2C87-4636-8D0A-D3912352514C}
    2012-04-14 08:38:44 -------- d-----w- C:\Users\Michelle\AppData\Local\{04C04BC2-649C-4680-884C-CF0031085DEB}
    2012-04-13 18:03:11 -------- d-----w- C:\Users\Michelle\AppData\Local\{E10E08CF-0788-44BB-BE01-4176586EC518}
    2012-04-12 08:41:56 -------- d-----w- C:\Program Files\iPod
    2012-04-12 08:41:55 -------- d-----w- C:\Program Files\iTunes
    2012-04-12 08:41:55 -------- d-----w- C:\Program Files (x86)\iTunes
    2012-04-12 08:11:39 -------- d-----w- C:\Users\Michelle\AppData\Local\{7053F932-EAB9-4D6F-BE7B-EC703888669E}
    2012-04-11 18:22:58 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-04-11 18:22:58 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-04-11 18:22:57 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-04-11 18:20:14 81408 ----a-w- C:\Windows\System32\imagehlp.dll
    2012-04-11 18:20:14 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2012-04-11 18:20:14 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2012-04-11 18:20:13 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2012-04-11 18:20:13 5120 ----a-w- C:\Windows\System32\wmi.dll
    2012-04-11 18:20:13 220672 ----a-w- C:\Windows\System32\wintrust.dll
    2012-04-11 18:20:13 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2012-04-11 17:23:06 -------- d-----w- C:\Users\Michelle\AppData\Local\{0548EE3E-4775-476B-97B2-9356E4911355}
    2012-04-10 17:29:50 -------- d-----w- C:\Users\Michelle\AppData\Local\{856FD9D0-59EC-4D2E-97AD-DFE4E557D69E}
    2012-04-09 21:31:01 -------- d-----w- C:\Users\Michelle\AppData\Local\{C4927C7E-6B9D-4532-B41C-B01B89C49343}
    2012-04-09 09:30:50 -------- d-----w- C:\Users\Michelle\AppData\Local\{EBF2174B-8953-4AD6-9605-2EC37915023D}
    2012-04-07 12:41:45 -------- d-----w- C:\Users\Michelle\AppData\Local\Chromium
    2012-04-07 12:37:57 -------- d-----w- C:\Users\Michelle\AppData\Roaming\Sports Interactive
    2012-04-07 12:37:57 -------- d-----w- C:\Users\Michelle\AppData\Local\Sports Interactive
    2012-04-07 12:20:16 -------- d-----w- C:\Users\Michelle\AppData\Local\{E44E37F4-2318-41A4-BBBD-C448C711753A}
    2012-04-06 23:38:10 -------- d-----w- C:\Users\Michelle\AppData\Local\{52BBFA9F-ACD3-4E8C-AC7B-0BE542D9D58B}
    2012-04-06 11:00:18 -------- d-----w- C:\Users\Michelle\AppData\Local\{19773C5B-43CB-4406-AF87-E3733A329DAF}
    2012-04-05 23:57:57 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-04-05 17:01:50 -------- d-----w- C:\Users\Michelle\AppData\Local\{14856DDD-2F8A-40A1-B67A-D5CFAC205D92}
    2012-04-04 17:37:55 386168 ----a-w- C:\Windows\System32\drivers\NISx64\1207010.003\symnets.sys
    2012-04-04 17:37:54 912504 ----a-w- C:\Windows\System32\drivers\NISx64\1207010.003\symefa64.sys
    2012-04-04 17:37:54 744568 ----a-w- C:\Windows\System32\drivers\NISx64\1207010.003\srtsp64.sys
    2012-04-04 17:37:54 450680 ----a-w- C:\Windows\System32\drivers\NISx64\1207010.003\symds64.sys
    2012-04-04 17:37:54 40568 ----a-w- C:\Windows\System32\drivers\NISx64\1207010.003\srtspx64.sys
    2012-04-04 17:37:54 171128 ----a-w- C:\Windows\System32\drivers\NISx64\1207010.003\ironx64.sys
    2012-04-04 17:37:47 -------- d-----w- C:\Windows\System32\drivers\NISx64\1207010.003
    2012-04-04 17:18:12 -------- d-----w- C:\Users\Michelle\AppData\Local\{AFA0B33C-D593-4CC5-AE19-633EB7414B60}
    2012-04-03 18:06:55 -------- d-----w- C:\Users\Michelle\AppData\Local\{C3982DB2-2D53-48A4-8A9D-156E8FF33F81}
    2012-04-02 17:41:15 -------- d-----w- C:\Users\Michelle\AppData\Local\{8BD7FF55-7727-41F4-BB7A-EF498C141231}
    2012-04-01 11:04:32 -------- d-----w- C:\Users\Michelle\AppData\Local\{BC543E14-12E1-4648-8B04-8E793B017BD7}
    2012-04-01 02:12:58 -------- d-----w- C:\Users\Michelle\AppData\Local\{E446E827-C004-4829-8A63-DD17B200A697}
    2012-03-31 14:12:05 -------- d-----w- C:\Users\Michelle\AppData\Local\{23D3DA23-C9CC-4E86-B5D7-7A355EEAD338}
    2012-03-30 22:40:28 -------- d-----w- C:\Users\Michelle\AppData\Local\{D07AF7CC-DBBF-4434-A9B6-5E599150A7D4}
    2012-03-30 08:45:10 -------- d-----w- C:\Users\Michelle\AppData\Local\{E705A8ED-D692-46ED-972C-AAD9DDAB3E87}
    2012-03-29 19:04:18 -------- d-----w- C:\Users\Michelle\AppData\Local\{00B95A4F-1443-4ABF-97D7-89935ACB3DB2}
    2012-03-29 18:59:45 -------- d-----w- C:\Users\Michelle\AppData\Local\{5C5B83C7-FC79-4BDF-96B1-0B8722BBD11E}
    2012-03-29 17:32:37 -------- d-----w- C:\ProgramData\Telefónica
    2012-03-29 17:32:35 -------- d-----w- C:\Users\Michelle\AppData\Roaming\Telefónica
    2012-03-29 17:32:34 -------- d-----w- C:\Users\Michelle\AppData\Roaming\TGCMLog
    2012-03-29 17:29:57 -------- d-----w- C:\Users\Michelle\AppData\Local\{62E2C6B2-0345-4EAB-B205-E036FB5ADB9E}
    2012-03-28 17:06:38 -------- d-----w- C:\Users\Michelle\AppData\Local\{14E059FC-6A6C-43FD-8866-0326D6B0E0A9}
    2012-03-27 18:10:31 -------- d-----w- C:\Users\Michelle\AppData\Local\{BF8C7E61-3312-4855-957F-88FFA1370AE2}
    2012-03-26 16:40:00 -------- d-----w- C:\Users\Michelle\AppData\Local\{D66786C1-6D98-4228-B60D-1BABE0BB5013}
    2012-03-26 15:41:34 103864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2012-03-26 15:41:34 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2012-03-26 11:18:32 -------- d-----w- C:\Users\Michelle\AppData\Local\{76DAA1D5-EE65-4EFF-A3F5-59667BE580FF}
    2012-03-26 10:53:15 -------- d-----w- C:\Users\Michelle\AppData\Local\{B6B6108E-26AE-4F15-B98F-9A9424B622D0}
    2012-03-25 22:34:06 -------- d-----w- C:\Users\Michelle\AppData\Local\{1E60CF87-F0C6-45AA-919D-A609179E4D7B}
    2012-03-23 08:30:20 -------- d-----w- C:\Users\Michelle\AppData\Local\{8E32F531-0D10-4435-BDC3-6883A8FECE9A}
    2012-03-23 08:30:10 -------- d-----w- C:\Users\Michelle\AppData\Local\{CC185094-C5BC-46BA-8E75-E328221B9D0C}
    2012-03-21 18:02:34 -------- d-----w- C:\Users\Michelle\AppData\Local\{4BD74363-8C5C-46D8-BD8E-CDDA81879ED0}
    2012-03-21 18:02:20 -------- d-----w- C:\Users\Michelle\AppData\Local\{58CBE202-4085-451F-B483-369D0CAFF25B}
    2012-03-20 19:52:00 -------- d-----w- C:\Users\Michelle\AppData\Local\{D1E3CF95-B83D-48BD-9D84-32E0913F2C79}
    2012-03-20 19:51:47 -------- d-----w- C:\Users\Michelle\AppData\Local\{D0087E9A-0CD7-4CAA-A671-A7EA8C8CC2B3}
    2012-03-19 20:02:00 -------- d-----w- C:\Users\Michelle\AppData\Local\{5156CD13-795D-4A82-9CC8-B94F151E7A0F}
    2012-03-19 20:01:50 -------- d-----w- C:\Users\Michelle\AppData\Local\{C6FB8CAC-2B28-4F57-BED6-82958EBE7EA0}
    .
    ==================== Find3M ====================
    .
    2012-04-18 18:32:12 25640 ----a-w- C:\Windows\gdrv.sys
    2012-04-05 23:57:57 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
    2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
    2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-02-15 10:01:50 52736 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
    2012-02-15 10:01:50 4547944 ----a-w- C:\Windows\System32\usbaaplrc.dll
    2012-02-14 11:09:44 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
    2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
    2012-01-25 06:38:39 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-01-25 06:38:38 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-01-25 06:33:30 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
    .
    ============= FINISH: 19:49:59.36 ===============
    DDS ATTACH

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 08/12/2009 01:55:29
    System Uptime: 18/04/2012 19:31:39 (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA790GPT-UD3H
    Processor: AMD Phenom(tm) II X4 925 Processor | Socket M2 | 2800/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 267.448 GiB free.
    D: is CDROM (CDFS)
    E: is FIXED (NTFS) - 186 GiB total, 128.574 GiB free.
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP242: 27/03/2012 19:34:46 - Scheduled Checkpoint
    RP243: 04/04/2012 19:09:51 - Scheduled Checkpoint
    RP244: 07/04/2012 13:36:43 - Installed DirectX
    RP245: 08/04/2012 16:08:45 - Installed DirectX
    RP246: 11/04/2012 19:19:17 - Windows Update
    .
    ==== Installed Programs ======================
    .
    3DVIA player 5.0
    Acrobat.com
    AdC4USelfUpdater
    Adobe AIR
    Adobe Reader 9.5.1
    ADVENT AIO Printer
    Advent Essentials
    aioscnnr
    Airport Design Editor 9x Version 1.47.7.0
    Any DWG to Image Converter 2010
    Apple Application Support
    Apple Software Update
    Browser Configuration Utility
    BufferChm
    Capsule
    Citrix Presentation Server Client - Web Only
    Connection Manager
    D3DX10
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    DivX Plus Web Player
    DJ_AIO_06_F2400_SW_Min
    DMIView B8.0717.01
    Dynamic Photo Manager
    EasySaver B9.0610.1
    EasyScreenCaptureVideo
    Euro Truck Simulator 1.3
    F2400
    Farm Frenzy: Pizza Party
    Flight Simulator 2004 Traffic Toolbox SDK
    Football Manager 2012
    FS9 Configurator
    FSNavigator
    Glary Utilities 2.29.0.1032
    Google Chrome
    Google Quick Search Box
    Google SketchUp 8
    Google SketchUp Pro 7
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hospital Hustle
    HPPhotoGadget
    hpWLPGInstaller
    HUAWEI DataCard Driver 4.22.10.00
    InterpOSe for Digimap v4.6 From Dotted Eyes
    Java Auto Updater
    Java(TM) 6 Update 29
    JDownloader
    Juniper Networks Cache Cleaner 5.5.0
    Juniper Networks Cache Cleaner 6.4.0
    Juniper Networks Cache Cleaner 6.5.0
    Juniper Networks Host Checker
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Junk Mail filter update
    Just Flight Traffic 2005 v1.00
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft Flight Simulator 2004 A Century of Flight
    Microsoft Flight Simulator X
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft WSE 3.0 Runtime
    MostFun.com Games - Farm Frenzy: Pizza Party (remove only)
    MostFun.com Games - Hospital Hustle (remove only)
    Mozilla Firefox (3.6)
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Navigraph nDAC 3
    Norton Internet Security
    Norton Utilities
    NVIDIA 3D Vision Controller Driver
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    O2 Broadband Assistant
    OpenAL
    Origin
    OSM2MIF Version 2.0
    Photo Transport
    PreReq
    QuickTime
    Railroad Tycoon 3
    RCT3 Soaked
    Realtek High Definition Audio Driver
    RollerCoaster Tycoon® 3
    Scan
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
    Sid Meier's Civilization IV
    Sid Meier's Civilization IV: Beyond the Sword
    Sid Meier's Civilization IV: Colonization
    Sid Meier's Civilization IV: Warlords
    Sid Meier's Civilization V
    SimCity 4 Deluxe
    Steam
    Super Flight Planner 4.0 RC 5
    System Requirements Lab
    The Sims™ 3
    The Sims™ 3 Ambitions
    The Sims™ 3 Generations
    The Sims™ 3 Outdoor Living Stuff
    The Sims™ 3 Pets
    The Sims™ 3 Town Life Stuff
    The Sims™ 3 World Adventures
    Toolbox
    UK Roads
    UK2000 Heathrow Xtreme FS9 (FS2004) DEMO VERSION
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    Update Manager B08.1027.1
    VC80CRTRedist - 8.0.50727.4053
    Virtual DJ - Atomix Productions
    VLC media player 1.1.5
    vroute.info
    Vuze
    WebReg
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Yahoo! Messenger
    Yahoo! Software Update
    .
    ==== Event Viewer Messages From Past Week ========
    .
    18/04/2012 19:32:13, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    18/04/2012 19:32:12, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    18/04/2012 19:32:10, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
    18/04/2012 19:32:10, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    18/04/2012 08:19:15, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    17/04/2012 19:47:16, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    17/04/2012 19:20:13, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    17/04/2012 19:20:12, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    12/04/2012 09:39:40, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you mark this thread Active? Only Broni and I are suppose to do that- so that's why you haven't gotten a reply.

    Give me a few minutes to look over the logs and I'll be back.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I see some malware processes to be removed and Combofix will find more, so let's go ahead with that: Read my guidelines carefully and do not make any changes in the registry yourself. We will also check the Services.

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop.
    • Double click[​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ===========================================
    Please download Farbar Service Scanner
    • Check ALL boxes to include all files.
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
    ==========================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
  4. JWW2012

    JWW2012 TS Rookie Topic Starter Posts: 49

    Hi bobbye,
    I didnt intentionally mark the thread as active, so sorry if that appeared on there.
    Combofix got stuck at stage 48 the first time it ran though I think that may have been because the computer went in to sleep mode. I turned off norton live protect firewall and virus while it ran, although combofix still put up the dialogue box to say they were running, they were not.

    So here are the requested logs

    Combofix:

    ComboFix 12-04-19.01 - Michelle 19/04/2012 23:32:06.4.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4094.2689 [GMT 1:00]
    Running from: c:\users\Michelle\Desktop\ComboFix.exe
    AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Michelle\Documents\~WRL2872.tmp
    c:\windows\assembly\temp\@
    c:\windows\assembly\temp\cfg.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-19 22:41 . 2012-04-19 22:41 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-04-19 22:41 . 2012-04-19 22:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-18 18:17 . 2012-04-18 18:17 -------- d-----w- c:\users\Michelle\AppData\Roaming\Malwarebytes
    2012-04-18 18:17 . 2012-04-18 18:17 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-04-18 18:17 . 2012-04-18 18:17 -------- d-----w- c:\programdata\Malwarebytes
    2012-04-18 18:17 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-12 08:41 . 2012-04-12 08:41 -------- d-----w- c:\program files\iPod
    2012-04-12 08:41 . 2012-04-12 08:42 -------- d-----w- c:\program files\iTunes
    2012-04-12 08:41 . 2012-04-12 08:42 -------- d-----w- c:\program files (x86)\iTunes
    2012-04-11 18:22 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 18:22 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-04-11 18:22 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-04-11 18:20 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-11 18:20 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-11 18:20 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-04-11 18:20 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-11 18:20 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-04-11 18:20 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-04-11 18:20 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-04-07 12:41 . 2012-04-07 12:41 -------- d-----w- c:\users\Michelle\AppData\Local\Chromium
    2012-04-07 12:37 . 2012-04-07 12:37 -------- d-----w- c:\users\Michelle\AppData\Roaming\Sports Interactive
    2012-04-07 12:37 . 2012-04-07 12:37 -------- d-----w- c:\users\Michelle\AppData\Local\Sports Interactive
    2012-04-05 23:57 . 2012-04-05 23:57 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-04-04 17:37 . 2012-04-04 22:54 -------- d-----w- c:\windows\system32\drivers\NISx64\1207010.003
    2012-03-29 17:32 . 2012-03-29 17:32 -------- d-----w- c:\programdata\Telefónica
    2012-03-29 17:32 . 2012-03-29 17:32 -------- d-----w- c:\users\Michelle\AppData\Roaming\Telefónica
    2012-03-29 17:32 . 2012-03-29 17:32 -------- d-----w- c:\users\Michelle\AppData\Roaming\TGCMLog
    2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-19 22:42 . 2010-04-04 01:59 25640 ----a-w- c:\windows\gdrv.sys
    2012-04-05 23:57 . 2011-07-26 10:59 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-17 06:38 . 2012-03-14 18:29 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 05:34 . 2012-03-14 18:29 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-02-17 04:58 . 2012-03-14 18:29 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:57 . 2012-03-14 18:29 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-15 10:01 . 2012-02-15 10:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
    2012-02-15 10:01 . 2012-02-15 10:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-14 11:09 . 2012-02-14 11:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2012-02-10 06:36 . 2012-03-14 18:30 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-10 05:38 . 2012-03-14 18:30 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-02-03 04:34 . 2012-03-14 18:30 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-01-25 06:38 . 2012-03-14 18:29 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-01-25 06:38 . 2012-03-14 18:29 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-01-25 06:33 . 2012-03-14 18:29 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-12 39408]
    "NortonUtilities"="c:\program files (x86)\Norton Utilities 14\RMTray.exe" [2009-09-14 279912]
    "Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-02-11 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
    "Google Quick Search Box"="c:\program files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-12 122880]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "Connection Manager"="c:\program files (x86)\O2\Connection Manager\emmsn.exe" [2011-06-15 4220792]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 135664]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 253600]
    R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
    R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 135664]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS [x]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS [x]
    S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120413.001\BHDrvx64.sys [2012-04-02 1160824]
    S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120418.001\IDSvia64.sys [2012-03-06 488568]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS [x]
    S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207010.003\SYMNETS.SYS [x]
    S2 Advent AIO Network Discovery Service;Advent AIO Network Discovery Service;c:\program files (x86)\Advent\AIO\Center\ADAIOHostService.exe [2011-10-14 361904]
    S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-06-22 212232]
    S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-03-02 68136]
    S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe [2011-04-17 130008]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
    S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files (x86)\O2\bin\sprtsvc.exe [2009-03-04 202016]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
    S2 TGCM_ImportWiFiSvc;TGCM_ImportWiFiSvc;c:\program files (x86)\O2\Connection Manager\ImpWiFiSvc.exe [2011-06-14 201080]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 138360]
    S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 23:57]
    .
    2012-04-19 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files (x86)\Glary Utilities\initialize.exe [2010-11-07 21:55]
    .
    2012-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 21:37]
    .
    2012-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 21:37]
    .
    2012-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1811582728-2950762797-483866320-1001Core.job
    - c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-20 23:54]
    .
    2012-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1811582728-2950762797-483866320-1001UA.job
    - c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-20 23:54]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-02 7834656]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-02 1833504]
    "ADAiO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\ADAiO2MUI.exe" [2010-12-09 2779136]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: microsoft.com\oas.support
    Trusted Zone: microsoft.com\support
    Trusted Zone: o2.co.uk\*.broadband
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1BA0A4F8-338E-4E02-995C-065DF3FB38D1}: NameServer = 193.113.200.200 193.113.200.201
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20101202072159
    FF - ProfilePath - c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\gxpstas8.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-Conime - c:\windows\system32\conime.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.1.3\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1811582728-2950762797-483866320-1001\Software\SecuROM\License information*]
    "datasecu"=hex:d8,d1,d9,8f,4a,16,8a,90,5f,9a,b3,aa,8d,55,05,4d,3a,91,cc,57,15,
    0f,65,88,e2,05,ae,28,8b,74,f3,12,05,63,a1,21,58,cf,bb,9f,b1,1e,04,61,53,2a,\
    "rkeysecu"=hex:ff,8b,0e,40,e7,f1,c4,a6,65,a9,46,63,a6,be,c3,f9
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\09\05\17\16\"0?"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-19 23:48:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-19 22:48
    .
    Pre-Run: 318,348,148,736 bytes free
    Post-Run: 319,247,048,704 bytes free
    .
    - - End Of File - - 63E70C5BEAB56BCA1EC3BE62F676898B
    FSS

    Farbar Service Scanner Version: 16-04-2012
    Ran by Michelle (administrator) on 20-04-2012 at 16:11:33
    Running from "C:\Users\Michelle\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:

    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****

    eset

    C:\Users\Michelle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\4b4aa54a-7f8690a0 a variant of Java/Exploit.Agent.NAC trojan
    E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm
    E:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application
    E:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application

    Thats it, I would say the E; drive is a very old one, literally the only reason i have it is my old data, i.e. nothing boots or runs from it, the main drive is the C:

    Thanks
    John
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Services look okay. You have some malware in the Java cache. That wil continue until you update Java to the current version and remove the old. (hold a minute on that.

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Users\Michelle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\4b4aa54a-7f8690a0 
      E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
      E:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL 
      E:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL 
      :Commands
      [purity]
      [emptytemp]
      [clearjavacache]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    About the E Drive:
    At some point, you had ZoneAlarm, probably the firewall. There is an oprion (READ: pre-checked on the download screen which sould be unchecked before download!) to add ZoneAlarm Spy Blocker Toolbar And it uses the the Ask.com searchenginesomething we do not encourage. Additionally, this supposed "spyblocker" allowed the MyWebSearch Toolbar on the system when you added a plugin.

    It looks like you may have set up a recovery using Spybot S&D which contained MyWebSearch, MyWay and the Bagel Worm and wuarantined the entries, but you never deleted the quarantine entries in Spybot S&D
    ===============================================
    Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-check toolbars or BHO> if found, remove the check before the download..
    ===============================================
    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Note: Do not leave this log.
    ===========================================
    After you have run Java Ra, and rebooted, open Firefox> Tools> Addons> check both Extensions and Plugins and uninstall all Java except v6u31 if there. You do NOT need to do a sepatrate update download for Firefox.
    ===========================================
    Please run this Custom CFScript:
    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
     
    DDS::
    Trusted Zone: microsoft.com\oas.support
    Trusted Zone: microsoft.com\support
    Trusted Zone: o2.co.uk\*.broadband
    mRun: [Conime] %windir%\system32\conime.exe
    Hosts: 94.63.147.16 www.google.com
    Hosts: 94.63.147.17 www.bing.com
     
    RegNull::
    [HKEY_USERS\S-1-5-21-1811582728-2950762797-483866320-1001\Software\SecuROM\License information*]
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
     
    Clearjavacache::
    Resethosts::
    CreteRestorePoint::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.

    Please give me an update on the system when finished.
  6. JWW2012

    JWW2012 TS Rookie Topic Starter Posts: 49

    Hi bobbye.

    I noticed that Norton is no longer reporting problems, the BFE service is running and the firewall problems seem resolved. Comp is back running how I expect it to.

    The logs you requested are:

    OT MOVE IT

    All processes killed
    ========== FILES ==========
    C:\Users\Michelle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\4b4aa54a-7f8690a0 moved successfully.
    E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery folder moved successfully.
    DllUnregisterServer procedure not found in E:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL
    E:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL moved successfully.
    E:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Michelle
    ->Temp folder emptied: 5249584 bytes
    ->Temporary Internet Files folder emptied: 969359508 bytes
    ->Java cache emptied: 3786818 bytes
    ->FireFox cache emptied: 52481002 bytes
    ->Google Chrome cache emptied: 394387280 bytes
    ->Flash cache emptied: 623 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 270 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 101110 bytes
    RecycleBin emptied: 77751704 bytes

    Total Files Cleaned = 1,434.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 04222012_223153
    Files moved on Reboot...
    C:\Users\Michelle\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\Michelle\AppData\Local\Temp\~DF06701618661FA11E.TMP moved successfully.
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q0HX1JBK\techspot_com[1].htm moved successfully.
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CU4PQYKT\dpsync[1].htm moved successfully.
    File C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CU4PQYKT\micro_videos[2].htm not found!
    File C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CU4PQYKT\opentext[1].css not found!
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CU4PQYKT\tmpageid=7&levyouruid=0[2].htm moved successfully.
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ANSBHCQX\openhand_8_8[1].bmp moved successfully.
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\45FMPTX9\dpsync[1].htm moved successfully.
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\45FMPTX9\virus-and-malware-removal[2].htm moved successfully.
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
    C:\Users\Michelle\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
    Registry entries deleted on Reboot...
    Combofix

    ComboFix 12-04-19.01 - Michelle 23/04/2012 18:02:24.7.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4094.2363 [GMT 1:00]
    Running from: c:\users\Michelle\Desktop\ComboFix.exe
    Command switches used :: c:\users\Michelle\Desktop\CFscript.txt
    AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-23 to 2012-04-23 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-23 17:11 . 2012-04-23 17:11 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-04-23 17:11 . 2012-04-23 17:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-22 21:43 . 2012-04-22 21:43 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-04-22 21:31 . 2012-04-22 21:31 -------- d-----w- C:\_OTM
    2012-04-20 15:13 . 2012-04-20 15:13 -------- d-----w- c:\program files (x86)\ESET
    2012-04-18 18:17 . 2012-04-18 18:17 -------- d-----w- c:\users\Michelle\AppData\Roaming\Malwarebytes
    2012-04-18 18:17 . 2012-04-18 18:17 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-04-18 18:17 . 2012-04-18 18:17 -------- d-----w- c:\programdata\Malwarebytes
    2012-04-18 18:17 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-12 08:41 . 2012-04-12 08:41 -------- d-----w- c:\program files\iPod
    2012-04-12 08:41 . 2012-04-12 08:42 -------- d-----w- c:\program files\iTunes
    2012-04-12 08:41 . 2012-04-12 08:42 -------- d-----w- c:\program files (x86)\iTunes
    2012-04-11 18:22 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-11 18:22 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-04-11 18:22 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-04-11 18:20 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-11 18:20 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-11 18:20 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-04-11 18:20 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-11 18:20 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-04-11 18:20 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-04-11 18:20 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-04-07 12:41 . 2012-04-07 12:41 -------- d-----w- c:\users\Michelle\AppData\Local\Chromium
    2012-04-07 12:37 . 2012-04-07 12:37 -------- d-----w- c:\users\Michelle\AppData\Roaming\Sports Interactive
    2012-04-07 12:37 . 2012-04-07 12:37 -------- d-----w- c:\users\Michelle\AppData\Local\Sports Interactive
    2012-04-05 23:57 . 2012-04-05 23:57 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-04-04 17:37 . 2012-04-04 22:54 -------- d-----w- c:\windows\system32\drivers\NISx64\1207010.003
    2012-03-29 17:32 . 2012-03-29 17:32 -------- d-----w- c:\programdata\Telefónica
    2012-03-29 17:32 . 2012-03-29 17:32 -------- d-----w- c:\users\Michelle\AppData\Roaming\Telefónica
    2012-03-29 17:32 . 2012-03-29 17:32 -------- d-----w- c:\users\Michelle\AppData\Roaming\TGCMLog
    2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-23 17:12 . 2010-04-04 01:59 25640 ----a-w- c:\windows\gdrv.sys
    2012-04-22 21:42 . 2010-06-12 10:31 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-04-05 23:57 . 2011-07-26 10:59 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-17 06:38 . 2012-03-14 18:29 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-02-17 05:34 . 2012-03-14 18:29 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-02-17 04:58 . 2012-03-14 18:29 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-02-17 04:57 . 2012-03-14 18:29 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-02-15 10:01 . 2012-02-15 10:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
    2012-02-15 10:01 . 2012-02-15 10:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-14 11:09 . 2012-02-14 11:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2012-02-10 06:36 . 2012-03-14 18:30 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-10 05:38 . 2012-03-14 18:30 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-02-03 04:34 . 2012-03-14 18:30 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-01-25 06:38 . 2012-03-14 18:29 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-01-25 06:38 . 2012-03-14 18:29 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-01-25 06:33 . 2012-03-14 18:29 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-19_22.43.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 04:54 . 2012-04-23 17:12 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-04-19 22:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-04-19 22:42 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-04-23 17:12 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-04-19 22:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-04-23 17:12 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-08 02:28 . 2012-04-23 16:29 70024 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-04-23 16:29 36060 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-12-08 02:08 . 2012-04-23 16:29 24674 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1811582728-2950762797-483866320-1001_UserData.bin
    + 2009-12-08 08:48 . 2012-04-21 22:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-08 08:48 . 2012-04-17 21:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-04-17 21:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-04-21 22:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2012-04-19 22:42 . 2012-04-19 22:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-04-23 17:12 . 2012-04-23 17:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-04-23 17:12 . 2012-04-23 17:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-04-19 22:42 . 2012-04-19 22:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-10-29 12:56 . 2011-10-03 04:06 157472 c:\windows\SysWOW64\javaws.exe
    + 2012-04-22 21:42 . 2012-04-22 21:42 157472 c:\windows\SysWOW64\javaws.exe
    + 2012-04-22 21:42 . 2012-04-22 21:42 149280 c:\windows\SysWOW64\javaw.exe
    + 2012-04-22 21:42 . 2012-04-22 21:42 149280 c:\windows\SysWOW64\java.exe
    - 2010-03-08 20:55 . 2012-04-19 22:42 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2010-03-08 20:55 . 2012-04-23 17:12 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-07-14 02:36 . 2012-04-23 08:18 628278 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-04-15 18:35 628278 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-04-23 08:18 110598 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2012-04-15 18:35 110598 c:\windows\system32\perfc009.dat
    + 2009-07-14 05:01 . 2012-04-23 17:11 395832 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2012-04-19 22:41 395832 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-04-22 21:43 . 2012-04-22 21:43 207360 c:\windows\Installer\70f81.msi
    + 2010-10-23 23:55 . 2012-04-23 17:11 6767352 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1811582728-2950762797-483866320-1001-8192.dat
    - 2010-10-23 23:55 . 2012-04-19 22:41 6767352 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1811582728-2950762797-483866320-1001-8192.dat
    - 2011-07-25 01:01 . 2012-04-18 18:31 3232536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1811582728-2950762797-483866320-1001-12288.dat
    + 2011-07-25 01:01 . 2012-04-21 23:54 3232536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1811582728-2950762797-483866320-1001-12288.dat
    + 2011-05-01 18:41 . 2012-04-23 17:11 64690340 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1811582728-2950762797-483866320-1001-4096.dat
    + 2012-04-22 21:40 . 2012-04-22 21:40 12938752 c:\windows\Installer\70f71.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-12 39408]
    "NortonUtilities"="c:\program files (x86)\Norton Utilities 14\RMTray.exe" [2009-09-14 279912]
    "Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-02-11 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
    "Google Quick Search Box"="c:\program files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-12 122880]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "Connection Manager"="c:\program files (x86)\O2\Connection Manager\emmsn.exe" [2011-06-15 4220792]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 135664]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 253600]
    R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
    R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 135664]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207010.003\SYMDS64.SYS [x]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207010.003\SYMEFA64.SYS [x]
    S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120413.001\BHDrvx64.sys [2012-04-02 1160824]
    S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120420.001\IDSvia64.sys [2012-03-06 488568]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207010.003\Ironx64.SYS [x]
    S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207010.003\SYMNETS.SYS [x]
    S2 Advent AIO Network Discovery Service;Advent AIO Network Discovery Service;c:\program files (x86)\Advent\AIO\Center\ADAIOHostService.exe [2011-10-14 361904]
    S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-06-22 212232]
    S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-03-02 68136]
    S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe [2011-04-17 130008]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
    S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files (x86)\O2\bin\sprtsvc.exe [2009-03-04 202016]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
    S2 TGCM_ImportWiFiSvc;TGCM_ImportWiFiSvc;c:\program files (x86)\O2\Connection Manager\ImpWiFiSvc.exe [2011-06-14 201080]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 138360]
    S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 23:57]
    .
    2012-04-23 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files (x86)\Glary Utilities\initialize.exe [2010-11-07 21:55]
    .
    2012-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 21:37]
    .
    2012-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-24 21:37]
    .
    2012-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1811582728-2950762797-483866320-1001Core.job
    - c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-20 23:54]
    .
    2012-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1811582728-2950762797-483866320-1001UA.job
    - c:\users\Michelle\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-20 23:54]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-02 7834656]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-02 1833504]
    "ADAiO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\ADAiO2MUI.exe" [2010-12-09 2779136]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{1BA0A4F8-338E-4E02-995C-065DF3FB38D1}: NameServer = 193.113.200.200 193.113.200.201
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20101202072159
    FF - ProfilePath - c:\users\Michelle\AppData\Roaming\Mozilla\Firefox\Profiles\gxpstas8.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.1.3\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-23 18:26:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-23 17:25
    ComboFix2.txt 2012-04-19 22:48
    .
    Pre-Run: 322,056,429,568 bytes free
    Post-Run: 321,987,268,608 bytes free
    .
    - - End Of File - - E971CC9563DEA1E8AD02F96C8FEF188F
    Thats all of them,

    Thanks for your help on this, is there anything else I need to do?
    John
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're very welcome John. The named files and Administrator is 'Michelle'- it's good of you to help her.

    The system look good and clean. I would just like to mention this from OTM: Total Files Cleaned = 1,434.00 mb. That's a LOT of files! Might consider setting up some kind of maintenance schedule to take care of the system:
    1. Remove temporary internet files and Cookies.
    2. Disc Cleanup
    3. Error Check
    4. Defrag
    5. Review installed programs and remove any you don't use.
    6. Keep Java and the Adobe Reader current with updates. Outdated versions are vulnerabilities to the system.

    Notes:
    1. You don't need anything in the Trusted Zone.. The security is lower in that zone.
    2. You don't need anything but the antivirus, firewall if you have 3rd party firewall, process for touch-pad if on laptop and network process for Cisco or Network Magic on the Startup Menu
    ----------------------------------------------

    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o]The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [​IMG]
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [​IMG]
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    [​IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin

    Stay safe and enjoy the computing! :)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.