
Two nights ago my computer got the System Check Virus

Discussion in 'Virus and Malware Removal' started by rcmeyer99, Jan 3, 2012.

  1. rcmeyer99 Newcomer, in training Posts: 68

    I saw on here that a few others have gotten this virus also. The only things I have done are run Malwarebytes and SuperAntiSpyware.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.02.01

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Nicole :: NICOLE-PC [administrator]

    Protection: Enabled

    1/2/2012 3:38:55 PM
    mbam-log-2012-01-02 (15-38-55).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 28063
    Time elapsed: 8 minute(s), 25 second(s) [aborted]

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    --------

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/02/2012 at 05:27 PM

    Application Version : 5.0.1142

    Core Rules Database Version : 8091
    Trace Rules Database Version: 5903

    Scan type : Quick Scan
    Total Scan Time : 00:01:58

    Operating System Information
    Windows Vista Home Premium 64-bit, Service Pack 2 (Build 6.00.6002)
    UAC On - Limited User

    Memory items scanned : 507
    Memory threats detected : 0
    Registry items scanned : 29596
    Registry threats detected : 0
    File items scanned : 5031
    File threats detected : 46

    Adware.Tracking Cookie
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\295WHODL.txt [ /xml.happytofind.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\ZM1VK6JD.txt [ /doubleclick.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\TROE1G7G.txt [ /ru4.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\JNO37AX4.txt [ /247realmedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\GV1EV7HE.txt [ /sysufind.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\G385MUFC.txt [ /advertising.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\F3BZCYA1.txt [ /fastclick.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\BWF7LX0E.txt [ /adlegend.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\ICZ2T8BJ.txt [ /r1-ads.ace.advertising.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\DRQ9Y10Z.txt [ /stat.onestat.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\G17H4RMQ.txt [ /realmedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\PIUB24VB.txt [ /mediaplex.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\UOGVRCUF.txt [ /at.atwola.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\4T865CY6.txt [ /apmebf.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\28D35OXA.txt [ /ad.yieldmanager.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\UOUX987Y.txt [ /specificclick.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\DAC1EHWK.txt [ /tacoda.at.atwola.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\TX3GWO4U.txt [ /atdmt.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\LH0SBLVU.txt [ /findedclik.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\FJ47AW3Z.txt [ /adxpose.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\VZH8XOWE.txt [ /collective-media.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\VPAE1U43.txt [ /invitemedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\3YFM4XTR.txt [ /yieldmanager.net ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\ZI1S9APQ.txt [ /miva.cinomedia.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\A33N69D3.txt [ /media6degrees.com ]
    C:\Users\Nicole\AppData\Roaming\Microsoft\Windows\Cookies\3YM33DFR.txt [ /network.realmedia.com ]
    C:\USERS\NICOLE\Cookies\295WHODL.txt [ Cookie:nicole@xml.happytofind.com/ ]
    C:\USERS\NICOLE\Cookies\ZM1VK6JD.txt [ Cookie:nicole@doubleclick.net/ ]
    C:\USERS\NICOLE\Cookies\TROE1G7G.txt [ Cookie:nicole@ru4.com/ ]
    C:\USERS\NICOLE\Cookies\GV1EV7HE.txt [ Cookie:nicole@sysufind.com/ ]
    C:\USERS\NICOLE\Cookies\BWF7LX0E.txt [ Cookie:nicole@adlegend.com/ ]
    C:\USERS\NICOLE\Cookies\ICZ2T8BJ.txt [ Cookie:nicole@r1-ads.ace.advertising.com/ ]
    C:\USERS\NICOLE\Cookies\DRQ9Y10Z.txt [ Cookie:nicole@stat.onestat.com/ ]
    C:\USERS\NICOLE\Cookies\G17H4RMQ.txt [ Cookie:nicole@realmedia.com/ ]
    C:\USERS\NICOLE\Cookies\PIUB24VB.txt [ Cookie:nicole@mediaplex.com/ ]
    C:\USERS\NICOLE\Cookies\28D35OXA.txt [ Cookie:nicole@ad.yieldmanager.com/ ]
    C:\USERS\NICOLE\Cookies\DAC1EHWK.txt [ Cookie:nicole@tacoda.at.atwola.com/ ]
    C:\USERS\NICOLE\Cookies\TX3GWO4U.txt [ Cookie:nicole@atdmt.com/ ]
    C:\USERS\NICOLE\Cookies\LH0SBLVU.txt [ Cookie:nicole@findedclik.com/ ]
    C:\USERS\NICOLE\Cookies\FJ47AW3Z.txt [ Cookie:nicole@adxpose.com/ ]
    C:\USERS\NICOLE\Cookies\VZH8XOWE.txt [ Cookie:nicole@collective-media.net/ ]
    C:\USERS\NICOLE\Cookies\VPAE1U43.txt [ Cookie:nicole@invitemedia.com/ ]
    C:\USERS\NICOLE\Cookies\3YFM4XTR.txt [ Cookie:nicole@yieldmanager.net/ ]
    C:\USERS\NICOLE\Cookies\ZI1S9APQ.txt [ Cookie:nicole@miva.cinomedia.com/ ]
    C:\USERS\NICOLE\Cookies\A33N69D3.txt [ Cookie:nicole@media6degrees.com/ ]
    C:\USERS\NICOLE\Cookies\3YM33DFR.txt [ Cookie:nicole@network.realmedia.com/ ]

    ----------

    I also saw in a previous post to run unhide to try and get files back. I have run this in both normal and safe modes. Nothing happened when I ran it.
  2. rcmeyer99 Newcomer, in training Posts: 68

    Realized I didn't send the original Malware log.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2011.12.24.05

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Nicole :: NICOLE-PC [administrator]

    Protection: Enabled

    1/2/2012 2:48:30 PM
    mbam-log-2012-01-02 (14-19-31).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 177851
    Time elapsed: 7 minute(s), 31 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 3
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|gyjAEPulVY.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\gyjAEPulVY.exe -> Quarantined and deleted successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
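    The third registry item in this log is the textbook shape of a rogue like System Check: a Run value with a random-looking name whose image sits directly in C:\ProgramData, next to two Explorer\Advanced settings flipped to 0 (the PUM.Hijack.StartMenu entries) to hide Start menu items. As an added example, not part of the original thread or of Malwarebytes, here is a Python triage script that parses MBAM "Registry Data Items Detected" lines into records and flags Run/RunOnce entries whose executable lives directly in a user-writable root (ProgramData, AppData, Temp) rather than in a vendor subfolder. The WRITABLE_ROOTS list and the location heuristic are assumptions of this example; the sample input is the three lines from the log above.

```python
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample input: the three "Registry Data Items Detected" lines from
# the Malwarebytes log above, in the one-line format MBAM writes.
SAMPLE_LOG = r"""
Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|gyjAEPulVY.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\gyjAEPulVY.exe -> Quarantined and deleted successfully.
"""

# key|value (label) -> payload -> action; payload is "Data: ..." or "Bad: (..) Good: (..)"
LINE_RE = re.compile(
    r"^(?P<key>HK[A-Z]{2,4}\\[^|]+)\|(?P<value>\S+) "
    r"\((?P<label>[^)]+)\) -> (?P<payload>.*?) -> (?P<action>.*)$"
)
DATA_RE = re.compile(r"^Data: (?P<data>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)$")

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

# Assumption of this example: directories any unprivileged process can write to.
# Legitimate installers use a vendor subfolder, so an autorun whose image sits
# directly in one of these roots deserves a look. Glob syntax, lower-case,
# forward slashes (see in_writable_root).
WRITABLE_ROOTS = (
    "c:/programdata",
    "c:/users/*/appdata/roaming",
    "c:/users/*/appdata/local",
    "c:/users/*/appdata/local/temp",
    "c:/windows/temp",
)

@dataclass
class Detection:
    key: str
    value: str
    label: str
    action: str
    data: Optional[str] = None   # registry data (Run-style entries)
    bad: Optional[str] = None    # observed setting (PUM entries)
    good: Optional[str] = None   # expected setting (PUM entries)

def parse_mbam_registry_lines(text: str) -> list[Detection]:
    """Parse the 'Registry Data Items Detected' lines of an MBAM log; other lines are ignored."""
    dets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        det = Detection(m["key"], m["value"], m["label"], m["action"])
        payload = m["payload"]
        if (d := DATA_RE.match(payload)):
            det.data = d["data"]
        elif (bg := BADGOOD_RE.match(payload)):
            det.bad, det.good = bg["bad"], bg["good"]
        dets.append(det)
    return dets

def image_path(data: str) -> Optional[PureWindowsPath]:
    """Executable path from Run data: a quoted path followed by arguments, or a bare path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return PureWindowsPath(data[1:end]) if end > 1 else None
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", data)  # cut trailing arguments
    return PureWindowsPath(m.group(1)) if m else None

def in_writable_root(path: PureWindowsPath) -> bool:
    """True if the file's *parent* directory is itself one of WRITABLE_ROOTS."""
    parent = path.parent.as_posix().lower()
    return any(fnmatch.fnmatchcase(parent, pat) for pat in WRITABLE_ROOTS)

def suspicious_autoruns(dets: list[Detection]) -> list[Detection]:
    """Run/RunOnce entries whose image lives directly in a user-writable root."""
    hits = []
    for d in dets:
        if d.data is None or not d.key.endswith(AUTORUN_KEYS):
            continue
        p = image_path(d.data)
        if p is not None and in_writable_root(p):
            hits.append(d)
    return hits

def hijacked_explorer_settings(dets: list[Detection]) -> dict[str, tuple[str, str]]:
    """Explorer\\Advanced values whose observed ('Bad') setting differs from the
    expected ('Good') one, e.g. Start_ShowMyComputer forced to 0 to hide the item."""
    return {d.value: (d.bad, d.good) for d in dets
            if "\\Explorer\\Advanced" in d.key and d.bad is not None and d.bad != d.good}

if __name__ == "__main__":
    dets = parse_mbam_registry_lines(SAMPLE_LOG)
    for d in suspicious_autoruns(dets):
        print(f"SUSPICIOUS AUTORUN {d.key}|{d.value} -> {d.data} [{d.label}]")
    for name, (bad, good) in hijacked_explorer_settings(dets).items():
        print(f"HIJACKED SETTING {name}: is {bad}, should be {good}")
```

    The location check deliberately ignores the file name: random names are easy to spot by eye but hard to score reliably, whereas a binary dropped straight into the ProgramData or AppData root, with no vendor folder, is unusual for legitimate software regardless of what it is called.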
  3. rcmeyer99 Newcomer, in training Posts: 68

    Still need help

    I believe I was successful in partially removing the System Check virus, but I think some of it is still there. I still have hidden files, my desktop is black, and when I try to use any search engine I get redirected to different sites all the time.
  4. rcmeyer99 Newcomer, in training Posts: 68

    aswMBR log

    aswMBR version 0.9.9.1156 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-03 19:12:39
    -----------------------------
    19:12:39.696 OS Version: Windows x64 6.0.6002 Service Pack 2
    19:12:39.697 Number of processors: 4 586 0x170A
    19:12:39.697 ComputerName: NICOLE-PC UserName: Nicole
    19:12:41.902 Initialize success
    19:12:42.008 AVAST engine defs: 12010301
    19:12:49.652 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    19:12:49.655 Disk 0 Vendor: ST375063 DE13 Size: 715404MB BusType: 3
    19:12:49.665 Disk 0 MBR read successfully
    19:12:49.668 Disk 0 MBR scan
    19:12:49.672 Disk 0 Windows VISTA default MBR code
    19:12:49.675 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
    19:12:49.688 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
    19:12:49.701 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 699980 MB offset 31586304
    19:12:49.706 Service scanning
    19:12:50.965 Modules scanning
    19:12:50.969 Disk 0 trace - called modules:
    19:12:51.005 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8007ed0334]<<
    19:12:51.010 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b67790]
    19:12:51.016 3 CLASSPNP.SYS[fffffa60009c0c33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800638d050]
    19:12:51.022 \Driver\iaStorV[0xfffffa8005841ae0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8007ed0334
    19:12:54.396 AVAST engine scan C:\Windows
    19:12:57.681 AVAST engine scan C:\Windows\system32
    19:15:00.187 AVAST engine scan C:\Windows\system32\drivers
    19:15:20.718 AVAST engine scan C:\Users\Nicole
    19:15:44.764 File: C:\Users\Nicole\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe **INFECTED** Win32:Malware-gen
    19:16:58.766 Disk 0 MBR has been saved successfully to "C:\Users\Nicole\Documents\MBR.dat"
    19:16:58.774 The log file has been saved successfully to "C:\Users\Nicole\Documents\aswMBR.txt"
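    aswMBR's partition listing above is read straight from the 512-byte MBR that it later saves as MBR.dat. As an added example, not part of the original thread or of aswMBR, here is a Python parser for such a saved MBR: it checks the 0x55AA signature, decodes the four 16-byte partition entries, reproduces the status/type/size/offset fields aswMBR prints, and runs the consistency checks a responder would want (exactly one active partition, no overlap, nothing past the end of the disk). It also hashes the boot code region separately from the partition table, so two MBR images can be compared without the per-machine partition layout getting in the way. The sample MBR is constructed in the code from the three partitions in the log; its boot code is zero-filled rather than the real Vista boot code, and the sector counts are chosen to reproduce the logged sizes.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
PART_TABLE_OFFSET = 446             # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"        # bytes 510-511
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sectors

# Partition type IDs seen in the aswMBR log above.
PART_TYPES = {0x07: "HPFS/NTFS", 0xDE: "Dell Utility"}

@dataclass
class Partition:
    index: int
    status: int      # 0x80 active/bootable, 0x00 inactive; anything else is invalid
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:    # exclusive
        return self.lba_start + self.sectors

    @property
    def size_mb(self) -> int:    # floor, as aswMBR prints it
        return self.sectors * SECTOR // (1024 * 1024)

def parse_mbr(mbr: bytes) -> list[Partition]:
    """Decode the partition table of a 512-byte MBR image (e.g. a saved MBR.dat)."""
    if len(mbr) != 512:
        raise ValueError(f"MBR must be 512 bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, type_id, _, lba, count = ENTRY.unpack_from(mbr, PART_TABLE_OFFSET + 16 * i)
        if type_id == 0 and count == 0:
            continue                  # empty slot
        parts.append(Partition(i + 1, status, type_id, lba, count))
    return parts

def sanity_check(parts: list[Partition], disk_mb: int) -> list[str]:
    """Consistency problems in the table; an empty list means it looks sane."""
    disk_sectors = disk_mb * 1024 * 1024 // SECTOR
    problems = []
    for p in parts:
        if p.status not in (0x00, 0x80):
            problems.append(f"partition {p.index}: invalid status 0x{p.status:02X}")
        if p.lba_end > disk_sectors:
            problems.append(f"partition {p.index}: extends past end of disk")
    if sum(p.bootable for p in parts) != 1:
        problems.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            problems.append(f"partitions {a.index} and {b.index} overlap")
    return problems

def describe(parts: list[Partition]) -> list[str]:
    """One line per partition, in the layout aswMBR uses."""
    return [f"Partition {p.index} {p.status:02X} {'(A) ' if p.bootable else ''}"
            f"{p.type_id:02X} {PART_TYPES.get(p.type_id, 'unknown')} {p.size_mb} MB offset {p.lba_start}"
            for p in parts]

def bootcode_digest(mbr: bytes) -> str:
    """SHA-256 of the 446-byte boot code only. Partition tables legitimately differ
    between machines; the boot code for a given Windows version should not, so compare
    this digest with a known-good MBR from a clean machine of the same version."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()

def build_mbr(entries, bootcode: bytes = b"\x00" * PART_TABLE_OFFSET) -> bytes:
    """Assemble a test MBR from (status, type, lba_start, sectors) tuples.
    Constructed helper: the boot code is zero-filled, not real Vista boot code."""
    table = b"".join(ENTRY.pack(s, b"\0\0\0", t, b"\0\0\0", lba, n) for s, t, lba, n in entries)
    return bootcode + table.ljust(64, b"\x00") + BOOT_SIGNATURE

# Constructed sample reproducing the three partitions aswMBR reported above.
# Sector counts are chosen so size_mb yields the logged 62 / 15360 / 699980 MB.
SAMPLE_MBR = build_mbr([
    (0x00, 0xDE, 63, 129024 - 63),
    (0x00, 0x07, 129024, 31586304 - 129024),
    (0x80, 0x07, 31586304, 699980 * 2048),
])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    print("\n".join(describe(parts)))
    print("problems:", sanity_check(parts, disk_mb=715404) or "none")
```

    To use it on a real capture, read MBR.dat with `open(path, "rb").read()` and pass the disk size aswMBR printed (715404 MB here) to sanity_check. A table that parses cleanly says nothing about the boot code itself, which is why the digest is kept separate: a bootkit can leave the partition entries untouched and still own the first 446 bytes.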
  5. rcmeyer99 Newcomer, in training Posts: 68

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-03 18:26:25
    Windows 6.0.6002 Service Pack 2
    Running: 4i9b70yh.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}@haikbfdjheonepap 0x6B 0x61 0x6E 0x70 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}@iacklbokghlgbnjplp 0x6A 0x61 0x6F 0x70 ...

    ---- EOF - GMER 1.0.15 ----
  6. Broni Malware Annihilator Posts: 39,199   +175

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  7. rcmeyer99 Newcomer, in training Posts: 68

    Hello

    I tried running the DDS and all I get is Notepad opening up, nothing else.
  8. Broni Malware Annihilator Posts: 39,199   +175

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  9. rcmeyer99 Newcomer, in training Posts: 68

    Combofix

    I ran ComboFix, but before I could get a log, Avast popped on after the restart and interrupted it before I was able to stop Avast again.
  10. Broni Malware Annihilator Posts: 39,199   +175

    Avast gives you an option to disable it permanently.
    Do so, re-run Combofix and re-enable Avast.
  11. rcmeyer99 Newcomer, in training Posts: 68

    Finally got it

    ComboFix 12-01-03.08 - Nicole 01/04/2012 4:04.5.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6077.4047 [GMT -6:00]
    Running from: c:\users\Nicole\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-04 10:40 . 2012-01-04 10:52 -------- d-----w- c:\users\Nicole\AppData\Local\temp
    2012-01-04 10:40 . 2012-01-04 10:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-04 09:05 . 2012-01-04 09:05 -------- d-----w- C:\f57976069260d26b1cae261f45ca
    2012-01-04 08:23 . 2012-01-04 08:23 -------- d-----w- C:\6c3d4801ac2b96a6b866387472
    2012-01-04 06:12 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-01-04 06:12 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-01-04 06:12 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-01-04 06:12 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-01-04 06:12 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-04 06:12 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-01-04 06:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-04 06:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-01-03 20:23 . 2012-01-03 20:23 -------- d-----w- c:\windows\system32\Macromed
    2012-01-03 18:10 . 2012-01-03 18:10 -------- d-----w- C:\eb99211563fb9e909585b8ec
    2012-01-02 22:32 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2012-01-02 22:30 . 2012-01-04 06:11 -------- d-----w- c:\programdata\AVAST Software
    2012-01-02 22:30 . 2012-01-02 22:30 -------- d-----w- c:\program files\AVAST Software
    2012-01-02 20:27 . 2012-01-02 20:27 -------- d-----w- C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-02 05:45 . 2012-01-02 23:55 -------- d-----w- c:\programdata\Lavasoft
    2012-01-02 05:45 . 2012-01-02 05:45 -------- d-----w- c:\users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-02 05:44 . 2012-01-02 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 05:44 . 2012-01-02 05:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-02 04:47 . 2012-01-02 04:47 -------- d-----w- C:\a8bdd53a4f3715258e
    2012-01-02 03:29 . 2012-01-02 03:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-01-02 03:29 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 21:48 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 21:48 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 21:48 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-15 21:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 21:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 21:48 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
    2011-12-14 04:13 . 2011-12-14 04:14 -------- d-----w- c:\users\Nicole\AppData\Roaming\Apple Computer
    2011-12-14 04:13 . 2011-12-14 04:13 -------- d-----w- c:\users\Nicole\AppData\Local\Apple Computer
    2011-12-14 04:12 . 2009-05-18 19:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-14 04:12 . 2008-04-17 18:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2011-12-14 04:12 . 2008-04-17 18:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2011-12-14 04:12 . 2012-01-02 23:55 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\program files\iPod
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files\iTunes
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files (x86)\iTunes
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\programdata\Apple Computer
    2011-12-14 04:10 . 2011-12-14 04:10 -------- d-----w- c:\users\Nicole\AppData\Local\Apple
    2011-12-14 04:09 . 2011-12-14 04:09 -------- d-----w- c:\program files (x86)\Apple Software Update
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Bonjour
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files (x86)\Bonjour
    2011-12-14 04:06 . 2011-12-14 04:11 -------- d-----w- c:\program files (x86)\Common Files\Apple
    2011-12-14 04:06 . 2011-12-14 04:09 -------- d-----w- c:\programdata\Apple
    2011-12-11 14:36 . 2011-12-11 14:36 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-04 10:49 . 2012-01-04 08:53 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\offreg.dll
    2012-01-04 08:15 . 2011-04-30 16:28 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
    2012-01-03 20:23 . 2011-07-14 15:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-30 08:21 . 2012-01-03 07:39 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\mpengine.dll
    2011-11-15 20:29 . 2011-01-17 07:35 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-04_05.38.45 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 03:20 . 2012-01-04 10:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-01-04 04:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-01-04 04:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 10:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 04:22 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 10:50 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-01-04 08:55 45626 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-01-04 10:51 71170 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2012-01-04 08:19 . 2011-12-27 02:51 43280 c:\windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe
    + 2012-01-04 08:19 . 2011-12-27 02:51 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
    + 2012-01-04 08:22 . 2012-01-04 08:22 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
    - 2011-12-17 09:02 . 2011-12-17 09:02 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
    - 2011-12-17 09:02 . 2011-12-17 09:02 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2012-01-04 08:23 . 2012-01-04 08:23 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2010-09-23 10:47 . 2010-09-23 10:47 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\reader_sl.exe
    + 2010-09-23 09:03 . 2010-09-23 09:03 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\eula.exe
    + 2010-09-21 05:07 . 2010-09-21 05:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll
    + 2010-09-23 08:52 . 2010-09-23 08:52 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrotextextractor.exe
    + 2010-09-23 00:12 . 2010-09-23 00:12 15800 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32Info.exe
    + 2009-02-26 19:06 . 2009-02-26 19:06 16712 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6612\PXBPROXY.DLL
    + 2009-02-26 19:06 . 2009-02-26 19:06 68488 c:\windows\Installer\$PatchCache$\Managed\00002159FA0090400000000000F01FEC\12.0.6612\PXBCOM.EXE
    + 2009-02-26 19:06 . 2009-02-26 19:06 16712 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\PXBPROXY.DLL
    + 2009-02-26 19:06 . 2009-02-26 19:06 68488 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\PXBCOM.EXE
    + 2012-01-04 10:13 . 2012-01-04 10:13 54784 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\32988c989fec0b0a6ea7420b687847f0\System.Web.DynamicData.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\45904e3cf3a3043ade103996f8a89a5b\System.Web.DynamicData.Design.ni.dll
    + 2011-01-17 04:22 . 2012-01-04 10:51 8828 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1475235829-1360834442-158596274-1000_UserData.bin
    - 2012-01-04 05:36 . 2012-01-04 05:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 05:36 . 2012-01-04 05:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 12:46 . 2012-01-04 07:52 640620 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-01-04 04:28 640620 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-01-04 04:28 118872 c:\windows\system32\perfc009.dat
    + 2006-11-02 12:46 . 2012-01-04 07:52 118872 c:\windows\system32\perfc009.dat
    + 2011-04-16 08:26 . 2012-01-04 08:52 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-16 08:26 . 2012-01-04 05:35 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-01-04 08:19 . 2011-12-27 02:51 744720 c:\windows\Microsoft.NET\Framework64\v2.0.50727\webengine.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 436496 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
    + 2012-01-04 08:09 . 2012-01-04 08:09 488448 c:\windows\Installer\175833.msi
    + 2010-09-21 05:07 . 2010-09-21 05:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe
    + 2010-09-23 00:10 . 2010-09-23 00:10 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\nppdf32.dll
    + 2010-09-11 00:17 . 2010-09-11 00:17 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\JP2KLib.dll
    + 2010-09-23 02:41 . 2010-09-23 02:41 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AdobeCollabSync.exe
    + 2010-09-21 05:07 . 2010-09-21 05:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe
    + 2010-09-23 10:47 . 2010-09-23 10:47 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.exe
    + 2010-09-23 00:04 . 2010-09-23 00:04 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroPDF.dll
    + 2010-09-23 01:39 . 2010-09-23 01:39 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobroker.exe
    + 2010-09-21 05:07 . 2010-09-21 05:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe
    + 2010-09-23 00:50 . 2010-09-23 00:50 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\a3dutility.exe
    + 2012-01-04 10:13 . 2012-01-04 10:13 187392 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\305bff6f5396544a7bfc56e84bfa1e87\System.Web.Routing.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 449536 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity\0e0a0efe9ab9642700a8f57a4edbe976\System.Web.Entity.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 398848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity.D#\d5d13f24e51a4fa41be09b8d2241f600\System.Web.Entity.Design.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 754176 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\86f7d8a68c51823d89921f55ff7e2603\System.Web.DynamicData.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 204800 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Abstract#\40994da02056e19475c5958f64195807\System.Web.Abstractions.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 438784 c:\windows\assembly\NativeImages_v2.0.50727_64\ServiceModelReg\6ba06b090714e51e8a92499ade057045\ServiceModelReg.ni.exe
    + 2012-01-04 10:31 . 2012-01-04 10:31 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\1d3da9468a4b3eaf6e2ea9def503d888\System.Web.Routing.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\dba78af9f778d38117fe4ccf5f4c76f7\System.Web.Extensions.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\fcd6fda81cab3ace8b9d77887a01e892\System.Web.Entity.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\337de84cce8fc2bcbbf7900132abbc2f\System.Web.Entity.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\d8313ac5d702f0ffc0e77ea9d945cfd2\System.Web.DynamicData.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\0de7bfc89e883f66f872c1158e06d5cb\System.Web.Abstractions.ni.dll
    + 2012-01-04 10:29 . 2012-01-04 10:29 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\311bc26c3ed83409589eb6bae0eeb86e\System.Runtime.Remoting.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\c60afe58108cefe6b558996f0d9a1c11\System.Data.Entity.Design.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\050c7465e7222cdab000294af3131403\ServiceModelReg.ni.exe
    + 2012-01-04 08:19 . 2011-12-27 02:51 5259264 c:\windows\Microsoft.NET\Framework64\v2.0.50727\System.Web.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 5251072 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
    + 2011-09-07 23:36 . 2011-09-07 23:36 6069248 c:\windows\Installer\1ffe6.msp
    + 2011-12-13 07:10 . 2011-12-13 07:10 4703232 c:\windows\Installer\1ffe5.msp
    + 2011-12-25 11:48 . 2011-12-25 11:48 1505792 c:\windows\Installer\17583b.msp
    + 2010-09-23 00:05 . 2010-09-23 00:05 2405784 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\rt3d.dll
    + 2010-09-16 09:08 . 2010-09-16 09:08 6210560 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\authplay.dll
    + 2010-06-19 23:51 . 2010-06-19 23:51 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AGM.dll
    + 2011-07-07 08:58 . 2011-07-07 08:58 1616240 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\OGL.DLL
    + 2011-08-03 06:14 . 2011-08-03 06:14 8579448 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\OARTCONV.DLL
    + 2012-01-04 10:13 . 2012-01-04 10:13 1754112 c:\windows\assembly\NativeImages_v2.0.50727_64\System.WorkflowServ#\4223600dc6133441b1898abaf12031ca\System.WorkflowServices.ni.dll
    + 2012-01-04 08:27 . 2012-01-04 08:27 2702848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Run#\afbeeaf9c41f39886704cbf181b1feb2\System.Workflow.Runtime.ni.dll
    + 2012-01-04 08:27 . 2012-01-04 08:27 5956608 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Com#\ac5a3688b743358aa5b24b9efd971d9d\System.Workflow.ComponentModel.ni.dll
    + 2012-01-04 08:26 . 2012-01-04 08:26 3893248 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Act#\007c8c2f4141fd472da7d3558efba598\System.Workflow.Activities.ni.dll
    + 2012-01-04 10:11 . 2012-01-04 10:11 2291712 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Services\f3222dbcdeebd53ee1c3f88c9ebf6c94\System.Web.Services.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 3335680 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Mobile\525e8846136415d472c2e7ba482ccd54\System.Web.Mobile.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 1154560 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\cedfd9b90274b017d11ed50abe8634e8\System.Web.Extensions.Design.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 3046912 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\c0d2bc2e2357ed023b85d18b96e21d60\System.Web.Extensions.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 2239488 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel#\cb5200c2d67ebf37333bdd57a06e7a11\System.ServiceModel.Web.ni.dll
    + 2012-01-04 10:10 . 2012-01-04 10:10 1022464 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\a0a442c47ac0b846bb886aa405a10138\System.Runtime.Remoting.ni.dll
    + 2012-01-04 10:11 . 2012-01-04 10:11 1428992 c:\windows\assembly\NativeImages_v2.0.50727_64\System.IdentityModel\74f5ddf803f50c428293fe6115d6eea7\System.IdentityModel.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 1845248 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Services\3a35cfdccde13bc82cad2d185cbf499b\System.Data.Services.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 1078272 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity.#\31ea0ae493a84f5f9fdb53ac2ea0ef5e\System.Data.Entity.Design.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 7836672 c:\windows\assembly\NativeImages_v2.0.50727_64\MIGUIControls\6029a4ca1be3d971d470eb2c1ff627e0\MIGUIControls.ni.dll
    + 2012-01-04 10:13 . 2012-01-04 10:13 2173952 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\7fe40682a4f2f30ddb25da3a8796d282\Microsoft.VisualBasic.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 2101248 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\23408f67b7fddc32d03fa6d8deeafcd7\Microsoft.PowerShell.Commands.Utility.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 7721472 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\3894a5164ae656639bed7f6270f97182\Microsoft.MediaCenter.UI.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 1316864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\32a67054a82cf24c011e116e94d11864\System.WorkflowServices.ni.dll
    + 2012-01-04 08:25 . 2012-01-04 08:25 1911296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\8bfc3619e3848592a4924cba58a00459\System.Workflow.Runtime.ni.dll
    + 2012-01-04 08:25 . 2012-01-04 08:25 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\3721ccdfdca60443a32ca9f8a937f315\System.Workflow.ComponentModel.ni.dll
    + 2012-01-04 08:24 . 2012-01-04 08:24 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\79e0fe6c014999d64e7cf9717624013f\System.Workflow.Activities.ni.dll
    + 2012-01-04 10:29 . 2012-01-04 10:29 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\2cf510e07b605923c496b1ae3c31335f\System.Web.Services.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\800af0d5c4bcd9b600a229050b22d6bd\System.Web.Mobile.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c759aa20f1f012c1dc5dd7076d0816f7\System.Web.Extensions.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 1651200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\3c93a9b25482a56053eb509a58860dbf\System.ServiceModel.Web.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\6a1e2938633d08d9d97c6940a537b1ff\System.IdentityModel.ni.dll
    + 2012-01-04 10:31 . 2012-01-04 10:31 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\d75b561b3c22f68af985785352660022\System.Data.Services.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 6340096 c:\windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\6e0b0d4d67c760e1e2f6cfd7cd6a8492\MIGUIControls.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 1711616 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\902ba03598b46f478f3d7561ece592e6\Microsoft.VisualBasic.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 1609728 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3732b9e409000beda05e878d02da1813\Microsoft.PowerShell.Commands.Utility.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 5486080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\bb28192d6fcdca44077406c2bf1ad37c\Microsoft.MediaCenter.UI.ni.dll
    - 2011-01-20 09:04 . 2011-01-20 09:04 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
    + 2012-01-04 08:11 . 2012-01-04 08:11 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 5259264 c:\windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    + 2012-01-04 08:19 . 2011-12-27 02:51 5251072 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    + 2006-11-02 12:33 . 2012-01-04 08:10 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    - 2006-11-02 12:33 . 2012-01-02 06:28 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2006-11-02 12:35 . 2012-01-04 08:12 54867776 c:\windows\system32\mrt.exe
    + 2011-04-16 08:26 . 2012-01-04 08:52 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    - 2011-04-16 08:26 . 2012-01-04 05:35 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    + 2011-03-04 19:28 . 2011-03-04 19:28 23081472 c:\windows\Installer\bb6e7.msp
    + 2011-03-04 19:28 . 2011-03-04 19:28 23081472 c:\windows\Installer\bb6e0.msp
    + 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\windows\Installer\1ffe8.msp
    + 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\1ffe7.msp
    + 2011-03-04 19:28 . 2011-03-04 19:28 23081472 c:\windows\Installer\175875.msp
    + 2011-09-16 00:37 . 2011-09-16 00:37 38176256 c:\windows\Installer\175873.msp
    + 2011-09-16 00:37 . 2011-09-16 00:37 37148160 c:\windows\Installer\175857.msp
    + 2010-09-23 09:03 . 2010-09-23 09:03 20460984 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.dll
    + 2011-08-04 01:53 . 2011-08-04 01:53 17324928 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6612\MSO.DLL
    - 2012-01-02 21:25 . 2012-01-02 21:25 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    + 2012-01-04 10:47 . 2012-01-04 10:47 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    + 2012-01-04 10:10 . 2012-01-04 10:11 15245824 c:\windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFB8E.tmp\System.Web.dll
    + 2012-01-04 10:11 . 2012-01-04 10:12 15245824 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web\0a2ea7a9a9d9fd9ae47468adbdee2e05\System.Web.ni.dll
    + 2012-01-04 10:11 . 2012-01-04 10:11 23813632 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel\efc60b11b649ed506c64172b3373f936\System.ServiceModel.ni.dll
    + 2012-01-04 08:26 . 2012-01-04 08:26 13718528 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Design\c41b930b44ddfaef2faf314f690bb35e\System.Design.ni.dll
    + 2012-01-04 10:12 . 2012-01-04 10:12 15825920 c:\windows\assembly\NativeImages_v2.0.50727_64\ehshell\b8a06c151452395f513aaa5d730fb5a4\ehshell.ni.dll
    + 2012-01-04 10:29 . 2012-01-04 10:29 11820032 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\fecd1103dd16dc1192402770caf56575\System.Web.ni.dll
    + 2012-01-04 10:30 . 2012-01-04 10:30 17404416 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\a2046fbb45b00425d083cc8706b75479\System.ServiceModel.ni.dll
    + 2012-01-04 08:23 . 2012-01-04 08:23 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\30a87086e78b69d17416bfb74aab355f\System.Design.ni.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{C4B8BAB4-1667-11DF-A242-BA9455D89593}]
    c:\program files (x86)\simppulltoolbar\auxi\simppulltoolbAu.dll [BU]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-27 39408]
    "ChromeFrameHelper"="c:\users\Nicole\AppData\Local\Google\Chrome\Application\17.0.963.12\chrome_frame_helper.exe" [2011-12-15 97336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-02 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctMTE1MjE5NzEwOC1GTDEwKzEtVFVHKzMtU1VQKzQtRERUKzMzMjEtU1AxUzQrMS1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQU4rMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GMTBNMTJCKzEtRjEwVEIrMi1TVDEwVEJGKzE&prod=55&ver=10.0.1416" [?]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-23 113664]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000Core.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000UA.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\3x9vtm12.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30305&client_id=1868eed49cc815d83f5c97b8&camp_id=3534&install_time=2012-01-02T06:15Z&pr=auto&tb_version=1.0.14000(G)&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368} - (no file)
    BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{9565115D-C7D6-46D3-BD63-B67B481A4368} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1475235829-1360834442-158596274-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}*]
    "haikbfdjheonepap"=hex:6b,61,6e,70,62,63,6a,6b,61,6d,63,6b,6a,67,6a,69,68,6c,
    6d,63,61,6e,00,00
    "iacklbokghlgbnjplp"=hex:6a,61,6f,70,63,63,61,65,66,69,68,6e,6c,61,6c,6d,6a,61,
    68,64,00,00
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-04 05:29:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-04 11:29
    .
    Pre-Run: 408,256,532,480 bytes free
    Post-Run: 410,406,588,416 bytes free
    .
    - - End Of File - - 41A99943E5636D3F5895242BE29055C5
  12. Broni Malware Annihilator Posts: 39,199   +175

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegNull::
    [HKEY_USERS\S-1-5-21-1475235829-1360834442-158596274-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}*]
    
    Folder::
    c:\program files (x86)\Common Files\AVG Secure Search
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
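The CFScript above singles out two things from the log: a RunOnce value whose command launches a URL and carries a `[?]` stamp instead of ComboFix's usual `[date size]`, and a locked `Shell Extensions\Approved` key holding oddly named values with raw hex data. As an added example (not ComboFix's code and not from anyone in this thread), the Python script below parses the registry-value blocks of a ComboFix-style log and flags such entries. The sample log is constructed from the thread's own lines, with the AVG license string replaced by a placeholder and a made-up legitimate Approved entry added; the heuristics (autostart command with no `[date size]` stamp, URL in an autostart command, non-CLSID value name under Approved, hex data that decodes to lowercase text) are my own assumptions about what merits a second look, not ComboFix's rules.

```python
"""Flag autostart and locked-key entries in a ComboFix-style log.

Added example: the heuristics are the author's own assumptions about what
deserves a second look, not ComboFix's rules.
"""
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the thread's log: the AVG license string is
# replaced by a placeholder and a legitimate-looking Approved entry is added
# so the CLSID check has something to pass.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=LICENSE-PLACEHOLDER&prod=55&ver=10.0.1416" [?]
.
[HKEY_USERS\S-1-5-21-1475235829-1360834442-158596274-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}*]
"{00021400-0000-0000-C000-000000000046}"="Desktop"
"haikbfdjheonepap"=hex:6b,61,6e,70,62,63,6a,6b,61,6d,63,6b,6a,67,6a,69,68,6c,
6d,63,61,6e,00,00
.
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
STAMP_RE = re.compile(r'\[\d{4}-\d{2}-\d{2} \d+\]$')      # ComboFix's [date size] stamp
HEX_CONT_RE = re.compile(r'^[0-9A-Fa-f]{2}(,|$)')          # wrapped REGEDIT hex line
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')


@dataclass
class Entry:
    key: str
    name: str
    data: str
    flags: list = field(default_factory=list)


def parse_entries(text):
    """Collect every "name"=data line under its enclosing [key] header."""
    entries, key = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        # REGEDIT wraps long hex data: a line ending in ',' or '\' continues
        # onto the next line, which holds more comma-separated bytes.
        while (data.rstrip().endswith((',', '\\')) and i < len(lines)
               and HEX_CONT_RE.match(lines[i].strip())):
            data = data.rstrip().rstrip('\\') + lines[i].strip()
            i += 1
        entries.append(Entry(key, name, data))
    return entries


def decode_hex(data):
    """Turn 'hex:6b,61,...' (or 'hex(6):...') into bytes; None if not hex data."""
    m = re.match(r'^hex(?:\(\d+\))?:(.*)$', data)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).replace('\\', '').split(',') if p.strip()]
    return bytes(int(p, 16) for p in parts)


def assess(entry):
    """Apply the review heuristics to one entry and record the reasons."""
    flags = []
    low_key = entry.key.lower()
    is_autorun = '\\currentversion\\run' in low_key   # covers Run and RunOnce
    if is_autorun and not STAMP_RE.search(entry.data):
        flags.append('autostart command without a [date size] file stamp')
    if is_autorun and re.search(r'https?://', entry.data, re.I):
        flags.append('autostart command launches a URL')
    if 'shell extensions\\approved' in low_key and not GUID_RE.match(entry.name):
        flags.append('non-CLSID value name under Shell Extensions\\Approved')
    raw = decode_hex(entry.data)
    if raw is not None:
        text = raw.rstrip(b'\x00')
        if text and all(97 <= b <= 122 for b in text):   # a-z only
            flags.append(f'hex data decodes to lowercase text {text.decode()!r}')
    entry.flags = flags
    return flags


def scan(text):
    """Return {value_name: [reasons]} for every entry that raised a flag."""
    findings = {}
    for entry in parse_entries(text):
        if assess(entry):
            findings[entry.name] = entry.flags
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, `scan` reports only `AvgUninstallURL` and `haikbfdjheonepap`; the two Run-key programs and the CLSID-named Approved value pass. Decoding the hex shows the stored data is itself a string of random lowercase letters, which is the kind of detail that makes a value stand out in a key that normally maps CLSIDs to descriptions. The script only proposes candidates; choosing to null a key or delete a value, as the helper's CFScript does with `RegNull::` and `"AvgUninstallURL"=-`, remains a judgement made on the full log.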
  13. rcmeyer99 Newcomer, in training Posts: 68

Latest ComboFix

Did as you said, but would it matter if ComboFix updated?



    ComboFix 12-01-04.02 - Nicole 01/04/2012 11:56:01.6.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6077.4127 [GMT -6:00]
    Running from: c:\users\Nicole\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nicole\Desktop\CFScript.lnk
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-04 18:34 . 2012-01-04 18:34 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\offreg.dll
    2012-01-04 18:31 . 2012-01-04 18:40 -------- d-----w- c:\users\Nicole\AppData\Local\temp
    2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-01-04 18:31 . 2012-01-04 18:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-04 09:05 . 2012-01-04 09:05 -------- d-----w- C:\f57976069260d26b1cae261f45ca
    2012-01-04 08:23 . 2012-01-04 08:23 -------- d-----w- C:\6c3d4801ac2b96a6b866387472
    2012-01-04 06:12 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-01-04 06:12 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-01-04 06:12 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-01-04 06:12 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-01-04 06:12 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-04 06:12 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-01-04 06:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-04 06:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-01-03 20:23 . 2012-01-03 20:23 -------- d-----w- c:\windows\system32\Macromed
    2012-01-03 18:10 . 2012-01-03 18:10 -------- d-----w- C:\eb99211563fb9e909585b8ec
    2012-01-03 07:39 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\mpengine.dll
    2012-01-02 22:32 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2012-01-02 22:30 . 2012-01-04 06:11 -------- d-----w- c:\programdata\AVAST Software
    2012-01-02 22:30 . 2012-01-02 22:30 -------- d-----w- c:\program files\AVAST Software
    2012-01-02 20:27 . 2012-01-02 20:27 -------- d-----w- C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-02 05:45 . 2012-01-02 23:55 -------- d-----w- c:\programdata\Lavasoft
    2012-01-02 05:45 . 2012-01-02 05:45 -------- d-----w- c:\users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-02 05:44 . 2012-01-02 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 05:44 . 2012-01-02 05:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-02 04:47 . 2012-01-02 04:47 -------- d-----w- C:\a8bdd53a4f3715258e
    2012-01-02 03:29 . 2012-01-02 03:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-01-02 03:29 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 21:48 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 21:48 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 21:48 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-15 21:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 21:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 21:48 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
    2011-12-14 04:13 . 2011-12-14 04:14 -------- d-----w- c:\users\Nicole\AppData\Roaming\Apple Computer
    2011-12-14 04:13 . 2011-12-14 04:13 -------- d-----w- c:\users\Nicole\AppData\Local\Apple Computer
    2011-12-14 04:12 . 2009-05-18 19:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-14 04:12 . 2008-04-17 18:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2011-12-14 04:12 . 2008-04-17 18:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2011-12-14 04:12 . 2012-01-02 23:55 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\program files\iPod
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files\iTunes
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files (x86)\iTunes
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\programdata\Apple Computer
    2011-12-14 04:10 . 2011-12-14 04:10 -------- d-----w- c:\users\Nicole\AppData\Local\Apple
    2011-12-14 04:09 . 2011-12-14 04:09 -------- d-----w- c:\program files (x86)\Apple Software Update
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Bonjour
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files (x86)\Bonjour
    2011-12-14 04:06 . 2011-12-14 04:11 -------- d-----w- c:\program files (x86)\Common Files\Apple
    2011-12-14 04:06 . 2011-12-14 04:09 -------- d-----w- c:\programdata\Apple
    2011-12-11 14:36 . 2011-12-11 14:36 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-04 08:15 . 2011-04-30 16:28 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
    2012-01-03 20:23 . 2011-07-14 15:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-15 20:29 . 2011-01-17 07:35 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-01-04_10.53.41 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-01-04 10:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-01-04 18:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-01-04 18:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 18:35 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-01-04 18:38 45970 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-01-04 18:38 71392 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-17 04:22 . 2012-01-04 18:38 8892 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1475235829-1360834442-158596274-1000_UserData.bin
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-04 18:34 . 2012-01-04 18:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-04 18:34 . 2012-01-04 18:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-04-16 08:26 . 2012-01-04 18:33 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-16 08:26 . 2012-01-04 08:52 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-04-16 08:26 . 2012-01-04 18:33 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    - 2011-04-16 08:26 . 2012-01-04 08:52 50188182 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    - 2012-01-04 10:47 . 2012-01-04 10:47 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    + 2012-01-04 18:33 . 2012-01-04 18:33 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{C4B8BAB4-1667-11DF-A242-BA9455D89593}]
    c:\program files (x86)\simppulltoolbar\auxi\simppulltoolbAu.dll [BU]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-27 39408]
    "ChromeFrameHelper"="c:\users\Nicole\AppData\Local\Google\Chrome\Application\17.0.963.12\chrome_frame_helper.exe" [2011-12-15 97336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-02 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-lsf?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT&inst=NzctMTE1MjE5NzEwOC1GTDEwKzEtVFVHKzMtU1VQKzQtRERUKzMzMjEtU1AxUzQrMS1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQU4rMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GMTBNMTJCKzEtRjEwVEIrMi1TVDEwVEJGKzE&prod=55&ver=10.0.1416" [?]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-23 113664]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000Core.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000UA.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\3x9vtm12.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30305&client_id=1868eed49cc815d83f5c97b8&camp_id=3534&install_time=2012-01-02T06:15Z&pr=auto&tb_version=1.0.14000(G)&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1475235829-1360834442-158596274-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{39B5EDF8-6943-63A2-E761-309780A92C92}*]
    "haikbfdjheonepap"=hex:6b,61,6e,70,62,63,6a,6b,61,6d,63,6b,6a,67,6a,69,68,6c,
    6d,63,61,6e,00,00
    "iacklbokghlgbnjplp"=hex:6a,61,6f,70,63,63,61,65,66,69,68,6e,6c,61,6c,6d,6a,61,
    68,64,00,00
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-04 13:12:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-04 19:12
    ComboFix2.txt 2012-01-04 11:29
    .
    Pre-Run: 410,243,457,024 bytes free
    Post-Run: 410,218,098,688 bytes free
    .
    - - End Of File - - 9D73229ACBE45AB391A31B44F4A4472F
  14. Broni Malware Annihilator Posts: 39,199   +175

    Yes.

    You didn't run my script.
    Please redo.
  15. rcmeyer99 Newcomer, in training Posts: 68

    Here is what you asked for.

    ComboFix 12-01-04.02 - Nicole 01/04/2012 15:12:18.7.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6077.4211 [GMT -6:00]
    Running from: c:\users\Nicole\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nicole\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Common Files\AVG Secure Search
    c:\program files (x86)\Common Files\AVG Secure Search\CommonInstaller\9.0.1\CommonInstaller.exe
    c:\program files (x86)\Common Files\AVG Secure Search\InstalledProducts.ini
    c:\program files (x86)\Common Files\AVG Secure Search\ScriptHelperInstaller\9.0.1\ScriptHelper.exe
    c:\program files (x86)\Common Files\AVG Secure Search\ToolBandTlb\9.0.1\toolband
    c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
    c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
    c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\UpdaterConfig.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-04 21:51 . 2012-01-04 21:51 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\offreg.dll
    2012-01-04 21:49 . 2012-01-04 21:53 -------- d-----w- c:\users\Nicole\AppData\Local\temp
    2012-01-04 21:49 . 2012-01-04 21:49 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-01-04 21:49 . 2012-01-04 21:49 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-04 09:05 . 2012-01-04 09:05 -------- d-----w- C:\f57976069260d26b1cae261f45ca
    2012-01-04 08:23 . 2012-01-04 08:23 -------- d-----w- C:\6c3d4801ac2b96a6b866387472
    2012-01-04 06:12 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-01-04 06:12 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-01-04 06:12 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-01-04 06:12 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-01-04 06:12 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-01-04 06:12 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-01-04 06:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-01-04 06:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-01-03 20:23 . 2012-01-03 20:23 -------- d-----w- c:\windows\system32\Macromed
    2012-01-03 18:10 . 2012-01-03 18:10 -------- d-----w- C:\eb99211563fb9e909585b8ec
    2012-01-03 07:39 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C8188447-2391-4DCE-9261-016B9351D326}\mpengine.dll
    2012-01-02 22:32 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2012-01-02 22:30 . 2012-01-04 06:11 -------- d-----w- c:\programdata\AVAST Software
    2012-01-02 22:30 . 2012-01-02 22:30 -------- d-----w- c:\program files\AVAST Software
    2012-01-02 20:27 . 2012-01-02 20:27 -------- d-----w- C:\bd07de0ba843d8a2ccea7ad2771d
    2012-01-02 05:45 . 2012-01-02 23:55 -------- d-----w- c:\programdata\Lavasoft
    2012-01-02 05:45 . 2012-01-02 05:45 -------- d-----w- c:\users\Nicole\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-02 05:44 . 2012-01-02 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 05:44 . 2012-01-02 05:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-02 04:47 . 2012-01-02 04:47 -------- d-----w- C:\a8bdd53a4f3715258e
    2012-01-02 03:29 . 2012-01-02 03:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-01-02 03:29 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\users\Nicole\AppData\Roaming\Malwarebytes
    2012-01-02 03:24 . 2012-01-02 03:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 21:48 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-15 21:48 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 21:48 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-15 21:48 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 21:48 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 21:48 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-15 21:48 . 2011-11-08 12:10 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
    2011-12-14 04:13 . 2011-12-14 04:14 -------- d-----w- c:\users\Nicole\AppData\Roaming\Apple Computer
    2011-12-14 04:13 . 2011-12-14 04:13 -------- d-----w- c:\users\Nicole\AppData\Local\Apple Computer
    2011-12-14 04:12 . 2009-05-18 19:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-12-14 04:12 . 2008-04-17 18:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
    2011-12-14 04:12 . 2008-04-17 18:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
    2011-12-14 04:12 . 2012-01-02 23:55 -------- dc----w- c:\windows\system32\DRVSTORE
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\program files\iPod
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files\iTunes
    2011-12-14 04:11 . 2011-12-14 04:12 -------- d-----w- c:\program files (x86)\iTunes
    2011-12-14 04:11 . 2011-12-14 04:11 -------- d-----w- c:\programdata\Apple Computer
    2011-12-14 04:10 . 2011-12-14 04:10 -------- d-----w- c:\users\Nicole\AppData\Local\Apple
    2011-12-14 04:09 . 2011-12-14 04:09 -------- d-----w- c:\program files (x86)\Apple Software Update
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Common Files\Apple
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files\Bonjour
    2011-12-14 04:07 . 2011-12-14 04:07 -------- d-----w- c:\program files (x86)\Bonjour
    2011-12-14 04:06 . 2011-12-14 04:11 -------- d-----w- c:\program files (x86)\Common Files\Apple
    2011-12-14 04:06 . 2011-12-14 04:09 -------- d-----w- c:\programdata\Apple
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-04 08:15 . 2011-04-30 16:28 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
    2012-01-03 20:23 . 2011-07-14 15:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-15 20:29 . 2011-01-17 07:35 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-01-04_10.53.41 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-01-04 10:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-01-04 21:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 21:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-01-04 10:50 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2012-01-04 21:54 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-01-04 21:53 46050 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-01-04 21:53 71480 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-01-17 04:22 . 2012-01-04 21:53 8916 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1475235829-1360834442-158596274-1000_UserData.bin
    + 2012-01-04 21:51 . 2012-01-04 21:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-01-04 08:53 . 2012-01-04 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-04 21:51 . 2012-01-04 21:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-04-16 08:26 . 2012-01-04 21:50 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2011-04-16 08:26 . 2012-01-04 08:52 318768 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-04-16 08:26 . 2012-01-04 21:50 50211476 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1475235829-1360834442-158596274-1000-8192.dat
    + 2012-01-04 20:37 . 2012-01-04 20:37 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    - 2012-01-04 10:47 . 2012-01-04 10:47 19348992 c:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e0e5fbe72e8813a135fc878ff32b4bee\mscorlib.ni.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll" [2011-03-16 214840]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{C4B8BAB4-1667-11DF-A242-BA9455D89593}]
    c:\program files (x86)\simppulltoolbar\auxi\simppulltoolbAu.dll [BU]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~2\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-08-22 6276408]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-27 39408]
    "ChromeFrameHelper"="c:\users\Nicole\AppData\Local\Google\Chrome\Application\17.0.963.12\chrome_frame_helper.exe" [2011-12-15 97336]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-02 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2010-12-09 74752]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-3-23 113664]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-27 20:39]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000Core.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1475235829-1360834442-158596274-1000UA.job
    - c:\users\Nicole\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-16 03:49]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 65143a21-13aa-46f3-b1d5-8cc007e9fa70.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    2012-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 97af640e-5bc6-4fab-933b-0b45caf62a54.job
    - c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 24.217.0.5 24.217.201.67 24.247.15.53
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\3x9vtm12.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ALOT Search
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30305&client_id=1868eed49cc815d83f5c97b8&camp_id=3534&install_time=2012-01-02T06:15Z&pr=auto&tb_version=1.0.14000(G)&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: extensions.autoDisableScopes - 14
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-04 16:27:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-04 22:27
    ComboFix2.txt 2012-01-04 19:12
    ComboFix3.txt 2012-01-04 11:29
    .
    Pre-Run: 410,313,568,256 bytes free
    Post-Run: 410,559,840,256 bytes free
    .
    - - End Of File - - 751B9E030DDAEE2087756377CD7A34D6
  16. rcmeyer99 Newcomer, in training Posts: 68

    Finally have hidden files back

    I finally have my hidden files back, but I am still getting the redirect if I try to use any search engines.
  17. Broni Malware Annihilator Posts: 39,199   +175

    Which browser is getting redirected?
  18. rcmeyer99 Newcomer, in training Posts: 68

    Redirects

I tried Google Chrome, Internet Explorer and Firefox. All three were redirected when I typed in techspot then clicked on your site.
  19. Broni Malware Annihilator Posts: 39,199   +175

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
• Open Notepad and press CTRL+V
    • Post the output back here.
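The steps above can be scripted so the tool's console output lands in a text file instead of being selected and copied from the console window. The following is an added example written for this page, not code from the thread or from the Bootkit Remover tool; it assumes boot_cleaner.exe was unzipped to the current user's Desktop and picks the output file name boot_cleaner_output.txt (both are assumptions, not anything the tool dictates). The one wrinkle worth knowing: Start-Process cannot combine -Verb RunAs (the UAC elevation) with stdout redirection, so the script launches an elevated PowerShell and lets that inner session run the tool and redirect its output.

```powershell
# Added example (not from the thread): run Bootkit Remover elevated and save
# its console output to a text file for posting. Assumes boot_cleaner.exe
# was unzipped to the Desktop; the output file name is our own choice.
$desktop = [Environment]::GetFolderPath('Desktop')
$tool    = Join-Path $desktop 'boot_cleaner.exe'          # assumed location
$outFile = Join-Path $desktop 'boot_cleaner_output.txt'   # assumed output name

if (-not (Test-Path -LiteralPath $tool)) {
    throw "boot_cleaner.exe not found at $tool - unzip the download to the Desktop first."
}

# -Verb RunAs cannot be combined with -RedirectStandardOutput, so start an
# elevated PowerShell and have that inner session run the tool, merge stderr
# into stdout, and write everything to the file. UAC prompts once, for the
# inner session; the tool then inherits the elevated token.
$inner = "& '$tool' 2>&1 | Out-File -FilePath '$outFile' -Encoding utf8; exit `$LASTEXITCODE"
$p = Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait -PassThru `
        -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', $inner)

if (-not (Test-Path -LiteralPath $outFile)) {
    throw "No output file was written (the elevation prompt may have been declined)."
}

"boot_cleaner.exe exited with code $($p.ExitCode); output saved to $outFile"
Get-Content -LiteralPath $outFile    # this is the text to paste into the reply
```

Run it from a normal (non-elevated) PowerShell window; the UAC prompt appears once. The exit code shown is the tool's own, passed back through the inner session, so a non-zero value is worth mentioning alongside the pasted output.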
  20. rcmeyer99 Newcomer, in training Posts: 68

    This is the output

    [Combofix log removed by Broni]