TechSpot

Vista 64-bit Sirefef via Adobe update

Inactive
By lj2387
Aug 21, 2012
  1. I am experiencing the same issues as many others on this forum seem to have been experiencing lately. For a couple of weeks, I have been hearing strange music on my computer and audio ads. Malwarebytes and other malware scanners cannot detect an infection, and I have had to uninstall Microsoft Security Essentials as it was forcing my computer to restart. Thank you ahead of time for the assistance and willingness to help.
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure to download the 64-bit version.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there (if necessary)
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive and also the Search.txt logfile; please copy and paste both logs in your reply.
  3. lj2387

    lj2387 TS Rookie Topic Starter

    Thank you for the quick response. Here is the log:

    Scan result of Farbar Recovery Scan Tool Version: 19-08-2012
    Ran by SYSTEM at 21-08-2012 13:56:40
    Running from F:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5}] C:\Windows\test.bat [x]
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10134560 2010-03-12] (Realtek Semiconductor)
    HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [896032 2010-03-12] (Realtek Semiconductor)
    HKLM\...\Run: [EloConfigDlg] C:\Program Files\Elo TouchSystems\EloConfig64.exe /_StarterRegRun [4771408 2010-05-10] (Tyco Electronics)
    HKLM\...\Run: [] [x]
    HKLM\...\Run: [Verigesture] C:\Program Files (x86)\Lenovo\Lenovo VeriTouch\Verigesture Dashboard.exe [1199520 2010-04-30] (Lenovo)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-03-02] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe [225280 2009-08-25] (JME)
    HKLM-x32\...\Run: [YouCam Mirror Tray icon] "C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe" /s [171104 2010-03-16] (CyberLink Corp.)
    HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [103720 2009-06-03] (CyberLink)
    HKLM-x32\...\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" [222504 2009-05-19] (CyberLink Corp.)
    HKLM-x32\...\Run: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1 [1298944 2010-05-20] (Lenovo)
    HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1 [1303552 2010-05-20] (Lenovo)
    HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
    HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [35736 2011-01-30] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-11-10] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
    HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default\...\RunOnce: [themeset] C:\Users\Default\AppData\Local\lenovo\SetWindow.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default\...\RunOnce: [WLStart] "C:\Program Files (x86)\Windows Live\Installer\wlstart.exe" /nosearch /nohomepage [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [themeset] C:\Users\Default\AppData\Local\lenovo\SetWindow.exe [1475072 2009-07-13] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [WLStart] "C:\Program Files (x86)\Windows Live\Installer\wlstart.exe" /nosearch /nohomepage [1475072 2009-07-13] (Microsoft Corporation)
    HKU\LJ\...\Run: [Google Update] "C:\Users\LJ\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-12-22] (Google Inc.)
    HKU\LJ\...\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe" [495616 2007-09-02] ()
    HKU\LJ\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
    HKU\LJ\...\Run: [MusicManager] "C:\Users\LJ\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [13806592 2012-06-01] (Google Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Lsa: [Notification Packages] scecli
    OctopusCredentialPlugin
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
    Startup: C:\Users\LJ\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    Startup: C:\Users\LJ\Start Menu\Programs\Startup\EvernoteClipper.lnk
    ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)

    ==================== Services (Whitelisted) ======

    2 bckwfs; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [2015504 2011-05-16] (Blue Coat Systems, Inc.)
    2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [899360 2010-04-14] (Broadcom Corporation.)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    2 OddLedSrv; C:\Program Files (x86)\Lenovo\OddSrv\OddLedSrv.exe [221184 2010-03-19] (Wistron Corporation)
    2 OddSrv; C:\Program Files (x86)\Lenovo\OddSrv\OddSrv.exe [221184 2009-12-28] (Wistron Corporation)
    2 SSUService; C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [370504 2012-03-14] (Splashtop Inc.)
    2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [2320920 2010-02-04] (Intel Corporation)

    ========================== Drivers (Whitelisted) =============

    3 applewtp; C:\Windows\System32\Drivers\applewtp.sys [53760 2010-10-14] (Apple Inc.)
    3 ATIAVPCI; C:\Windows\System32\DRIVERS\Yatinavrr.SYS [1447424 2010-04-06] (ATI Technologies Inc.)
    1 bckd; C:\Windows\System32\Drivers\bckd.sys [107280 2011-05-16] (Blue Coat Systems, Inc.)
    3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [293552 2009-11-05] (Intel Corporation)
    3 EloMTUsb; C:\Windows\System32\Drivers\EloMTUsb.sys [56400 2010-02-08] ()
    3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
    3 NAL; \??\C:\windows\system32\Drivers\iqvw64e.sys [34472 2009-10-14] (Intel Corporation )
    3 PQAWRwa; \??\C:\Program Files (x86)\Lenovo\OddSrv\PQAWDrv.sys [12384 2008-02-29] ()
    3 RTL8023x64; C:\Windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-10] (Realtek Semiconductor Corporation )
    3 VIACRX64; C:\Windows\System32\DRIVERS\viacr64.sys [75776 2010-05-03] (VIA Technologies, Inc. )
    3 VMC412; C:\Windows\System32\Drivers\VMC412.sys [237824 2010-01-26] (Vimicro Corporation)
    0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
    3 dump_wmimmc; \??\C:\ijji\ENGLISH\AVA\Binaries\GameGuard\dump_wmimmc.sys [x]
    3 NPPTNT2; \??\C:\windows\system32\npptNT2.sys [x]
    3 VBoxNetFlt; C:\Windows\System32\DRIVERS\VBoxNetFlt.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-21 11:02 - 2012-08-21 13:52 - 00000000 ____D C:\FRST
    2012-08-21 11:01 - 2012-08-21 11:01 - 01443955 ____A (Farbar) C:\Users\LJ\Downloads\FRST64.exe
    2012-08-21 08:06 - 2012-08-21 08:07 - 00000000 ____D C:\Users\All Users\AVAST Software
    2012-08-21 08:06 - 2012-08-21 08:07 - 00000000 ____D C:\Program Files\AVAST Software
    2012-08-21 07:55 - 2012-08-21 07:57 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-21 07:55 - 2012-08-21 07:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-08-21 07:55 - 2012-07-03 11:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-21 07:52 - 2012-08-21 07:58 - 89340632 ____A C:\Users\LJ\Downloads\avast_free_antivirus_setup.exe
    2012-08-21 07:45 - 2012-08-21 07:45 - 00000368 ____A C:\Windows\System32\Drivers\kgpcpy.cfg
    2012-08-21 07:34 - 2012-08-21 07:35 - 02005560 ____A C:\Windows\System32\Drivers\Cat.DB
    2012-08-21 07:33 - 2012-08-21 07:33 - 04165584 ____A (PC Tools) C:\Users\LJ\Downloads\SD_Online_aff_GenericRevenueWire_207(1).exe
    2012-08-21 07:33 - 2012-08-21 07:33 - 00000000 ____D C:\Users\LJ\AppData\Roaming\TestApp
    2012-08-21 07:33 - 2012-08-21 07:33 - 00000000 ____D C:\Users\All Users\PC Tools
    2012-08-21 07:33 - 2012-06-22 13:35 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys
    2012-08-21 07:32 - 2012-08-21 07:32 - 04165584 ____A (PC Tools) C:\Users\LJ\Downloads\SD_Online_aff_GenericRevenueWire_207.exe
    2012-08-21 07:32 - 2012-08-21 07:32 - 00509440 ____A (iS3, Inc.) C:\Users\LJ\Downloads\STOPzilla_Setup.exe
    2012-08-21 07:11 - 2012-08-21 07:13 - 16409960 ____A (Safer Networking Limited ) C:\Users\LJ\Downloads\spybotsd162.exe
    2012-08-21 07:02 - 2012-08-21 07:02 - 00000000 ____A C:\Users\LJ\Desktop\sfcdetails.txt
    2012-08-21 06:39 - 2012-08-21 06:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.41D18933C7FCAFB2
    2012-08-21 06:35 - 2012-08-21 06:35 - 00317200 ____A (AVAST Software) C:\Users\LJ\Downloads\aswclear6.exe
    2012-08-21 06:28 - 2012-08-21 06:28 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(5).exe
    2012-08-20 16:17 - 2012-08-20 16:18 - 00000000 ____D C:\Users\LJ\AppData\Roaming\QuickScan
    2012-08-20 08:25 - 2012-08-20 08:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.576C4EF8A9D12C8B
    2012-08-20 08:25 - 2012-08-20 08:25 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gudpktob.sys
    2012-08-20 08:19 - 2012-08-20 08:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.83ABB9E37995F377
    2012-08-20 08:13 - 2012-08-20 08:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9E5D2957C1F444D9
    2012-08-20 07:47 - 2012-08-20 07:48 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(4).exe
    2012-08-19 17:30 - 2012-08-19 17:30 - 00000000 ____D C:\Users\LJ\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    2012-08-19 17:30 - 2012-08-19 17:30 - 00000000 ____D C:\Users\LJ\AppData\Roaming\Adobe Mini Bridge CS5
    2012-08-19 13:22 - 2012-08-21 11:37 - 00000000 ___RD C:\Users\LJ\Dropbox
    2012-08-19 13:16 - 2012-08-21 11:37 - 00000000 ____D C:\Users\LJ\AppData\Roaming\Dropbox
    2012-08-19 13:10 - 2012-08-19 13:11 - 17798272 ____A (Dropbox, Inc.) C:\Users\LJ\Downloads\Dropbox 1.4.12.exe
    2012-08-13 07:54 - 2012-08-13 07:54 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(3).exe
    2012-07-29 18:09 - 2012-07-29 18:09 - 00000132 ____A C:\Users\LJ\AppData\Roaming\Adobe AIFF Format CS5 Prefs
    2012-07-26 08:52 - 2012-07-26 08:52 - 00000816 ____A C:\Users\LJ\Downloads\sa_cool_actions_1_05__by_sa_cool-d127byl.rar
    2012-07-24 06:33 - 2012-07-24 06:33 - 00169544 ____A C:\Users\LJ\Downloads\Photo_Coloring_11_by_iconmaker91.rar
    2012-07-23 08:57 - 2012-07-23 08:57 - 00000000 ____D C:\Windows\New folder

    ============ 3 Months Modified Files ========================

    2012-08-21 11:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-21 11:45 - 2009-07-13 20:51 - 00099470 ____A C:\Windows\setupact.log
    2012-08-21 11:43 - 2009-07-13 20:45 - 00017952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-21 11:43 - 2009-07-13 20:45 - 00017952 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-21 11:40 - 2012-04-16 04:53 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-21 11:40 - 2009-07-13 21:13 - 00713714 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-21 11:35 - 2012-04-30 04:18 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-21 11:27 - 2010-12-22 14:44 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212497501-856445064-3574903371-1001UA.job
    2012-08-21 11:14 - 2010-07-23 11:24 - 00562420 ____A C:\Windows\PFRO.log
    2012-08-21 11:01 - 2012-08-21 11:01 - 01443955 ____A (Farbar) C:\Users\LJ\Downloads\FRST64.exe
    2012-08-21 10:28 - 2012-04-30 04:18 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-21 07:58 - 2012-08-21 07:52 - 89340632 ____A C:\Users\LJ\Downloads\avast_free_antivirus_setup.exe
    2012-08-21 07:57 - 2012-08-21 07:55 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-21 07:45 - 2012-08-21 07:45 - 00000368 ____A C:\Windows\System32\Drivers\kgpcpy.cfg
    2012-08-21 07:35 - 2012-08-21 07:34 - 02005560 ____A C:\Windows\System32\Drivers\Cat.DB
    2012-08-21 07:33 - 2012-08-21 07:33 - 04165584 ____A (PC Tools) C:\Users\LJ\Downloads\SD_Online_aff_GenericRevenueWire_207(1).exe
    2012-08-21 07:32 - 2012-08-21 07:32 - 04165584 ____A (PC Tools) C:\Users\LJ\Downloads\SD_Online_aff_GenericRevenueWire_207.exe
    2012-08-21 07:32 - 2012-08-21 07:32 - 00509440 ____A (iS3, Inc.) C:\Users\LJ\Downloads\STOPzilla_Setup.exe
    2012-08-21 07:13 - 2012-08-21 07:11 - 16409960 ____A (Safer Networking Limited ) C:\Users\LJ\Downloads\spybotsd162.exe
    2012-08-21 07:02 - 2012-08-21 07:02 - 00000000 ____A C:\Users\LJ\Desktop\sfcdetails.txt
    2012-08-21 06:46 - 2010-12-22 14:59 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-21 06:39 - 2012-08-21 06:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.41D18933C7FCAFB2
    2012-08-21 06:37 - 2010-07-23 10:50 - 01277498 ____A C:\Windows\WindowsUpdate.log
    2012-08-21 06:35 - 2012-08-21 06:35 - 00317200 ____A (AVAST Software) C:\Users\LJ\Downloads\aswclear6.exe
    2012-08-21 06:31 - 2010-12-22 14:58 - 00730464 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-21 06:28 - 2012-08-21 06:28 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(5).exe
    2012-08-20 08:25 - 2012-08-20 08:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.576C4EF8A9D12C8B
    2012-08-20 08:25 - 2012-08-20 08:25 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gudpktob.sys
    2012-08-20 08:19 - 2012-08-20 08:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.83ABB9E37995F377
    2012-08-20 08:13 - 2012-08-20 08:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.9E5D2957C1F444D9
    2012-08-20 07:48 - 2012-08-20 07:47 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(4).exe
    2012-08-19 13:11 - 2012-08-19 13:10 - 17798272 ____A (Dropbox, Inc.) C:\Users\LJ\Downloads\Dropbox 1.4.12.exe
    2012-08-19 04:27 - 2010-12-22 14:44 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212497501-856445064-3574903371-1001Core.job
    2012-08-15 09:40 - 2012-04-16 04:53 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-15 09:40 - 2011-05-19 05:16 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-13 07:54 - 2012-08-13 07:54 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(3).exe
    2012-07-29 18:09 - 2012-07-29 18:09 - 00000132 ____A C:\Users\LJ\AppData\Roaming\Adobe AIFF Format CS5 Prefs
    2012-07-26 08:52 - 2012-07-26 08:52 - 00000816 ____A C:\Users\LJ\Downloads\sa_cool_actions_1_05__by_sa_cool-d127byl.rar
    2012-07-24 12:54 - 2010-12-23 02:39 - 00126840 ____A C:\Users\LJ\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-24 12:54 - 2009-07-13 20:45 - 05015024 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-24 06:33 - 2012-07-24 06:33 - 00169544 ____A C:\Users\LJ\Downloads\Photo_Coloring_11_by_iconmaker91.rar
    2012-07-20 16:01 - 2012-07-20 16:01 - 00274728 ____A C:\Windows\Minidump\072012-25396-01.dmp
    2012-07-20 16:01 - 2011-01-23 16:00 - 588790314 ____A C:\Windows\MEMORY.DMP
    2012-07-15 22:14 - 2012-07-15 22:14 - 01735578 ____A C:\Users\LJ\Downloads\3. Test Bank.zip
    2012-07-04 06:18 - 2012-07-04 06:08 - 164377208 ____A (Lenovo Group ) C:\Users\LJ\Downloads\ID3BTH25WW5(1).exe
    2012-07-03 11:46 - 2012-08-21 07:55 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-23 06:36 - 2012-06-23 04:32 - 00000434 ____A C:\rkill.log
    2012-06-23 06:31 - 2012-06-23 06:31 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7726F398D1CB739B
    2012-06-23 06:28 - 2012-06-23 06:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.0CEA79C026BAFC84
    2012-06-23 06:19 - 2012-06-23 06:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.A9E8AACEEF2A5B12
    2012-06-23 06:15 - 2012-06-23 06:15 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E546C1E0E6A5FD84
    2012-06-23 06:11 - 2012-06-23 06:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DA1CF5E88255789B
    2012-06-23 06:08 - 2012-06-23 06:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5A16E40960336797
    2012-06-23 06:04 - 2012-06-23 06:04 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D5F35A10CADFC682
    2012-06-23 06:00 - 2012-06-23 06:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F1CC68F5D4E369B1
    2012-06-23 05:57 - 2012-06-23 05:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DFE5E1D43815E87E
    2012-06-23 05:53 - 2012-06-23 05:53 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.771D4E748E7648CB
    2012-06-23 05:50 - 2012-06-23 05:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6BAFFB95B30D7F3D
    2012-06-23 05:46 - 2012-06-23 05:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.643B3B12EE49923D
    2012-06-23 05:42 - 2012-06-23 05:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F37577F2E2D2F6DA
    2012-06-23 05:39 - 2012-06-23 05:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.50249E2FB932353F
    2012-06-23 05:35 - 2012-06-23 05:35 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.91538AD7DE69AAC1
    2012-06-23 05:32 - 2012-06-23 05:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8BAEF84E32F24ADC
    2012-06-23 05:29 - 2012-06-23 05:29 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D6980E53730652AF
    2012-06-23 05:25 - 2012-06-23 05:25 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.1B1BB833E54040B5
    2012-06-23 05:22 - 2012-06-23 05:22 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.C8882DBCEBD258F7
    2012-06-23 05:18 - 2012-06-23 05:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B63613AC3C3EEE72
    2012-06-23 05:14 - 2012-06-23 05:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8B8D9E32B0E388D4
    2012-06-23 05:10 - 2012-06-23 05:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.135BF530B57AD182
    2012-06-23 04:56 - 2012-06-23 04:56 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(2).exe
    2012-06-23 04:51 - 2012-06-23 04:51 - 00980480 ____A C:\Users\LJ\Downloads\MicrosoftFixit50267.msi
    2012-06-23 04:38 - 2012-06-23 04:38 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\LJ\Downloads\mbam-setup-1.61.0.1400.exe
    2012-06-23 04:31 - 2012-06-23 04:31 - 01012656 ____A C:\Users\LJ\Downloads\rkill.exe
    2012-06-23 04:25 - 2012-06-23 04:25 - 12621696 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\mseinstall(1).exe
    2012-06-22 15:37 - 2012-06-22 15:37 - 00539011 ____A C:\Users\LJ\Downloads\star_jedi.zip
    2012-06-22 13:35 - 2012-08-21 07:33 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\PCTSD64.sys
    2012-06-14 01:03 - 2011-02-20 04:42 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-06-13 09:18 - 2012-06-05 04:56 - 00167936 ____A C:\Users\LJ\Windows 8.vdi
    2012-06-11 17:13 - 2012-06-11 17:07 - 00662840 ____A C:\Users\LJ\Downloads\setup.exe
    2012-06-09 05:02 - 2012-06-09 05:01 - 01116968 ____A C:\Windows\Minidump\060912-21340-01.dmp
    2012-06-06 14:53 - 2012-06-06 14:53 - 00007606 ____A C:\Users\LJ\AppData\Local\Resmon.ResmonCfg
    2012-06-04 21:06 - 2012-06-05 05:09 - 3515703296 ___RA C:\Users\LJ\Windows8-ReleasePreview-64bit-English.iso
    2012-06-04 17:28 - 2012-06-04 17:28 - 05350616 ____A (Microsoft Corporation) C:\Users\LJ\Downloads\Windows8-ReleasePreview-UpgradeAssistant.exe
    2012-06-04 15:40 - 2012-06-04 15:37 - 95273304 ____A (Oracle Corporation) C:\Users\LJ\Downloads\VirtualBox-4.1.16-78094-Win.exe
    2012-06-02 14:19 - 2012-06-19 06:34 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-19 06:34 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-19 06:34 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-19 06:34 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-19 06:34 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:15 - 2012-06-19 06:34 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-19 06:34 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 13:19 - 2012-06-19 06:34 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 13:15 - 2012-06-19 06:34 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe


    ZeroAccess:
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\@
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\L
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\U
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\U\00000001.@
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\U\80000000.@
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\U\800000cb.@

    ZeroAccess:
    C:\Users\LJ\AppData\Local\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}
    C:\Users\LJ\AppData\Local\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\@
    C:\Users\LJ\AppData\Local\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\L
    C:\Users\LJ\AppData\Local\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 18%
    Total physical RAM: 3958.5 MB
    Available physical RAM: 3208.45 MB
    Total Pagefile: 3956.65 MB
    Available Pagefile: 3211.03 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:571 GB) (Free:279.74 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive f: () (Removable) (Total:7.45 GB) (Free:7.4 GB) FAT32
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 596 GB 0 B
    Disk 1 Online 7633 MB 0 B
    Disk 2 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 571 GB 101 MB
    Partition 3 OEM 25 GB 571 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 571 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 12
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 LENOVO_PART NTFS Partition 25 GB Healthy Hidden

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7633 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT32 Removable 7633 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-16 22:57

    ======================= End Of Log ==========================
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper

    FRST Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  5. lj2387

    lj2387 TS Rookie Topic Starter

    Seemed pretty simple to run. Here are the results. Thank you again for your help!


    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 19-08-2012
    Ran by SYSTEM at 2012-08-22 20:01:17 Run:1
    Running from F:\

    ==============================================

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Unattend0000000001{BFA3D12B-66DD-4617-923A-E864BC7D20B5} Value deleted successfully.
    C:\Users\LJ\Downloads\STOPzilla_Setup.exe moved successfully.
    C:\Users\LJ\Downloads\spybotsd162.exe moved successfully.
    C:\Windows\Installer\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36} moved successfully.
    C:\Users\LJ\AppData\Local\{6d2c1f07-8b86-4ba4-c29d-b3f394918d36} moved successfully.

    ==== End of Fixlog ====
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com.

    Please save the file to your Desktop, but rename it first to svchost.exe.

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and name ComboFix.exe iexplore.exe, explorer.exe, or winlogon.exe instead.

    Malware is known for blocking all "user" processes, except for its whitelist of system-important processes such as iexplore.exe, explorer.exe, and winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
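A ComboFix report's "Files Created" section lists one dated entry per line, and a helper reading it looks for things such as repeated, hex-suffixed copies of a core Windows binary sitting in System32. The following is an added Python example, not part of this thread or of ComboFix, that parses that layout from a constructed sample report and summarises such copies; the CORE_BINARIES list and the hex-suffix heuristic are assumptions of this example, not something the tool itself reports.

```python
"""Triage the 'Files Created' section of a ComboFix report.

Added example for this thread, not ComboFix code or the helper's own
procedure. It parses ComboFix's dated-entry layout,

    <created> . <modified> <size|--------> <attrs> <path>

and groups files whose name is a core Windows binary plus a hex suffix
(e.g. services.exe.<16 hex digits>). A run of same-size copies created
minutes apart is worth a closer look; the heuristic itself is an assumption.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# One ComboFix entry per line; section banners and '.' spacer lines do not match.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Assumed list of binaries whose name should never carry a trailing hex suffix.
CORE_BINARIES = ("services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe")
SHADOW_RE = re.compile(
    r"^(?P<base>(?:%s))\.(?P<suffix>[0-9a-f]{8,})$"
    % "|".join(re.escape(b) for b in CORE_BINARIES),
    re.IGNORECASE,
)

# Constructed sample in ComboFix's layout (not the thread's actual report):
# ordinary entries plus four same-size, hex-suffixed copies of services.exe.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))
.
.
2012-08-21 19:02 . 2012-08-21 21:52 -------- d-----w- C:\FRST
2012-08-21 15:55 . 2012-08-21 15:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-21 15:55 . 2012-07-03 19:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 14:39 . 2012-08-21 14:39 328704 ----a-w- c:\windows\system32\services.exe.0123456789ABCDEF
2012-08-20 16:25 . 2012-08-20 16:25 328704 ----a-w- c:\windows\system32\services.exe.FEDCBA9876543210
2012-08-20 16:19 . 2012-08-20 16:19 328704 ----a-w- c:\windows\system32\services.exe.00FF00FF00FF00FF
2012-08-20 16:13 . 2012-08-20 16:13 328704 ----a-w- c:\windows\system32\services.exe.0A0A0A0A0A0A0A0A
2012-08-19 21:16 . 2012-08-23 14:19 -------- d-----w- c:\users\sample\AppData\Roaming\Dropbox
.
"""


def parse_files_created(report: str) -> list[dict]:
    """Return one dict per file/directory entry; directories get size None."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = m["size"]
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(size) if size.isdigit() else None,
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries


def shadow_copies(entries: list[dict]) -> dict[str, list[dict]]:
    """Group files named <core binary>.<hex suffix> by their base name."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        name = e["path"].replace("\\", "/").rsplit("/", 1)[-1]
        m = SHADOW_RE.match(name)
        if m:
            groups[m["base"].lower()].append(e)
    return dict(groups)


def summarize(entries: list[dict]) -> list[dict]:
    """One finding per base name: count, whether all copies share a size,
    the creation-time span, and the closest spacing between two copies."""
    findings = []
    for base, copies in sorted(shadow_copies(entries).items()):
        times = sorted(e["created"] for e in copies)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        findings.append({
            "base": base,
            "count": len(copies),
            "uniform_size": len({e["size"] for e in copies}) == 1,
            "first": times[0],
            "last": times[-1],
            "min_gap_minutes": min(gaps) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for f in summarize(parse_files_created(SAMPLE_REPORT)):
        print(f"{f['base']}: {f['count']} suffixed copies, uniform size={f['uniform_size']}, "
              f"{f['first']:%Y-%m-%d %H:%M} .. {f['last']:%Y-%m-%d %H:%M}, "
              f"closest spacing {f['min_gap_minutes']} min")
```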
  7. lj2387

    lj2387 TS Rookie Topic Starter

    It ran smoothly. Here's the log.

    ComboFix 12-08-22.03 - LJ 08/23/2012 8:07.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3958.2223 [GMT -6:00]
    Running from: c:\users\LJ\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\LJ\AppData\Roaming\cacaoweb
    c:\users\LJ\AppData\Roaming\cacaoweb\npdfile.dat
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating1084EBE7BE695296E5D5150069690CF1.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating1AF7FEA09189F6643AC92F05AA2552F1.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating21CD615F57C11FD1B1DB9C09A78270A9.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating30D45CF0CD31D752393FB9D6CB629830.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating4129663F418E6CC6ECFF645DE4B41DBE.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating41CDC8EF02003DD139F0E08AD375BF11.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating4E06598F676D83AC9F5DFB8478EA1C7F.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating54DE8AF2B28515C77B71A94BFC404883.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating6B65A1116139B3FC2DA5D8ECE037CCA4.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating83A4192211D12D8CA0BD2667C26249E8.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating84B1F3A2DD930BD0976A9374C23FEAF3.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating89DE88B1FDF40FE95FBF642056828DCB.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicating8C79614CA820C42E4B686C263924E7BA.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingA1AA663B95F3B84F3F0EAACF24E8E950.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingA5CC3F7E5E588021C847A2B76F3AD136.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingAC84D789C1B773A59F1D11185EEAAECA.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingC39149A9778BD1B50A1F9358C4333505.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingCBE22BF167D331CE636E60E9A3359202.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingD828AD23374A94B6701FC205C8FA9AC5.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingEDE359B9BF17BD57CC11F49013D81436.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingF23B1AD410BECBEC288CDAE9ECCEEC1E.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\replicatingF632AA6F2608790AE42C1E3AC084864C.cacao
    c:\users\LJ\AppData\Roaming\cacaoweb\storage.db
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-23 to 2012-08-23 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-21 19:02 . 2012-08-21 21:52 -------- d-----w- C:\FRST
    2012-08-21 16:06 . 2012-08-21 16:07 -------- d-----w- c:\programdata\AVAST Software
    2012-08-21 16:06 . 2012-08-21 16:07 -------- d-----w- c:\program files\AVAST Software
    2012-08-21 15:55 . 2012-08-21 15:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-08-21 15:55 . 2012-07-03 19:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-21 15:33 . 2012-08-21 19:14 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
    2012-08-21 15:33 . 2012-06-22 21:35 251560 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
    2012-08-21 15:33 . 2012-08-21 15:33 -------- d-----w- c:\users\LJ\AppData\Roaming\TestApp
    2012-08-21 15:33 . 2012-08-21 15:33 -------- d-----w- c:\programdata\PC Tools
    2012-08-21 14:39 . 2012-08-21 14:39 328704 ----a-w- c:\windows\system32\services.exe.41D18933C7FCAFB2
    2012-08-21 00:17 . 2012-08-21 00:18 -------- d-----w- c:\users\LJ\AppData\Roaming\QuickScan
    2012-08-20 16:25 . 2012-08-20 16:25 50392 ----a-w- c:\windows\system32\drivers\gudpktob.sys
    2012-08-20 16:25 . 2012-08-20 16:25 328704 ----a-w- c:\windows\system32\services.exe.576C4EF8A9D12C8B
    2012-08-20 16:19 . 2012-08-20 16:19 328704 ----a-w- c:\windows\system32\services.exe.83ABB9E37995F377
    2012-08-20 16:13 . 2012-08-20 16:13 328704 ----a-w- c:\windows\system32\services.exe.9E5D2957C1F444D9
    2012-08-20 01:30 . 2012-08-20 01:30 -------- d-----w- c:\users\LJ\AppData\Roaming\Adobe Mini Bridge CS5
    2012-08-20 01:30 . 2012-08-20 01:30 -------- d-----w- c:\users\LJ\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    2012-08-19 21:22 . 2012-08-23 14:19 -------- d-----r- c:\users\LJ\Dropbox
    2012-08-19 21:16 . 2012-08-23 14:19 -------- d-----w- c:\users\LJ\AppData\Roaming\Dropbox
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-22 00:31 . 2011-01-03 20:00 952 --sha-w- c:\programdata\KGyGaAvL.sys
    2012-08-15 17:40 . 2012-04-16 12:53 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-15 17:40 . 2011-05-19 13:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-23 14:31 . 2012-06-23 14:31 328704 ----a-w- c:\windows\system32\services.exe.7726F398D1CB739B
    2012-06-23 14:28 . 2012-06-23 14:28 328704 ----a-w- c:\windows\system32\services.exe.0CEA79C026BAFC84
    2012-06-23 14:19 . 2012-06-23 14:19 328704 ----a-w- c:\windows\system32\services.exe.A9E8AACEEF2A5B12
    2012-06-23 14:15 . 2012-06-23 14:15 328704 ----a-w- c:\windows\system32\services.exe.E546C1E0E6A5FD84
    2012-06-23 14:11 . 2012-06-23 14:11 328704 ----a-w- c:\windows\system32\services.exe.DA1CF5E88255789B
    2012-06-23 14:08 . 2012-06-23 14:08 328704 ----a-w- c:\windows\system32\services.exe.5A16E40960336797
    2012-06-23 14:04 . 2012-06-23 14:04 328704 ----a-w- c:\windows\system32\services.exe.D5F35A10CADFC682
    2012-06-23 14:00 . 2012-06-23 14:00 328704 ----a-w- c:\windows\system32\services.exe.F1CC68F5D4E369B1
    2012-06-23 13:57 . 2012-06-23 13:57 328704 ----a-w- c:\windows\system32\services.exe.DFE5E1D43815E87E
    2012-06-23 13:53 . 2012-06-23 13:53 328704 ----a-w- c:\windows\system32\services.exe.771D4E748E7648CB
    2012-06-23 13:50 . 2012-06-23 13:50 328704 ----a-w- c:\windows\system32\services.exe.6BAFFB95B30D7F3D
    2012-06-23 13:46 . 2012-06-23 13:46 328704 ----a-w- c:\windows\system32\services.exe.643B3B12EE49923D
    2012-06-23 13:42 . 2012-06-23 13:42 328704 ----a-w- c:\windows\system32\services.exe.F37577F2E2D2F6DA
    2012-06-23 13:39 . 2012-06-23 13:39 328704 ----a-w- c:\windows\system32\services.exe.50249E2FB932353F
    2012-06-23 13:35 . 2012-06-23 13:35 328704 ----a-w- c:\windows\system32\services.exe.91538AD7DE69AAC1
    2012-06-23 13:32 . 2012-06-23 13:32 328704 ----a-w- c:\windows\system32\services.exe.8BAEF84E32F24ADC
    2012-06-23 13:29 . 2012-06-23 13:29 328704 ----a-w- c:\windows\system32\services.exe.D6980E53730652AF
    2012-06-23 13:25 . 2012-06-23 13:25 328704 ----a-w- c:\windows\system32\services.exe.1B1BB833E54040B5
    2012-06-23 13:22 . 2012-06-23 13:22 328704 ----a-w- c:\windows\system32\services.exe.C8882DBCEBD258F7
    2012-06-23 13:18 . 2012-06-23 13:18 328704 ----a-w- c:\windows\system32\services.exe.B63613AC3C3EEE72
    2012-06-23 13:14 . 2012-06-23 13:14 328704 ----a-w- c:\windows\system32\services.exe.8B8D9E32B0E388D4
    2012-06-23 13:10 . 2012-06-23 13:10 328704 ----a-w- c:\windows\system32\services.exe.135BF530B57AD182
    2012-06-14 09:03 . 2011-02-20 12:42 58957832 ----a-w- c:\windows\system32\MRT.exe
    2012-06-02 22:19 . 2012-06-19 14:34 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-19 14:34 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-19 14:34 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-19 14:34 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-19 14:34 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-19 14:34 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-19 14:34 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 21:19 . 2012-06-19 14:34 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 21:15 . 2012-06-19 14:34 36864 ----a-w- c:\windows\system32\wuapp.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19 94208 ----a-w- c:\users\LJ\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19 94208 ----a-w- c:\users\LJ\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19 94208 ----a-w- c:\users\LJ\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "MusicManager"="c:\users\LJ\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-08-16 7316480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
    "jmekey"="c:\program files (x86)\jmesoft\hotkey.exe" [2009-08-25 225280]
    "YouCam Mirror Tray icon"="c:\program files (x86)\Lenovo\YouCam\YouCamTray.exe" [2010-03-17 171104]
    "CLMLServer"="c:\program files (x86)\Lenovo\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
    "UpdateP2GoShortCut"="c:\program files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "Lenovo Eye Distance System"="c:\program files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe" [2010-05-20 1298944]
    "Lenovo Dynamic Brightness System"="c:\program files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe" [2010-05-20 1303552]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
    .
    c:\users\LJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\LJ\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-7-24 26909544]
    EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-3-29 1014112]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2010-4-14 1083168]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 116648]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
    R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\AVA\Binaries\GameGuard\dump_wmimmc.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 116648]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-30 113120]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;c:\windows\system32\DRIVERS\Rtnic64.sys [2009-06-10 51712]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2012-05-22 147288]
    R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-24 1255736]
    R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
    S0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\DDCDrv.sys [2008-04-08 20832]
    S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2011-05-16 107280]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-03 202752]
    S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2011-05-16 2015504]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 OddLedSrv;OddLedSrv;c:\program files (x86)\Lenovo\OddSrv\OddLedSrv.exe [2010-03-19 221184]
    S2 OddSrv;OddSrv;c:\program files (x86)\Lenovo\OddSrv\OddSrv.exe [2009-12-29 221184]
    S2 SSUService;Splashtop Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-03-15 370504]
    S2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [2010-11-15 5716848]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-02-05 2320920]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-03 6402560]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-03 188928]
    S3 applewtp;Apple Wireless Trackpad;c:\windows\system32\DRIVERS\applewtp.sys [2010-10-15 53760]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 35104]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-11-05 293552]
    S3 EloMTUsb;Elo mt usb serv desc;c:\windows\system32\DRIVERS\EloMTUsb.sys [2010-02-09 56400]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 PQAWRwa;PQAWRwa;c:\program files (x86)\Lenovo\OddSrv\PQAWDrv.sys [2008-02-29 12384]
    S3 VIACRX64;VIACRX64;c:\windows\system32\DRIVERS\viacr64.sys [2010-05-04 75776]
    S3 VMC412;Vimicro Camera Service VMC412;c:\windows\system32\Drivers\VMC412.sys [2010-01-27 237824]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2010-11-02 13312]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 17:40]
    .
    2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 12:17]
    .
    2012-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 12:17]
    .
    2012-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212497501-856445064-3574903371-1001Core.job
    - c:\users\LJ\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-22 22:44]
    .
    2012-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212497501-856445064-3574903371-1001UA.job
    - c:\users\LJ\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-22 22:44]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19 97792 ----a-w- c:\users\LJ\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19 97792 ----a-w- c:\users\LJ\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19 97792 ----a-w- c:\users\LJ\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19 97792 ----a-w- c:\users\LJ\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-12 10134560]
    "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-12 896032]
    "EloConfigDlg"="c:\program files\Elo TouchSystems\EloConfig64.exe" [2010-05-11 4771408]
    "Verigesture"="c:\program files (x86)\Lenovo\Lenovo VeriTouch\Verigesture Dashboard.exe" [2010-05-01 1199520]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "combofix"="c:\combofix\CF8008.3XE" [2009-07-14 344576]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Free YouTube to MP3 Converter - c:\users\LJ\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\LJ\AppData\Roaming\Mozilla\Firefox\Profiles\srl5ss69.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.byui.edu/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
    Toolbar-Locked - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    Toolbar-Locked - (no file)
    WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
    ShellIconOverlayIdentifiers-{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
    ShellIconOverlayIdentifiers-{62CCD8E3-9C21-41E1-B55E-1E26DFC68511} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
    ShellIconOverlayIdentifiers-{A759AFF6-5851-457D-A540-F4ECED148351} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
    ShellIconOverlayIdentifiers-{1574C9EF-7D58-488F-B358-8B78C1538F51} - c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
    HKLM-Run-(Default) - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
    89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
    76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
    d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
    2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:73,17,c2,bd,88,76,cd,01
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
    "value"="?\06\04\1e\01\17\15?"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-23 08:26:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-23 14:26
    .
    Pre-Run: 296,449,376,256 bytes free
    Post-Run: 304,906,166,272 bytes free
    .
    - - End Of File - - 671CE8F508281D9CCB0C69E9B76D3A7E
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  9. lj2387

    lj2387 TS Rookie Topic Starter

    Combofix log

    ComboFix 12-08-22.03 - LJ 08/24/2012 8:23:52.2.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3958.2170 [GMT -6:00]
    Running from: C:\Users\LJ\Desktop\ComboFix.exe
    Command switches used :: C:\Users\LJ\Desktop\CFScript.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\ProgramData\TEMP

    C:\windows\SysWow64\sfcfiles.dll . . . is missing!!

    C:\windows\system32\drivers\ipsec.sys . . . is missing!!

    C:\windows\system32\drivers\psched.sys . . . is missing!!
  10. lj2387

    lj2387 TS Rookie Topic Starter

    AdwCleaner log:

    # AdwCleaner v1.801 - Logfile created 08/24/2012 at 09:15:20
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows 7 Home Premium (64 bits)
    # User : LJ - LJ-LJ-PC
    # Boot Mode : Normal
    # Running from : C:\Users\LJ\Downloads\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Found : C:\Users\LJ\AppData\Local\Conduit
    Folder Found : C:\Users\LJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
    Folder Found : C:\Users\LJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
    Folder Found : C:\Users\LJ\AppData\LocalLow\Conduit
    Folder Found : C:\ProgramData\splashtop
    Folder Found : C:\Program Files (x86)\splashtop

    ***** [Registry] *****

    [*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
    Key Found : HKCU\Software\cacaoweb
    Key Found : HKCU\Software\Conduit
    Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
    Key Found : HKLM\SOFTWARE\Conduit
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
    [x64] Key Found : HKCU\Software\cacaoweb
    [x64] Key Found : HKCU\Software\Conduit
    [x64] Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine

    ***** [Registre - GUID] *****

    Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    -\\ Mozilla Firefox v14.0.1 (en-US)

    Profile name : default
    File : C:\Users\LJ\AppData\Roaming\Mozilla\Firefox\Profiles\srl5ss69.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v21.0.1180.83

    File : C:\Users\LJ\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Found : "description": "The fastest way to search the web.",
    Found : "scriptable_host": [ "hxxp://*/*", "hxxp://cap1.conduit-apps.com/Apps/jdownloader/jdC[...]
    Found : "matches": [ "hxxp://cap1.conduit-apps.com/Apps/jdownloader/jdController.html*", "[...]
    Found : "path": "plugins/ConduitChromeApiPlugin.dll",
    Found : "update_url": "hxxp://autoupdate.chromewebtb.conduit-services.com/?productId=CT250409[...]

    *************************

    AdwCleaner[R1].txt - [2361 octets] - [24/08/2012 09:15:20]

    ########## EOF - C:\AdwCleaner[R1].txt - [2489 octets] ##########
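    A small triage helper for the AdwCleaner "Search" log posted above, added here as an example; it is not part of the thread and not AdwCleaner's own code. It parses the section headers, the `<Kind> Found :` lines with their optional `[*]`/`[x64]` prefixes and the per-browser blocks into structured findings, collapses the duplicate lines the log contains, and pulls the hostnames out of the browser preference fragments so they can be handed to a blocklist or proxy log search. The sample log is a constructed excerpt in the shape of the posted one, and the `hxxp` defanging is left exactly as AdwCleaner writes it.

```python
"""Turn an AdwCleaner 'Search' log into structured findings for triage.

Added example, not AdwCleaner's code. The grammar below is inferred from
the v1.8-era log format as posted: '***** [Section] *****' headers,
'<Kind> Found : <value>' lines with optional '[*]' or '[x64]' prefixes,
and browser blocks introduced by '-' plus two backslashes.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the posted log (not a real machine's output).
SAMPLE_LOG = r"""
# AdwCleaner v1.801 - Logfile created 08/24/2012 at 09:15:20
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\LJ\AppData\Local\Conduit
Folder Found : C:\Users\LJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
Folder Found : C:\Users\LJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk

***** [Registry] *****

[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Found : HKCU\Software\Conduit
[x64] Key Found : HKCU\Software\Conduit

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.83

File : C:\Users\LJ\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "scriptable_host": [ "hxxp://*/*", "hxxp://cap1.conduit-apps.com/Apps/jdownloader/jdC[...]
Found : "matches": [ "hxxp://cap1.conduit-apps.com/Apps/jdownloader/jdController.html*", "[...]
Found : "update_url": "hxxp://autoupdate.chromewebtb.conduit-services.com/?productId=CT250409[...]

*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
BROWSER_RE = re.compile(r"^-\\\\ (?P<browser>.+?) v(?P<version>.+)$")
FINDING_RE = re.compile(
    r"^(?:\[(?P<flag>[^\]]+)\] )?"                        # optional [*] / [x64] prefix
    r"(?:(?P<kind>Folder|File|Key) )?Found : (?P<value>.+)$"
)
HOST_RE = re.compile(r"hxxps?://([^/\"'\s]+)")            # hostnames in defanged URLs


@dataclass(frozen=True)
class Finding:
    section: str
    kind: str          # Folder, File, Key, or Pref (a browser preference fragment)
    value: str
    flag: str = ""     # "x64" when reported from the 64-bit registry view, "*" as AdwCleaner marks it
    browser: str = ""  # set for findings under [Internet Browsers]


def parse_adwcleaner_log(text: str) -> list:
    """Return unique findings in log order; repeated lines collapse to one."""
    findings, seen = [], set()
    section, browser = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, browser = m.group("name"), ""   # a new section resets the browser context
            continue
        m = BROWSER_RE.match(line)
        if m:
            browser = f"{m.group('browser')} v{m.group('version')}"
            continue
        m = FINDING_RE.match(line)
        if m and section:
            f = Finding(section, m.group("kind") or "Pref", m.group("value"),
                        m.group("flag") or "", browser)
            if f not in seen:
                seen.add(f)
                findings.append(f)
    return findings


def summarize(findings: list) -> dict:
    """Number of unique findings per log section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


def extract_hosts(findings: list) -> list:
    """Hostnames referenced by browser preference findings; wildcard hosts like '*' are dropped."""
    hosts = set()
    for f in findings:
        if f.kind != "Pref":
            continue
        for host in HOST_RE.findall(f.value):
            if "*" not in host:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    found = parse_adwcleaner_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:18} {f.kind:6} {f.flag or '-':4} {f.value}")
    print(summarize(found))
    print(extract_hosts(found))
```

    To run it over real logs, read `C:\AdwCleaner[Rn].txt` (or the `[Sn]` file written by a Delete run) and pass its text to `parse_adwcleaner_log`; the `x64` flag distinguishes keys seen through the 64-bit registry view from their Wow6432Node counterparts, so the same key reported twice is kept as two findings on purpose.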
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That is not a full ComboFix log. Please find the correct FULL log at c:\combofix.txt and post it in your next reply...

    Remove the Adware.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.

