TechSpot

Vista Ultimate 64-bit infected by WIN64/PATCHED.A

Solved
By Wayne Stemple
Jul 13, 2012
  1. My AVG is reporting that PATCHED.A has landed on my Dell Inspiron 1525. I am seeking some expert advice to get rid of it.

    Thanks,
    Wayne
     
  2. Jay Pfoutz

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Please review the 5-Step removal instructions and post the logs back here for my review.
     
  3. Wayne Stemple

    Thanks for wanting to help me with this issue. I have followed the 5 steps and here are the log(s) from those programs:

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.13.01

    Windows Vista Service Pack 2 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Wayne :: WAYNE-LAPTOP [administrator]

    Protection: Enabled

    7/12/2012 10:41:02 PM
    mbam-log-2012-07-12 (22-41-02).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 240233
    Time elapsed: 5 minute(s), 10 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Windows\Installer\MSI10A5.tmp (HackTool.Hiderun) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

    (end)
    There was no log from GMER
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Wayne at 13:03:38 on 2012-07-13
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1799 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Secunia\PSI\PSIA.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\SmarterTools\SmarterTrack\Web Server\STrWebSvr.exe
    C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Core Temp\Core Temp.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    C:\Windows\System32\WLTRAY.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Windows\System32\p2phost.exe
    C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
    C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
    C:\Windows\OEM02Mon.exe
    C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe
    C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Program Files (x86)\SelectRebates\SelectRebates.exe
    C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\Wayne\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe
    C:\Users\Wayne\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler64.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    "C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe
    "C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
    C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.plusnetwork.com
    uURLSearchHooks: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
    mURLSearchHooks: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    BHO: Messenger Plus! Community SmartbarEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll
    BHO: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    BHO: DeLorme Send To GPS: {fbaad182-3c7a-4bc4-a5e9-207b8e0f02fd} - C:\Program Files (x86)\DeLorme\SendToGPS\PNPluginForIE.dll
    TB: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
    TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    TB: Messenger Plus! Community Smartbar: {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
    uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
    uRun: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
    uRun: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
    uRun: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [Google Update] "C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Browser Infrastructure Helper] C:\Users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe startup
    uRun: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
    uRunOnce: [Application Restart #3] C:\Users\Wayne\AppData\Local\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --restore-last-session -- http://odo.parcom.net/cgi-bin/index...b43ea8a039fa4ec6c4&et=1340006949&locale=en_US
    mRun: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
    mRun: [DELL Webcam Manager] "C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    mRun: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe"
    mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
    mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun: [SelectRebates] "C:\Program Files (x86)\SelectRebates\SelectRebates.exe"
    mRun: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
    dRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    StartupFolder: C:\Users\Wayne\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Belkin\Bluetooth Software\BTTray.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\KODAKE~1.LNK - C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
    IE: Send image to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.3.cab
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 216.165.129.158 216.170.153.146
    TCP: Interfaces\{3EC58775-4044-4C87-A59C-DDBA70FC4BBC} : DhcpNameServer = 216.165.129.158 216.170.153.146
    TCP: Interfaces\{5B3EA024-7116-49C2-BBA6-FFA2F8A60CFE} : DhcpNameServer = 216.165.129.158 216.170.153.146
    TCP: Interfaces\{C5CCDEEA-3D2C-48EF-A950-31F3FF917680} : DhcpNameServer = 216.165.129.158 216.170.153.146
    TCP: Interfaces\{CCA16B59-9EB4-4542-A1D3-F8ADD003D946} : DhcpNameServer = 216.165.129.158 216.170.153.146
    Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files (x86)\Common Files\A&W\MidRadio.ocx
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    BHO-X64: AVG Do Not Track - No File
    BHO-X64: Messenger Plus! Community SmartbarEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll
    BHO-X64: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: ShopAtHomeIEHelper Class: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    BHO-X64: ShopAtHomeIEHelper - No File
    BHO-X64: DeLorme Send To GPS: {FBAAD182-3C7A-4BC4-A5E9-207B8E0F02FD} - C:\Program Files (x86)\DeLorme\SendToGPS\PNPluginForIE.dll
    BHO-X64: PNBHO - No File
    TB-X64: greatbar22022010g2 Toolbar: {36a4bdcd-d5b5-4618-b144-e335d0f3d381} - C:\Program Files (x86)\EvonyNet\tbEvo0.dll
    TB-X64: ShopAtHome.com Toolbar: {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    TB-X64: Messenger Plus! Community Smartbar: {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll
    mRun-x64: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
    mRun-x64: [DELL Webcam Manager] "C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    mRun-x64: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun-x64: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe"
    mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
    mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun-x64: [SelectRebates] "C:\Program Files (x86)\SelectRebates\SelectRebates.exe"
    mRun-x64: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
    IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
    R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-12 655944]
    R2 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys --> C:\Windows\system32\drivers\npf.sys [?]
    R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-12 1692480]
    R2 STrWebSvr;SmarterTrack Web Server;C:\Program Files (x86)\SmarterTools\SmarterTrack\Web Server\STrWebSvr.exe [2012-3-8 98304]
    R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-1-22 92592]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64k.sys --> C:\Windows\system32\DRIVERS\point64k.sys [?]
    R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
    R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
    S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate1c9bf00c803d790;Google Update Service (gupdate1c9bf00c803d790);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-16 133104]
    S2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-14 250056]
    S3 btnetBUs;Bluetooth PAN Bus Service;C:\Windows\system32\Drivers\btnetBus.sys --> C:\Windows\system32\Drivers\btnetBus.sys [?]
    S3 dc3d;USBCCGP filter driver (dc3d);C:\Windows\system32\DRIVERS\dc3d.sys --> C:\Windows\system32\DRIVERS\dc3d.sys [?]
    S3 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-16 133104]
    S3 netr7364;Wireless-G USB Network Adapter with RangeBooster Driver for Vista;C:\Windows\system32\DRIVERS\WUSB54GRx64.sys --> C:\Windows\system32\DRIVERS\WUSB54GRx64.sys [?]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;C:\Windows\system32\DRIVERS\silabenm.sys --> C:\Windows\system32\DRIVERS\silabenm.sys [?]
    S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;C:\Windows\system32\DRIVERS\silabser.sys --> C:\Windows\system32\DRIVERS\silabser.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
    S3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2012-07-13 17:44:14  --------  d-----w-  C:\Users\Wayne\AppData\Local\{84828F34-931A-490F-A242-65171193B536}
    2012-07-13 17:43:42  --------  d-----w-  C:\Users\Wayne\AppData\Local\{4662A4E0-D7AB-4EF9-9722-4F856815449A}
    2012-07-13 03:39:51  --------  d-----w-  C:\Users\Wayne\AppData\Roaming\Malwarebytes
    2012-07-13 03:39:11  --------  d-----w-  C:\ProgramData\Malwarebytes
    2012-07-13 03:39:10  24904     ----a-w-  C:\Windows\System32\drivers\mbam.sys
    2012-07-13 03:39:10  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-13 01:43:44  --------  d-----w-  C:\Users\Wayne\AppData\Local\{B71E2A2B-A7C1-407D-A7BE-1BEE20D36069}
    2012-07-12 11:56:18  --------  d-----w-  C:\Users\Wayne\AppData\Local\{12D81F13-F765-4729-A71E-604027F7124F}
    2012-07-12 11:56:14  --------  d-----w-  C:\Users\Wayne\AppData\Local\{818C2590-7AC7-46C6-8DDF-8EFFF9F96678}
    2012-07-12 04:48:37  --------  d-sh--w-  C:\Windows\SysWow64\%APPDATA%
    2012-07-11 11:54:31  --------  d-----w-  C:\Users\Wayne\AppData\Local\{F26048F9-4ACA-4A5D-BF9E-325C505E1B9D}
    2012-07-11 11:54:30  --------  d-----w-  C:\Users\Wayne\AppData\Local\{7510CEC1-0FEA-4013-8EAD-5DA7CF53863C}
    2012-07-11 00:58:44  974848    ----a-w-  C:\Program Files\Common Files\System\ado\msado15.dll
    2012-07-10 11:59:50  --------  d-----w-  C:\Users\Wayne\AppData\Local\{C19ABDB5-324C-4A25-9A94-6AD1B9B8CE9B}
    2012-07-06 02:40:08  --------  d-----w-  C:\Users\Wayne\AppData\Local\{66A14379-25F8-4F31-A5CD-CED625716A98}
    2012-07-06 02:40:05  --------  d-----w-  C:\Users\Wayne\AppData\Local\{E5052C14-B34D-4016-AAAE-7561274DE4A1}
    2012-07-05 07:52:41  --------  d-----w-  C:\Users\Wayne\AppData\Local\{A04D0DF2-0435-4D25-A45E-5E438005D45B}
    2012-07-05 07:31:33  --------  d-----w-  C:\Users\Wayne\AppData\Local\{0A620493-A9E6-4586-9B93-D4208364138C}
    2012-07-04 04:22:17  476936    ----a-w-  C:\Windows\SysWow64\npdeployJava1.dll
    2012-06-29 13:58:24  --------  d-----w-  C:\Users\Wayne\AppData\Local\{53157048-2EFF-4CB5-A878-2157E7E534DD}
    2012-06-29 13:57:19  --------  d-----w-  C:\Users\Wayne\AppData\Local\{86E59D4E-A266-45CA-8ED6-29BA3A472E2C}
    2012-06-14 11:01:10  --------  d-----w-  C:\Users\Wayne\AppData\Local\{8DEBE35A-F785-408E-A392-C0C3147BB920}
    2012-06-14 11:01:09  --------  d-----w-  C:\Users\Wayne\AppData\Local\{38A48453-5A4A-4B3A-A185-3F3B3299C373}
    2012-06-14 00:53:40  209920    ----a-w-  C:\Windows\System32\drivers\rdpwd.sys
    2012-06-14 00:53:15  984064    ----a-w-  C:\Windows\SysWow64\crypt32.dll
    2012-06-14 00:53:15  174592    ----a-w-  C:\Windows\System32\cryptsvc.dll
    2012-06-14 00:53:15  133120    ----a-w-  C:\Windows\SysWow64\cryptsvc.dll
    2012-06-14 00:53:15  132096    ----a-w-  C:\Windows\System32\cryptnet.dll
    2012-06-14 00:53:15  1267200   ----a-w-  C:\Windows\System32\crypt32.dll
    2012-06-14 00:53:14  98304     ----a-w-  C:\Windows\SysWow64\cryptnet.dll
    .
    ==================== Find3M ====================
    .
    2012-07-12 02:59:0170344----a-w-C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-12 02:59:01426184----a-w-C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-04 04:21:36472840----a-w-C:\Windows\SysWow64\deployJava1.dll
    2012-06-13 13:58:272769408----a-w-C:\Windows\System32\win32k.sys
    2012-06-05 16:47:281401856----a-w-C:\Windows\SysWow64\msxml6.dll
    2012-06-05 16:47:271248768----a-w-C:\Windows\SysWow64\msxml3.dll
    2012-06-05 16:22:471797120----a-w-C:\Windows\System32\msxml6.dll
    2012-06-05 16:22:461869824----a-w-C:\Windows\System32\msxml3.dll
    2012-06-04 15:29:59516480----a-w-C:\Windows\System32\drivers\ksecdd.sys
    2012-06-02 22:15:312622464----a-w-C:\Windows\System32\wucltux.dll
    2012-06-02 22:15:0899840----a-w-C:\Windows\System32\wudriver.dll
    2012-06-02 22:12:1388576----a-w-C:\Windows\SysWow64\wudriver.dll
    2012-06-02 20:19:42186752----a-w-C:\Windows\System32\wuwebv.dll
    2012-06-02 20:19:42171904----a-w-C:\Windows\SysWow64\wuwebv.dll
    2012-06-02 20:15:1236864----a-w-C:\Windows\System32\wuapp.exe
    2012-06-02 20:12:2033792----a-w-C:\Windows\SysWow64\wuapp.exe
    2012-06-02 12:12:172311680----a-w-C:\Windows\System32\jscript9.dll
    2012-06-02 12:05:281392128----a-w-C:\Windows\System32\wininet.dll
    2012-06-02 12:04:501494528----a-w-C:\Windows\System32\inetcpl.cpl
    2012-06-02 12:01:40173056----a-w-C:\Windows\System32\ieUnatt.exe
    2012-06-02 11:57:082382848----a-w-C:\Windows\System32\mshtml.tlb
    2012-06-02 08:33:251800192----a-w-C:\Windows\SysWow64\jscript9.dll
    2012-06-02 08:25:081129472----a-w-C:\Windows\SysWow64\wininet.dll
    2012-06-02 08:25:031427968----a-w-C:\Windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20:33142848----a-w-C:\Windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16:522382848----a-w-C:\Windows\SysWow64\mshtml.tlb
    2012-06-02 00:22:56347136----a-w-C:\Windows\System32\schannel.dll
    2012-06-02 00:22:10254464----a-w-C:\Windows\System32\ncrypt.dll
    2012-06-02 00:05:1177312----a-w-C:\Windows\SysWow64\secur32.dll
    2012-06-02 00:04:25278528----a-w-C:\Windows\SysWow64\schannel.dll
    2012-06-02 00:03:42204288----a-w-C:\Windows\SysWow64\ncrypt.dll
    2012-04-19 09:50:2628480----a-w-C:\Windows\System32\drivers\avgidsha.sys
    .
    ============= FINISH: 13:04:24.37 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Ultimate
    Boot Device: \Device\HarddiskVolume3
    Install Date: 12/24/2008 12:22:58 PM
    System Uptime: 7/13/2012 12:15:14 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0U990C
    Processor: Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz | Microprocessor | 2000/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 221 GiB total, 56.969 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 3.451 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    .
    Acrobat.com
    Adobe AIR
    Adobe ConnectNow Add-in
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.3)
    Advanced Audio FX Engine
    Advanced PDF Password Recovery
    Advanced Video FX Engine
    Apple Application Support
    Apple Software Update
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    AVerMedia MCE Encoder x64 3.0.1.0
    AVG PC Tuneup
    Belarc Advisor 7.2
    Bing Rewards Client Installer
    CCScore
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    D3DX10
    Dell DataSafe Local Backup
    Dell DataSafe Local Backup - Support Software
    Dell Driver Download Manager
    Dell Resource CD
    Dell Webcam Center
    Dell Webcam Manager
    DeLorme Cache Register 2.0
    DeLorme Send To GPS 1.2
    DeLorme Street Atlas USA 2009
    DeLorme Topo North America 9.0
    DeLorme Topo USA 8.0
    DFX for Windows Media Player
    Dynex mini card reader
    EasyGPS 4.45
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    EvonyNet Toolbar
    Feedback Tool
    Garmin Communicator Plugin
    Garmin USB Drivers
    GCTool
    GeoGet 2.6.4.671
    Geomate.Jr Software Kit
    Google Chrome
    Google Earth
    Google Update Helper
    Google Updater
    Highlight Viewer (Windows Live Toolbar)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ieSpell
    Ipswitch WS_FTP LE
    iSEEK AnswerWorks English Runtime
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 33
    Java(TM) 6 Update 7
    Junk Mail filter update
    Kixtarter
    Kodak EasyShare software
    Live! Cam Avatar Creator
    Live! Cam Avatar v1.0
    Logic Circuit Designer
    Loki ActiveX Control
    Loki Browser Plugin
    Malwarebytes Anti-Malware version 1.62.0.1300
    Map Button (Windows Live Toolbar)
    MediaDirect
    Messenger Plus! 5
    Messenger Plus! Community Smartbar
    Microsoft Default Manager
    Microsoft Office File Validation Add-In
    Microsoft Office Live Add-in 1.5
    Microsoft Office Live Add-in Patches
    Microsoft Office Outlook Connector
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Works 6-9 Converter
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MWSnap 3
    netbrdg
    Nokia Connectivity Cable Driver
    OfotoXMI
    OkCustomMap
    OkCustomMap 1.4.4
    OkMap 10.4.0
    OpenDNS Updater 2.2.1
    OpenOffice.org 3.3
    Optimizer Pro v3.0
    OutlookAddinSetup
    PC Connectivity Solution
    PDF Password Cracker Pro v3.2
    PDF Password Unlocker 4.0.2.5
    QuickTime
    RICOH R5C83x/84x Media Driver x64 Ver.5.03.03
    Secunia PSI (2.0.0.4003)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Segoe UI
    SFR
    SHASTA
    ShopAtHome.com Toolbar
    Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
    skin0001
    SKINXSDK
    Smart Menus (Windows Live Toolbar)
    SmarterTrack
    Spelling Dictionaries Support For Adobe Reader 9
    Spotlight on Windows (freeware)
    staticcr
    Street Atlas USA 2004 Handheld
    Street Atlas USA 2004 Handheld Data
    TomTom HOME 2.8.3.2499
    TomTom HOME Visual Studio Merge Modules
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2009 wwiiper
    TurboTax 2010
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    TurboTax 2010 wwiiper
    TurboTax 2010 wwviper
    TurboTax 2011
    TurboTax 2011 WinPerFedFormset
    TurboTax 2011 WinPerReleaseEngine
    TurboTax 2011 WinPerTaxSupport
    TurboTax 2011 wrapper
    TurboTax 2011 wwiiper
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update Installer for WildTangent Games App
    Urwigo
    Vhd Resizer
    Visual C++ 8.0 Runtime Setup Package (x64)
    Visual Studio 2008 x64 Redistributables
    VPRINTOL
    WildTangent Games App (Dell Games)
    WinCachebox
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Favorites for Windows Live Toolbar
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Player Firefox Plugin
    WinPcap 4.1.1
    WIRELESS
    Workspace Macro 4.6
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/13/2012 12:56:13 PM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service has not been started.
    7/13/2012 12:41:35 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.
    7/13/2012 12:18:31 PM, Error: Microsoft-Windows-WMPNSS-Service [14329] - Service 'WMPNetworkSvc' did not start correctly because the registry could not be updated due to error '0x80070006'. If possible, reinstall Windows Media Player.
    7/13/2012 12:18:00 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP LaserJet 4050 Series PCL 5 with shared resource name NAIMIS. Error 1753. The printer cannot be used by others on the network.
    7/13/2012 12:18:00 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP LaserJet 4 Plus with shared resource name HP LaserJet 4 Plus. Error 1753. The printer cannot be used by others on the network.
    7/13/2012 12:17:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BtHidBus
    7/13/2012 12:17:13 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    7/13/2012 12:17:13 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    7/13/2012 12:17:13 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    7/13/2012 12:17:04 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    7/13/2012 12:01:41 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the WLAN AutoConfig service, but this action failed with the following error: An instance of the service is already running.
    7/13/2012 11:58:28 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the DHCP Client service, but this action failed with the following error: An instance of the service is already running.
    7/13/2012 11:57:41 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio Endpoint Builder service, but this action failed with the following error: An instance of the service is already running.
    7/13/2012 11:54:10 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    7/13/2012 11:52:10 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    7/13/2012 11:51:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
    7/13/2012 11:51:29 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    7/13/2012 11:50:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
    7/13/2012 11:36:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
    7/13/2012 11:35:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
    7/13/2012 11:35:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EMDMgmt service.
    7/13/2012 11:34:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CscService service.
    7/13/2012 11:33:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.
    7/13/2012 11:32:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UxSms service.
    7/13/2012 11:31:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TabletInputService service.
    7/13/2012 11:30:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the hidserv service.
    7/13/2012 11:28:38 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.15 for the Network Card with network address 00234E35ED5A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    7/13/2012 1:05:12 PM, Error: Service Control Manager [7023] - The Secure Socket Tunneling Protocol Service service terminated with the following error: The system cannot find the file specified.
    7/13/2012 1:05:12 PM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
    Thanks for your help and I await your next set of instructions.
    Wayne
     
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Please make sure to download the 64-bit version.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst64 and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • type exit and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)


    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply along with the first FRST log.
     
  5. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    When booting from the HD, Repair your computer was not an option. Since I was in my office and did not have the CD to boot from, I booted into Safe Mode w/command prompt to run the requested process. I hope that will work for you. If not, I will have to locate my CD to boot from. I have included the requested logs below:
    ========================= Memory info ======================

    Percentage of memory in use: 14%
    Total physical RAM: 4085.12 MB
    Available physical RAM: 3512.75 MB
    Total Pagefile: 8345.52 MB
    Available Pagefile: 7889.95 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:220.58 GB) (Free:55.62 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:9.77 GB) (Free:3.46 GB) NTFS
    4 Drive g: (NEW VOLUME) (Removable) (Total:7.45 GB) (Free:3.54 GB) FAT32

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B
    Disk 1 Online 7643 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 32 KB
    Partition 2 Primary 10 GB 40 MB
    Partition 3 Primary 221 GB 10 GB
    Partition 0 Extended 2559 MB 230 GB
    Partition 4 Logical 2558 MB 230 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D RECOVERY NTFS Partition 10 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 221 GB Healthy System (partition with boot components)

    ==================================================================================

    Disk: 0
    Partition 4
    Type : DD
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 7640 MB 32 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 G NEW VOLUME FAT32 Removable 7640 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-17 12:34

    ======================= End Of Log ==========================

    Farbar Recovery Scan Tool Version: 14-07-2012 01
    Ran by Wayne at 2012-07-17 14:02:21
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 21:49] - [2008-01-20 21:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [2009-09-10 22:19] - [2009-04-11 02:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [2008-01-20 21:48] - [2008-01-20 21:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

    C:\Windows\SysWOW64\services.exe
    [2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\services.exe
    [2009-09-10 22:19] - [2009-04-11 02:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

    ====== End Of Search ======
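Added example (not part of this post, and not FRST's own code): a Python check that applies the comparison the helper makes from this Search.txt, pairing each live services.exe with the WinSxS copies of the same architecture and flagging a live copy whose size and MD5 match none of the stored copies, since servicing installs the binary unchanged from the component store. It assumes a 64-bit Windows (System32 holds the amd64 binaries, SysWOW64 the x86 ones) and the two-line record layout FRST printed above; the sample input is the six records from this post.

```python
import re
from dataclasses import dataclass


@dataclass
class FileEntry:
    path: str
    size: int
    md5: str


# One Search.txt record: a path line, then
# "[created] - [modified] - <size> <attrs> (<company>) <MD5>".
META_RE = re.compile(
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})"
)
# WinSxS folder names encode <arch>_<component>_<publickeytoken>_<version>_<lang>_<hash>.
SXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>x86|amd64|wow64)_.+?_31bf3856ad364e35_(?P<version>\d+(?:\.\d+){3})_",
    re.IGNORECASE,
)

# Constructed sample input: the six records from the Search.txt posted above.
SEARCH_TXT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 21:49] - [2008-01-20 21:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-10 22:19] - [2009-04-11 02:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 21:48] - [2008-01-20 21:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-10 22:19] - [2009-04-11 01:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-10 22:19] - [2009-04-11 02:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
"""


def parse_search(text):
    """Pair each path line with the metadata line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for path, meta in zip(lines, lines[1:]):
        if ":\\" not in path:
            continue
        m = META_RE.match(meta)
        if m:
            entries.append(FileEntry(path, int(m["size"]), m["md5"].upper()))
    return entries


def live_arch(path):
    # Assumes 64-bit Windows: System32 holds amd64 binaries, SysWOW64 the x86 ones.
    low = path.lower()
    if "\\syswow64\\" in low:
        return "x86"
    if "\\system32\\" in low:
        return "amd64"
    return None


def version_key(v):
    return tuple(int(p) for p in v.split("."))


def check_live_copies(entries):
    """For each live copy, look for a stored copy of the same architecture with the
    same size and MD5. A live file matching no stored copy was altered after
    installation and deserves a closer look (confirm with a signature check)."""
    backups = {}  # arch -> [(version, FileEntry)]
    live = []
    for e in entries:
        m = SXS_RE.search(e.path)
        if m:
            backups.setdefault(m["arch"].lower(), []).append((m["version"], e))
        elif live_arch(e.path):
            live.append(e)
    report = {}
    for e in live:
        refs = backups.get(live_arch(e.path), [])
        matching = [v for v, b in refs if b.md5 == e.md5 and b.size == e.size]
        newest = max(refs, key=lambda vb: version_key(vb[0]), default=None)
        report[e.path] = {
            "arch": live_arch(e.path),
            "matches_version": max(matching, key=version_key) if matching else None,
            "size_delta_vs_newest": e.size - newest[1].size if newest else None,
            "suspect": not matching,
        }
    return report


if __name__ == "__main__":
    for path, r in check_live_copies(parse_search(SEARCH_TXT)).items():
        verdict = "SUSPECT" if r["suspect"] else f"matches WinSxS {r['matches_version']}"
        print(f"{path}: {verdict} (size delta vs newest backup: {r['size_delta_vs_newest']})")
```

On the records above this flags the System32 copy (no stored amd64 copy shares its hash, and it is 2560 bytes smaller than the 6.0.6002.18005 backup) while the SysWOW64 copy matches its x86 backup exactly.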
     
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    The system file services.exe is clearly infected.

    Let's take a different approach:

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  7. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    I was able to get this to run as you requested. Just a note that the link to the download came back with a 404. I just had to get it from them the old-fashioned way. Your instructions did not include a reboot after this process, but I notice in the log that it seems to be needed. Please advise.


    ComboFix 12-07-18.04 - Wayne 07/18/2012 12:55:51.2.2 - x64
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1853 [GMT -5:00]
    Running from: C:\Users\Wayne\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\1afb2d56
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\201d3dde
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000004.@
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\000000cb.@
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000000.@
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000032.@
    C:\Windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000064.@

    ---- Previous Run -------

    C:\Install.exe
    C:\Program Files (x86)\SelectRebates
    C:\Program Files (x86)\SelectRebates\FFToolbar\chrome.manifest
    C:\Program Files (x86)\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
    C:\Program Files (x86)\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
    C:\Program Files (x86)\SelectRebates\FFToolbar\install.rdf
    C:\Program Files (x86)\SelectRebates\SahImages\alert.png
    C:\Program Files (x86)\SelectRebates\SahImages\check.png
    C:\Program Files (x86)\SelectRebates\SahImages\close.png
    C:\Program Files (x86)\SelectRebates\SelectAlerts.dat
    C:\Program Files (x86)\SelectRebates\SelectRebates.exe
    C:\Program Files (x86)\SelectRebates\SelectRebates.ini
    C:\Program Files (x86)\SelectRebates\SelectRebatesA.dat
    C:\Program Files (x86)\SelectRebates\SelectRebatesApi.exe
    C:\Program Files (x86)\SelectRebates\SelectRebatesB.dat
    C:\Program Files (x86)\SelectRebates\SelectRebatesBT.dat
    C:\Program Files (x86)\SelectRebates\SelectRebatesDownload.exe
    C:\Program Files (x86)\SelectRebates\SelectRebatesH.dat
    C:\Program Files (x86)\SelectRebates\SelectRebatesUninstall.exe
    C:\Program Files (x86)\SelectRebates\SRebates.dll
    C:\Program Files (x86)\SelectRebates\SRFF3.dll
    C:\Program Files (x86)\SelectRebates\Toolbar\AddtoList.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\basis.xml
    C:\Program Files (x86)\SelectRebates\Toolbar\Basis.xml.dym
    C:\Program Files (x86)\SelectRebates\Toolbar\Blank.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\CashBack.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\Coupons.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\GroceryCoupon.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\i_magnifying.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\icons.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\logo.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\logo_24.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\logo_HotSpots.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\ReviewSite.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\RightControls.dym
    C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-alert.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-go.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-icons.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-restaurant.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\sahtb-wishlist.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\Scissors.bmp
    C:\Program Files (x86)\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
    C:\Users\Wayne\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.dat
    C:\Users\Wayne\Desktop\Setup.exe
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    D:\AUTORUN.INF

    C:\Windows\system32\services.exe . . . is infected!!


    ((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))


    2012-07-17 18:26:28 . 2012-07-17 18:26:45 -------- d-----w- C:\FRST
    2012-07-13 03:39:51 . 2012-07-13 03:39:51 -------- d-----w- C:\Users\Wayne\AppData\Roaming\Malwarebytes
    2012-07-13 03:39:11 . 2012-07-13 03:39:11 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-13 03:39:10 . 2012-07-13 03:39:14 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-13 03:39:10 . 2012-07-03 18:46:44 24904 ----a-w- C:\Windows\system32\drivers\mbam.sys
    2012-07-12 04:48:37 . 2012-07-12 04:48:37 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
    2012-07-11 00:58:44 . 2012-06-05 16:47:10 708608 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
    2012-07-06 04:01:22 . 2012-07-18 17:33:18 -------- d-----w- C:\Users\Wayne\AppData\Roaming\Thunderbird
    2012-07-04 04:22:17 . 2012-07-04 04:21:36 476936 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2012-07-12 02:59:01 . 2012-04-15 04:21:10 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 02:59:01 . 2011-11-01 15:56:53 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 08:04:47 . 2006-11-02 12:35:00 59701280 ----a-w- C:\Windows\system32\mrt.exe
    2012-07-04 04:21:36 . 2010-05-02 23:43:54 472840 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2012-06-26 04:15:16 . 2008-12-25 18:31:54 164880 ---ha-w- C:\Users\Wayne\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
    2012-05-01 14:29:44 . 2012-06-14 00:53:40 209920 ----a-w- C:\Windows\system32\drivers\rdpwd.sys
    2012-04-23 16:25:30 . 2012-06-14 00:53:15 174592 ----a-w- C:\Windows\system32\cryptsvc.dll
    2012-04-23 16:25:30 . 2012-06-14 00:53:15 132096 ----a-w- C:\Windows\system32\cryptnet.dll
    2012-04-23 16:25:30 . 2012-06-14 00:53:15 1267200 ----a-w- C:\Windows\system32\crypt32.dll
    2012-04-23 16:00:53 . 2012-06-14 00:53:15 984064 ----a-w- C:\Windows\SysWow64\crypt32.dll
    2012-04-23 16:00:53 . 2012-06-14 00:53:15 133120 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
    2012-04-23 16:00:53 . 2012-06-14 00:53:14 98304 ----a-w- C:\Windows\SysWow64\cryptnet.dll


    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.

    [7] 2009-04-11 07:10:50 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005 (lh_sp2rtm.090410-1830)] .. C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [7] 2008-01-21 02:48:47 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000 (longhorn_rtm.080118-1840)] .. C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [-] 2009-04-11 07:10:50 . B8844F93D2C5F1DCDB179AAA9AF134B7 . 381952 . . [6.0.6000.16386 (vista_rtm.061101-2205)] .. C:\Windows\system32\services.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "C:\Program Files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 19:24:44 2735200]

    [HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-08 15:55:32 297808 ----a-w- C:\Windows\System32\mscoree.dll

    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
    2010-09-12 19:24:44 2735200 ----a-w- C:\Program Files (x86)\EvonyNet\tbEvo0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "C:\Program Files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 19:24:44 2735200]

    [HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 07:10:53 1555968]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:50:36 138240]
    "Speech Recognition"="C:\Windows\Speech\Common\sapisvr.exe" [2008-01-21 02:48:42 41984]
    "TomTomHOME.exe"="C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 04:43:08 247728]
    "OpenDNS Updater"="C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 21:42:58 839680]
    "swg"="C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 22:40:49 39408]
    "Browser Infrastructure Helper"="C:\Users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe" [2012-02-28 00:03:24 19272]
    "Optimizer Pro"="C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe" [2012-01-02 23:15:28 81912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-05-10 07:01:00 36864]
    "DELL Webcam Manager"="C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 22:43:34 118784]
    "PCMService"="C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe" [2007-12-21 16:58:06 184320]
    "ArcSoft Connection Service"="C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 01:17:52 207424]
    "Microsoft Default Manager"="C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 19:12:28 439568]
    "Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 05:53:56 35736]
    "Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
    "AVG_TRAY"="C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 10:12:34 2587008]
    "PlusService"="C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-27 20:43:07 801792]
    "APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
    "QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2011-10-24 19:28:52 421888]
    "SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 20:02:04 254696]
    "Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 18:46:44 462920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 13:43:07 559616]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" [2012-03-08 23:50:28 4280184]

    C:\Users\Wayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2007-2-27 982320]
    Kodak EasyShare software.lnk - C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
    Secunia PSI Tray.lnk - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 02:59:02 250056]
    S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 13:10:42 63928]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ALSYSIO
    *NewlyCreated* - WS2IFSL

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    NETSVCS REQUIRES REPAIRS - current entries shown

    Rebuilding ... You need to reboot your machine for this to take effect.

    AeLookupSvc
    AppMgmt
    AudioSrv
    BITS
    CertPropSvc
    FastUserSwitchingCompatibility
    gpsvc
    helpsvc
    Ias
    iphlpsvc
    Irmon
    lanmanserver
    LogonHours
    msiscsi
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    PCAudit
    Rasauto
    Rasman
    Remoteaccess
    schedule
    SCPolicySvc
    SENS
    SessionEnv
    Sharedaccess
    ShellHWDetection
    SRService
    Tapisrv
    TermService
    uploadmgr
    winmgmt
    WmdmPmSp
    Wmi
    wuauserv

    Contents of the 'Scheduled Tasks' folder

    2012-07-18 C:\Windows\Tasks\Adobe Flash Player Updater.job
    - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 04:21:10 . 2012-07-12 02:59:02]

    2012-07-18 C:\Windows\Tasks\Google Software Updater.job
    - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-03 22:40:46 . 2011-09-15 23:45:46]

    2012-07-18 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-04-17 02:04:02 . 2009-04-17 02:03:49]

    2012-07-18 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000Core.job
    - C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57:04 . 2010-12-01 22:57:02]

    2012-07-18 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000UA.job
    - C:\Users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57:04 . 2010-12-01 22:57:02]

    2012-07-13 C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - C:\Program Files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32:18 . 2011-10-06 20:32:18]

    2012-07-18 C:\Windows\Tasks\SystemToolsDailyTest.job
    - C:\Program Files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32:18 . 2011-10-06 20:32:18]


    --------- X64 Entries -----------

    Thanks,
    Wayne
     
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  9. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    Here is the latest log:

    ComboFix 12-07-18.04 - Wayne 07/18/2012 20:31:58.3.2 - x64
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1602 [GMT -5:00]
    Running from: c:\users\Wayne\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000004.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\000000cb.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000000.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000032.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000064.@
    .
    ---- Previous Run -------
    .
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\00000004.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\1afb2d56
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\L\201d3dde
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000004.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\00000008.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\000000cb.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000000.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000032.@
    c:\windows\Installer\{7faaaafa-cf14-2f74-3593-878a94dc601b}\U\80000064.@
    .
    c:\windows\system32\services.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-17 18:26 . 2012-07-17 18:26 -------- d-----w- C:\FRST
    2012-07-13 03:39 . 2012-07-13 03:39 -------- d-----w- c:\users\Wayne\AppData\Roaming\Malwarebytes
    2012-07-13 03:39 . 2012-07-13 03:39 -------- d-----w- c:\programdata\Malwarebytes
    2012-07-13 03:39 . 2012-07-13 03:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-13 03:39 . 2012-07-03 18:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-12 04:48 . 2012-07-12 04:48 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-11 00:58 . 2012-06-05 16:47 708608 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
    2012-07-06 04:01 . 2012-07-19 00:16 -------- d-----w- c:\users\Wayne\AppData\Roaming\Thunderbird
    2012-07-04 04:22 . 2012-07-04 04:21 476936 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 02:59 . 2012-04-15 04:21 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 02:59 . 2011-11-01 15:56 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 08:04 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-07-04 04:21 . 2010-05-02 23:43 472840 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-06-26 04:15 . 2008-12-25 18:31 164880 ---ha-w- c:\users\Wayne\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
    2012-05-01 14:29 . 2012-06-14 00:53 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-23 16:25 . 2012-06-14 00:53 174592 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-23 16:25 . 2012-06-14 00:53 132096 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-23 16:25 . 2012-06-14 00:53 1267200 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-23 16:00 . 2012-06-14 00:53 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-04-23 16:00 . 2012-06-14 00:53 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-04-23 16:00 . 2012-06-14 00:53 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2009-04-11 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [7] 2008-01-21 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [-] 2009-04-11 . B8844F93D2C5F1DCDB179AAA9AF134B7 . 381952 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-18_18.12.13 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-07-12 04:50 . 2012-07-18 17:46 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
    + 2012-07-12 04:50 . 2012-07-18 20:59 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
    + 2008-12-24 16:29 . 2012-07-18 23:19 19266 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1640899211-619604783-1113738171-1000_UserData.bin
    + 2008-01-21 03:19 . 2012-07-18 23:17 786432 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:19 . 2012-07-18 17:53 786432 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2012-07-12 04:48 . 2012-07-18 21:00 262144 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    - 2012-07-12 04:48 . 2012-07-18 17:45 262144 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2008-12-25 18:18 . 2012-07-18 22:56 406814 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2006-11-02 15:44 . 2012-07-18 23:19 110812 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 12:46 . 2012-07-18 23:23 660368 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-07-18 17:27 660368 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-07-18 17:27 126010 c:\windows\system32\perfc009.dat
    + 2006-11-02 12:46 . 2012-07-18 23:23 126010 c:\windows\system32\perfc009.dat
    - 2008-01-21 03:19 . 2012-07-18 17:53 6127616 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:19 . 2012-07-18 23:17 6127616 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:19 . 2012-07-18 17:53 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:19 . 2012-07-18 23:17 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-08 15:55 297808 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
    2010-09-12 19:24 2735200 ----a-w- c:\program files (x86)\EvonyNet\tbEvo0.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-21 41984]
    "TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]
    "CollaborationHost"="c:\windows\system32\p2phost.exe" [BU]
    "OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 39408]
    "Browser Infrastructure Helper"="c:\users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe" [2012-02-28 19272]
    "Optimizer Pro"="c:\program files (x86)\Optimizer Pro\OptProLauncher.exe" [2012-01-02 81912]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
    "DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
    "dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [BU]
    "PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "SelectRebates"="c:\program files (x86)\SelectRebates\SelectRebates.exe" [BU]
    "PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-27 801792]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2012-03-08 4280184]
    .
    c:\users\Wayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2007-2-27 982320]
    Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
    Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 02:59]
    .
    2012-07-18 c:\windows\Tasks\Google Software Updater.job
    - c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-03 23:45]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-17 02:03]
    .
    2012-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000Core.job
    - c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000UA.job
    - c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
    .
    2012-07-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
    .
    2012-07-18 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-08 15:55 444752 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3863040]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 2320752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.plusnetwork.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
    IE: Send image to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.0.200 216.165.129.157
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{36A4BDCD-D5B5-4618-B144-E335D0F3D381} - (no file)
    AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
    AddRemove-Adobe ConnectNow Add-in - c:\users\Wayne\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\acaddin\acaddin.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-07-18 20:52:16
    ComboFix-quarantined-files.txt 2012-07-19 01:52
    .
    Pre-Run: 60,408,598,528 bytes free
    Post-Run: 60,475,002,880 bytes free
    .
    - - End Of File - - 0D3AA42741868526E754DA703EB90864
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      services.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    Here is the requested log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 08:47 on 19/07/2012 by Wayne
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "services.exe"
    C:\Windows\System32\services.exe--a---- 381952 bytes[03:19 11/09/2009][07:10 11/04/2009] B8844F93D2C5F1DCDB179AAA9AF134B7
    C:\Windows\SysWOW64\services.exe--a---- 279552 bytes[03:19 11/09/2009][06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe--a---- 384512 bytes[02:48 21/01/2008][02:48 21/01/2008] DFAC660F0F139276CC9299812DE42719
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe--a---- 384512 bytes[03:19 11/09/2009][07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe--a---- 279040 bytes[02:49 21/01/2008][02:49 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe--a---- 279552 bytes[03:19 11/09/2009][06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B

    -= EOF =-
     
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  13. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    I created the script file and used it to run ComboFix. After it finished its thing, it rebooted my system. As it is now, it will not start Windows. I have tried Safe Mode both with and without command prompt. I always just get a blank screen. The mouse cursor is visible and does respond, but that is all.

    What do I do now?
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Very strange.

    Download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
    • Press Scan button.
    • Type exit and reboot the computer normally.
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
     
  15. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    Yes, it is strange as I know that you folks are good at what you do. I was hoping that I would hear back from you a little sooner and I know that you probably have a full plate. I needed to get my system back to a state that at least Windows was running and I just received your reply. To that end I pulled out the DVD and booted from it. It is at the same service pack that the machine is. Seeing that the script copied another SERVICES.EXE over to the system folder, I deduced that was the issue. I got to the command prompt and copied the file from the DVD to the HD, after renaming the current one. The system rebooted just fine and ComboFix finished its job. There is now a log file from it.

    I have not had AVG or MalwareBytes flag anything yet. I have AVG running a full scan to double check. If you wish, I can still post the ComboFix.txt file for you. I also understand that you may want to run some other process to check the system again. Please let me know if that is the case.
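    The SystemLook output in post 11 and the FCopy line in the log below carry the whole story: the live System32\services.exe hash matches neither 64-bit WinSxS copy, while the SysWOW64 copy matches its 32-bit WinSxS twin exactly, and the CFScript then copied an x86 WinSxS copy into the native 64-bit directory. The script below is an added example (not SystemLook's code and not from this thread) that automates that comparison over the six filefind lines quoted above; it assumes the line format exactly as SystemLook printed it here and the x64 Windows convention that System32 holds 64-bit and SysWOW64 holds 32-bit binaries.

```python
"""Cross-check live copies of services.exe against the WinSxS component store.

Added example for this thread (not SystemLook's code and not from the thread
itself). It parses SystemLook ':filefind' result lines in the format quoted in
post 11 and reports, for each live copy, whether its MD5 matches a WinSxS copy
of the same architecture. It also checks that a proposed WinSxS -> live copy
keeps architectures aligned.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the six result lines quoted in the thread's SystemLook log (post 11).
SAMPLE_LOG = r"""
Searching for "services.exe"
C:\Windows\System32\services.exe--a---- 381952 bytes[03:19 11/09/2009][07:10 11/04/2009] B8844F93D2C5F1DCDB179AAA9AF134B7
C:\Windows\SysWOW64\services.exe--a---- 279552 bytes[03:19 11/09/2009][06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe--a---- 384512 bytes[02:48 21/01/2008][02:48 21/01/2008] DFAC660F0F139276CC9299812DE42719
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe--a---- 384512 bytes[03:19 11/09/2009][07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe--a---- 279040 bytes[02:49 21/01/2008][02:49 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe--a---- 279552 bytes[03:19 11/09/2009][06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
"""

# The live 64-bit copy, and the WinSxS copy the thread's CFScript actually placed over it.
LIVE64 = r"C:\Windows\System32\services.exe"
THREAD_FCOPY_SRC = (r"C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller"
                    r"_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe")

# <path><7 attribute flags> <size> bytes[<modified>][<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)(?P<attrs>[-drhsa]{7}) (?P<size>\d+) bytes"
    r"\[(?P<mtime>[^\]]+)\]\[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Copy:
    path: str
    size: int
    md5: str
    store: str      # "live" (System32/SysWOW64) or "winsxs"
    arch: str       # "amd64" or "x86"
    version: tuple  # component version from the WinSxS folder name; () for live copies


def parse_filefind(log: str) -> List[Copy]:
    copies: List[Copy] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # header / footer lines
        path = m["path"]
        low = path.lower()
        if "\\winsxs\\amd64_" in low:
            store, arch = "winsxs", "amd64"
        elif "\\winsxs\\x86_" in low:
            store, arch = "winsxs", "x86"
        elif "\\system32\\" in low:
            store, arch = "live", "amd64"   # native 64-bit directory on x64 Windows
        elif "\\syswow64\\" in low:
            store, arch = "live", "x86"     # 32-bit directory on x64 Windows
        else:
            continue
        v = re.search(r"_(\d+(?:\.\d+){3})_", low)
        version = tuple(int(x) for x in v.group(1).split(".")) if v else ()
        copies.append(Copy(path, int(m["size"]), m["md5"].upper(), store, arch, version))
    return copies


def verdicts(copies: List[Copy]) -> Dict[str, dict]:
    """Per live copy: does its hash match a same-arch WinSxS copy, and which same-arch copy is newest?"""
    report: Dict[str, dict] = {}
    for live in (c for c in copies if c.store == "live"):
        same_arch = [c for c in copies if c.store == "winsxs" and c.arch == live.arch]
        matches = [c for c in same_arch if c.md5 == live.md5]
        newest: Optional[Copy] = max(same_arch, key=lambda c: c.version, default=None)
        report[live.path] = {
            "arch": live.arch,
            "matches_store": bool(matches),  # False => hash unknown to the store: suspect
            "matched_version": matches[0].version if matches else None,
            "replacement": newest.path if newest else None,
        }
    return report


def copy_is_arch_safe(copies: List[Copy], src_path: str, dst_path: str) -> bool:
    """True only when a WinSxS source and a live destination share an architecture."""
    by_path = {c.path.lower(): c for c in copies}
    src, dst = by_path.get(src_path.lower()), by_path.get(dst_path.lower())
    return bool(src and dst and src.store == "winsxs" and dst.store == "live"
                and src.arch == dst.arch)


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for path, r in verdicts(found).items():
        status = "matches WinSxS" if r["matches_store"] else "NO same-arch WinSxS match (suspect)"
        print(f"{path} [{r['arch']}]: {status}")
        print(f"    newest same-arch store copy: {r['replacement']}")
    print("thread's FCopy arch-safe:", copy_is_arch_safe(found, THREAD_FCOPY_SRC, LIVE64))
```

On the thread's data the System32 copy is flagged as unknown to the store, the SysWOW64 copy is confirmed against its 6.0.6002.18005 x86 twin, and the CFScript's x86-to-System32 copy is reported as an architecture mismatch.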
     
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go ahead with ComboFix.txt then, please.
     
  17. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    ComboFix 12-07-18.04 - Wayne 07/19/2012 14:05:53.4.2 - x64
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4085.1808 [GMT -5:00]
    Running from: c:\users\Wayne\Desktop\ComboFix.exe
    Command switches used :: c:\users\Wayne\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Wayne\AppData\Local\Temp\nscFBA.tmp\newadvsplash.dll
    c:\users\Wayne\AppData\Local\Temp\nscFBA.tmp\registry.dll
    c:\users\Wayne\AppData\Local\Temp\nscFBA.tmp\System.dll
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --> c:\windows\system32\services.exe
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-20 20:05 . 2008-01-19 08:00  384512  ----a-w-  c:\windows\system32\services.exe
    2012-07-19 19:20 . 2012-07-19 19:20  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-07-19 19:20 . 2012-07-19 19:20  --------  d-----w-  c:\users\Administrator\AppData\Local\temp
    2012-07-19 14:15 . 2012-07-19 14:15  --------  d-----w-  c:\users\Wayne\AppData\Local\Thunderbird
    2012-07-17 18:26 . 2012-07-17 18:26  --------  d-----w-  C:\FRST
    2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\users\Wayne\AppData\Roaming\Malwarebytes
    2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\programdata\Malwarebytes
    2012-07-13 03:39 . 2012-07-13 03:39  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-07-13 03:39 . 2012-07-03 18:46  24904  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-07-12 04:48 . 2012-07-12 04:48  --------  d-sh--w-  c:\windows\SysWow64\%APPDATA%
    2012-07-11 00:58 . 2012-06-05 16:47  708608  ----a-w-  c:\program files (x86)\Common Files\System\ado\msado15.dll
    2012-07-06 04:01 . 2012-07-19 14:15  --------  d-----w-  c:\users\Wayne\AppData\Roaming\Thunderbird
    2012-07-04 04:22 . 2012-07-04 04:21  476936  ----a-w-  c:\windows\SysWow64\npdeployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 02:59 . 2012-04-15 04:21  426184  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-12 02:59 . 2011-11-01 15:56  70344  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 08:04 . 2006-11-02 12:35  59701280  ----a-w-  c:\windows\system32\mrt.exe
    2012-07-04 04:21 . 2010-05-02 23:43  472840  ----a-w-  c:\windows\SysWow64\deployJava1.dll
    2012-06-26 04:15 . 2008-12-25 18:31  164880  ---ha-w-  c:\users\Wayne\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
    2012-05-01 14:29 . 2012-06-14 00:53  209920  ----a-w-  c:\windows\system32\drivers\rdpwd.sys
    2012-04-23 16:25 . 2012-06-14 00:53  174592  ----a-w-  c:\windows\system32\cryptsvc.dll
    2012-04-23 16:25 . 2012-06-14 00:53  132096  ----a-w-  c:\windows\system32\cryptnet.dll
    2012-04-23 16:25 . 2012-06-14 00:53  1267200  ----a-w-  c:\windows\system32\crypt32.dll
    2012-04-23 16:00 . 2012-06-14 00:53  984064  ----a-w-  c:\windows\SysWow64\crypt32.dll
    2012-04-23 16:00 . 2012-06-14 00:53  133120  ----a-w-  c:\windows\SysWow64\cryptsvc.dll
    2012-04-23 16:00 . 2012-06-14 00:53  98304  ----a-w-  c:\windows\SysWow64\cryptnet.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-18_18.12.13 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-07-12 04:50 . 2012-07-18 20:59  65536  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
    - 2012-07-12 04:50 . 2012-07-18 17:46  65536  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
    + 2008-12-24 16:29 . 2012-07-20 17:09  19326  c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1640899211-619604783-1113738171-1000_UserData.bin
    - 2008-01-21 03:19 . 2012-07-18 17:53  786432  c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:19 . 2012-07-20 17:06  786432  c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2012-07-12 04:48 . 2012-07-18 17:45  262144  c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2012-07-12 04:48 . 2012-07-18 21:00  262144  c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2008-12-25 18:18 . 2012-07-19 13:20  407286  c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2006-11-02 15:44 . 2012-07-20 17:09  111020  c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 12:46 . 2012-07-18 17:27  660368  c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-07-19 16:02  660368  c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-07-19 16:02  126010  c:\windows\system32\perfc009.dat
    - 2006-11-02 12:46 . 2012-07-18 17:27  126010  c:\windows\system32\perfc009.dat
    - 2010-11-21 16:13 . 2012-07-18 17:08  425268  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-11-21 16:13 . 2012-07-19 19:21  425268  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2008-01-21 03:19 . 2012-07-20 17:06  6127616  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:19 . 2012-07-18 17:53  6127616  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-01-01 09:05 . 2012-07-18 17:08  4650384  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2009-01-01 09:05 . 2012-07-19 19:21  4650384  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2010-11-21 16:13 . 2012-07-19 19:21  6840766  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1640899211-619604783-1113738171-1000-8192.dat
    - 2010-11-21 16:13 . 2012-07-18 17:08  6840766  c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1640899211-619604783-1113738171-1000-8192.dat
    + 2008-01-21 03:19 . 2012-07-20 17:06  16187392  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:19 . 2012-07-18 17:53  16187392  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-08 15:55  297808  ----a-w-  c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
    2010-09-12 19:24  2735200  ----a-w-  c:\program files (x86)\EvonyNet\tbEvo0.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{36a4bdcd-d5b5-4618-b144-e335d0f3d381}"= "c:\program files (x86)\EvonyNet\tbEvo0.dll" [2010-09-12 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{36a4bdcd-d5b5-4618-b144-e335d0f3d381}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-21 41984]
    "TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]
    "CollaborationHost"="c:\windows\system32\p2phost.exe" [BU]
    "OpenDNS Updater"="c:\program files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-03 39408]
    "Browser Infrastructure Helper"="c:\users\Wayne\AppData\Local\Smartbar\Application\Smartbar.exe" [2012-02-28 19272]
    "Optimizer Pro"="c:\program files (x86)\Optimizer Pro\OptProLauncher.exe" [2012-01-02 81912]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
    "DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
    "dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [BU]
    "PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "SelectRebates"="c:\program files (x86)\SelectRebates\SelectRebates.exe" [BU]
    "PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2012-02-27 801792]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2012-03-08 4280184]
    .
    c:\users\Wayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Belkin\Bluetooth Software\BTTray.exe [2007-2-27 982320]
    Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
    Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute  REG_MULTI_SZ  autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 02:59]
    .
    2012-07-19 c:\windows\Tasks\Google Software Updater.job
    - c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-03 23:45]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-17 02:03]
    .
    2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000Core.job
    - c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
    .
    2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640899211-619604783-1113738171-1000UA.job
    - c:\users\Wayne\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-01 22:57]
    .
    2012-07-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
    .
    2012-07-20 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    2009-11-08 15:55  444752  ----a-w-  c:\windows\System32\mscoree.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 3863040]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 2320752]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.plusnetwork.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
    IE: Send image to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\Belkin\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 216.165.129.158 216.170.153.146
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{36A4BDCD-D5B5-4618-B144-E335D0F3D381} - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files (x86)\Secunia\PSI\PSIA.exe
    c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe
    c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
    c:\program files (x86)\AVG\AVG PC Tuneup\BoostSpeed.exe
    c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    c:\program files (x86)\Optimizer Pro\OptProSmartScan.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
    c:\program files (x86)\Optimizer Pro\OptProReminder.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
    c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    c:\program files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-07-20 12:24:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-20 17:24
    ComboFix2.txt 2012-07-19 01:52
    .
    Pre-Run: 59,414,577,152 bytes free
    Post-Run: 59,533,750,272 bytes free
    .
    - - End Of File - - 18342A2180E2F73F6C37CB33EAC76F2C
     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and Scan unwanted applications are checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  19. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
     
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
     
  21. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    Everything seems to be operating within "government" standards! Speed is good, no error msgs or fake alerts. All icons are what I expect. Both cores are running at 5-10%, with memory at 72% of the 4 GB. No BSODs, nor did I have any before with this issue.

    Thanks so much for lending me a hand. It is rare that I find myself in this position, but at least I know that there are people around that can help.
     
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good news. Let's do some final steps...

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Please download TFC by OldTimer to your desktop
    • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • It will close all programs when run, so make sure you have saved all your work before you begin.
    • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
    • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
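The same "create a fresh restore point, then purge the old ones" sequence as the GUI steps above, done from an elevated PowerShell prompt. This is an added example for readers of the thread, not something Jay posted; it assumes Windows PowerShell 2.0 is installed on the Vista x64 machine (for Checkpoint-Computer and Get-ComputerRestorePoint) and that System Protection is enabled on drive C:.

```powershell
# Added example (not from the thread): new "Clean" restore point, then delete the
# older shadow copies on C: that Disk Cleanup's "System Restore and Shadow Copies"
# button would remove. Run elevated. Assumes PowerShell 2.0 and System Protection on C:.

# 1. Create the fresh restore point (System Protection > Create > "Clean").
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

# 2. Show what exists now; the newest entry should be "Clean".
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 3. Restore points live in Volume Shadow Copies. Match the copies for C: by the
#    volume device ID (both sides use the \\?\Volume{GUID}\ form).
$cDevice = (Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadows = @(Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cDevice } |
    Sort-Object InstallDate)            # CIM datetime strings sort chronologically

"{0} shadow copies on C:, keeping the newest" -f $shadows.Count

# 4. Delete all but the last (newest) copy, which holds the "Clean" point.
#    Review the listing from step 2 first; deletion is permanent.
$shadows | Select-Object -First ([Math]::Max($shadows.Count - 1, 0)) |
    ForEach-Object {
        "Deleting shadow copy $($_.ID) created $($_.InstallDate)"
        $_.Delete()
    }
```

Keeping the newest copy rather than using `vssadmin delete shadows /all` matters: `/all` would also wipe the "Clean" point you just created.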
     
  23. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    I ran all 4 processes as listed above. Here is the log from the Security Check step:

    Results of screen317's Security Check version 0.99.43
    Windows Vista Service Pack 2 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    AVG Anti-Virus Free Edition 2012
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Secunia PSI (2.0.0.4003)
    Malwarebytes Anti-Malware version 1.62.0.1300
    AVG PC Tuneup
    Java(TM) 6 Update 22
    Java(TM) 6 Update 33
    Java(TM) 6 Update 7
    Java version out of Date!
    Adobe Flash Player11.3.300.268
    Adobe Reader 9 Adobe Reader out of Date!
    Adobe Reader X (10.1.3)
    Google Chrome 20.0.1132.47
    Google Chrome 20.0.1132.57
    Google Chrome plugins...
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    AVG avgwdsvc.exe
    AVG avgtray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0 %
    ````````````````````End of Log``````````````````````
    The laptop is running just fine. Can I remove Malwarebytes at this time, or is there more coming from you that will do that?

    Wayne
     
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi. Usually, I like keeping MBAM for additional scans in the future. It might help as a good backup. Otherwise, you can remove it from your programs list as you wish!

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
     
  25. Wayne Stemple

    Wayne Stemple TS Rookie Topic Starter

    I was able to address the Java part, but there is no version 9 listed for Adobe Acrobat Reader. I did find an old version 4 buried in an application sub-dir and removed it. I reran the Security program and it still reports version 9. I did a scan for the file and here is the DIR output:


    C:\>dir acrord32.exe /s/p
    Volume in drive C is OS
    Volume Serial Number is 6EDB-0B0A

    Directory of C:\Program Files (x86)\Adobe\Reader 10.0\Reader

    04/04/2012 12:53 AM 1,496,472 AcroRd32.exe
    1 File(s) 1,496,472 bytes

    Directory of C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0

    06/06/2011 12:55 PM 1,480,600 AcroRd32.exe
    1 File(s) 1,480,600 bytes

    Total Files Listed:
    2 File(s) 2,977,072 bytes
    0 Dir(s) 75,508,473,856 bytes free

    C:\>

    Both these are ver 10.x. Could Security be giving us a false positive?

    Wayne
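Added example for the two posts above (Jay's "remove every old Java and Adobe Reader version" procedure and Wayne's question about a reported Reader 9 with only 10.x binaries on disk); it is not code from the thread and not how Security Check works, which the thread does not describe. It lists the Java and Adobe Reader entries still present in the Uninstall registry keys (including the 32-bit Wow6432Node view on x64 Vista and per-user installs), flags entries whose install folder is gone, looks for leftover per-version Reader keys under HKLM\SOFTWARE\Adobe (an assumed location), and reads the version stamped into the AcroRd32.exe that DIR found.

```powershell
# Added example (not from the thread): find Java / Adobe Reader remnants that the
# Programs and Features list may not show. Read-only; no elevation needed.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE|Adobe Reader|Acrobat' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString, PSChildName

"Uninstall entries for Java / Adobe Reader:"
$entries | Format-Table DisplayName, DisplayVersion, PSChildName -AutoSize

# An entry whose InstallLocation no longer exists is a leftover of an incomplete
# uninstall. (Assumption: a version checker reading these keys would still report
# the old version; the thread does not say what Security Check reads.)
"Entries whose install folder is missing:"
$entries |
    Where-Object { $_.InstallLocation -and -not (Test-Path -LiteralPath $_.InstallLocation) } |
    ForEach-Object { "  {0} {1}  (key {2})" -f $_.DisplayName, $_.DisplayVersion, $_.PSChildName }

# Adobe Reader keeps a per-version settings key; an orphaned "9.0" subkey can
# outlive an uninstall. (Assumed key location, not confirmed by the thread.)
"Adobe Reader version keys under HKLM\SOFTWARE:"
Get-ChildItem -Path 'HKLM:\SOFTWARE\Adobe\Acrobat Reader',
                    'HKLM:\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader' -ErrorAction SilentlyContinue |
    ForEach-Object { "  " + $_.Name }

# The version embedded in the binary DIR located (path taken from the thread's output).
$exe = 'C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe'
if (Test-Path -LiteralPath $exe) {
    (Get-Item -LiteralPath $exe).VersionInfo | Select-Object FileVersion, ProductVersion
}
```

If the Uninstall keys and the Adobe version keys show only 10.x, the on-disk state matches the DIR listing and an old-version report is worth re-checking rather than chasing; if a stray 9.0 entry turns up, removing it through its own UninstallString (or, for an orphan with no files, the registry key itself) is the cleanup the thread's procedure is aiming at.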
     