
Topic: Malware or Virus


Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Malware or Virus
« on: September 16, 2011, 12:00:01 AM »
Alright, so I run Windows 7 Home Premium (or something home-edition-y, I forget), and I mostly just play World of Warcraft and browse Facebook, and occasionally stumble (which may be the problem).
Not running much anti-software, was running Rising but it apparently doesn't work, because I have a virus. I talked to a few guys in the live chat and they said to post here. I got a bunch of errors saying that my C drive was unreadable, my disc drive was shot, files were being deleted, blah blah buncha other stuff I freaked out about and started running scans on.

After restarting, I found that I couldn't access anything inside my folders or the C drive, although I managed to get around that and get on the web, because I'm still using the laptop now, running in safe mode with networking. I'm not too good with computers, but I'm smart enough to know there's probably nothing wrong with my disk. What is this and how can I fix it?

geek hoodlum



    Apprentice
  • Thanked: 25
  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #1 on: September 16, 2011, 12:09:00 AM »
Hi and welcome to Computer Hope!

A virus is a kind of malware (short for malicious software). Read this before requesting malware removal help.

Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #2 on: September 16, 2011, 12:17:46 AM »
Alright yeah I read most of that already, in the process of scanning my computer for viruses with Avast!.

I guess I should have also posted another problem I'm having. I'm trying to get into the task manager right now but the virus has disabled it. I need to close a process that is potentially preventing me from uninstalling unnecessary programs from my add/remove programs list, saying "wait until the program is finished uninstalling" when there is currently no program uninstalling.

Still running in safe mode but I'm hoping for a way to fix this while the antivirus is running to handle multiple things at a time. I still have to uninstall Rising and a few other potentially harmful programs that I overlooked in the past.

SuperDave

  • Malware Removal Specialist


  • Sage
  • Thanked: 847
  • Certifications: List
  • Experience: Expert
  • OS: Windows 8
Re: Malware or Virus
« Reply #3 on: September 16, 2011, 04:48:31 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download and run MBAM while in Safe Mode with Networking. Then try to boot in Normal mode, run all the scans and post the logs.

Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
**************************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SUPERAntiSpyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to update the program definitions, click Yes.
* If you encounter any problems while downloading the updates, manually download and unzip them from here.
* Next click the Preferences button.
  * Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  * Close browsers before scanning
  * Scan for tracking cookies
  * Terminate memory threats before quarantining
  Please leave the others unchecked.
* Click the Close button to leave the control center screen.
* On the main screen click Scan your computer.
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and, if it asks if you want to reboot, click Yes.

To retrieve the removal information please do the following:
* After reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (preferably Notepad).
* Save the Notepad file to your desktop by clicking (in Notepad) File > Save As...
* Save the log somewhere you can easily find it (normally the desktop).
* Click Close and Close again to exit the program.
* Copy and paste the log in your post.
***********************************************
Download DDS from HERE or HERE and save it to your desktop.

* Vista users: right-click on dds and select Run as administrator (you will receive a UAC prompt; please allow it).
* XP users: double-click on dds to run it.
* If your antivirus or firewall tries to block DDS, please allow it to run.
* When finished, DDS will open two (2) logs:
  1) DDS.txt
  2) Attach.txt
* Save both reports to your desktop.
* The instructions there ask you to attach Attach.txt. Instead of attaching, please copy/paste both logs into your thread.

Note: DDS will instruct you to post the Attach.txt log as an attachment. Please just post it as you would any other log, by copying and pasting it into the reply.

* Close the program window, and delete the program from your desktop.

Please note: you may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).
Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender

Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #4 on: September 16, 2011, 10:00:03 PM »
I know most of this looks bad, but I use stumble a lot and a lot of this comes from pop-ups from just clicking. I usually delete my history whenever I close Firefox but... I guess this is the kinda stuff that doesn't get deleted...

Also, I did the two antivirus things, but I'm not sure how that DDS thing works. I think your post is outdated and doesn't explain the new format, or Windows 7 does something differently.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/16/2011 at 10:46 PM

Application Version : 5.0.1118

Core Rules Database Version : 7705
Trace Rules Database Version: 5517

Scan type       : Complete Scan
Total Scan Time : 01:32:53

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC On - Limited User

Memory items scanned      : 543
Memory threats detected   : 0
Registry items scanned    : 70834
Registry threats detected : 0
File items scanned        : 230261
File threats detected     : 117

Adware.Tracking Cookie
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@atdmt[2].txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@casalemedia[2].txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@doubleclick[1].txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@fastclick[1].txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@imrworldwide[2].txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@msadcenter.112.2o7[1].txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@statse.webtrendslive[1].txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\DGGVKV2P.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\ID5KLEKO.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\WQ06XNAJ.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\3K6M89XB.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\0WXWG21M.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\UI051Z2R.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\T2YFSYPN.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\OQ3R6H3H.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\KG9OMX1H.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\2LOKY26S.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\RT4U3IED.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\WUJF0GHD.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\HCM49VJR.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\DTJG05JF.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\K9M7RMJG.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\23PPR8UX.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\LES4QPBV.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\EMVYN7X7.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\OC8JW6DM.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\Z0S0V86F.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\ZL8MAE0R.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\WEUIVRW4.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\9T6H6Z7T.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\8SN3TCOM.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\J6XIGEPC.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\B1MMGHES.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\O4JX5CO3.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\ZBMOCGA6.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\3K6N974Z.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\RPMVVOF7.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\R6RBT2FC.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\WATEDB2J.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\C3JM117A.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\PMA1ML2R.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\SZXT9F15.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\NJ519SEV.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\PJ6PQKVK.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\GT7ZQHC5.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\FV8X9EZL.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\2Y96HTOF.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\49YTGKDP.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\ZWE75PDF.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\SFL20DGG.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\KWJ4B9JP.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\1ZT3ZAMX.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\RA8PQ1SJ.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\3GQ8PNBV.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\8PNXTEN3.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\DZF1B91X.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\VM41X1W5.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\WMNMQEQS.txt
   C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\561Z9ZLQ.txt
   C:\USERS\JOHN\APPDATA\LOCAL\TEMP\LOW\COOKIES\JOHN@DOUBLECLICK[1].TXT
   8tracks.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   ad.insightexpressai.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   banners.securedataimages.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   cdn.eyewonder.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   cdn.tremormedia.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   cdn2.themis-media.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   cdn4.specificclick.net [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   cloud.video.unrulymedia.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   content.oddcast.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   content.yieldmanager.edgesuite.net [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   convoad.technoratimedia.net [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   core.insightexpressai.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   demos.immersivemedia.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   freecamsexposed.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   fuckmusic.fm [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   i.*adult URL* [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   ia.media-imdb.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.cnbc.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.crooksandliars.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.entertonement.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.heavy.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.ign.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.loc.gov [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.movieweb.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.mtvnservices.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.nbcchicago.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.noob.us [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.rockstargames.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.scanscout.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.socialvi.be [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.socialvibe.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.theonion.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.wah.fm [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media.yb.nl [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media1.break.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media1.clubpenguin.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media2.wah.fm [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   media2.wearehunted.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   msnbcmedia.msn.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   objects.tremormedia.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   s0.2mdn.net [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   secure-us.imrworldwide.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   sexier.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   speed.pointroll.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   static.discoverymedia.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   static.freecamsexposed.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   static.xxxmatch.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   tweetcracker.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   us.media.blizzard.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   viewster.us-host.hiro-media-farm.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   www.99counters.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   www.naiadsystems.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   www.nakedonthestreets.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   www.pornhub.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   www.stayteen.org [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   www.yourdailymedia.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]
   yourdailymedia.com [ C:\USERS\JOHN\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\XKBVQTEV ]



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7730

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

9/16/2011 8:56:32 PM
mbam-log-2011-09-16 (20-56-32).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 388493
Time elapsed: 48 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{19090308-636D-4e9b-A1CE-A647B6F794BF} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19090308-636D-4E9B-A1CE-A647B6F794BF} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{19090308-636D-4E9B-A1CE-A647B6F794BF} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\John\AppData\Roaming\microsoft\Windows\start menu\Programs\opencloud security (Rogue.OpenCloudSecurity) -> Quarantined and deleted successfully.

Files Infected:
c:\program files (x86)\common files\Spigot\wtxpcom\components\widgitoolbarff.dll.5 (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
c:\programdata\1kalmig2kb7fzp.exe (Trojan.FakeAlert.PeGen) -> Quarantined and deleted successfully.
c:\programdata\kwydogafxmojl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\0.0768978805424273.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\0.16698106493176446.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\0.3883298740605404.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\0.41319240553678815.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\0.9689295512868997.exe (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Roaming\microsoft\Windows\start menu\Programs\opencloud security\opencloud security.lnk (Rogue.OpenCloudSecurity) -> Quarantined and deleted successfully.



I also got a blue screen before I started any of this, and I'm not sure if it changes anything, but I added the log in case.

Problem signature:
  Problem Event Name:   BlueScreen
  OS Version:   6.1.7600.2.0.0.768.3
  Locale ID:   1033

Additional information about the problem:
  BCCode:   1e
  BCP1:   FFFFFFFFC0000005
  BCP2:   FFFFFA8004A537A7
  BCP3:   0000000000000000
  BCP4:   0000000076EA0000
  OS Version:   6_1_7600
  Service Pack:   0_0
  Product:   768_1

Files that help describe the problem:
  C:\Windows\Minidump\091611-29000-01.dmp
  C:\Users\John\AppData\Local\Temp\WER-48188-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt
« Last Edit: September 16, 2011, 10:18:01 PM by Bubblescoop »
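The MBAM log above reports three PUM (potentially unwanted modification) entries rather than files: DisableTaskMgr under HKLM\...\Policies\System (which is exactly why Task Manager would not open in Reply #2), NoChangingWallPaper under HKCU\...\Policies\ActiveDesktop, and a ProxyServer value in the user's Internet Settings. Rogue "security" products such as the OpenCloud Security entries in the same log set these so the victim cannot kill the process and so the browser is routed through a proxy of their choosing. The script below is an added example, not code from this thread or from Malwarebytes or SUPERAntiSpyware: it re-checks those same registry locations (plus DisableRegistryTools, which the same family of malware commonly sets) so you can confirm nothing re-created them after the reboot, and reverts them when run with -Fix. It assumes an elevated PowerShell prompt on the affected machine and uses only PowerShell 2.0 syntax, the version that ships with Windows 7; the file name Check-Hijacks.ps1 in the usage note is an assumption.

```powershell
# Added example, not from the thread: audit the registry values MBAM reported as
# PUM.Hijack.TaskManager, PUM.Hijack.DisplayProperties and PUM.Bad.Proxy, and revert
# them when -Fix is given. PowerShell 2.0 syntax (Windows 7 default); run elevated.
param([switch]$Fix)

# Policy values that lock the user out of a tool. Any non-zero value is a hit; the
# clean state is "value absent" (Windows applies no restriction when it is missing).
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)

$hits = 0
foreach ($c in $policyChecks) {
    $name = $c.Name
    # SilentlyContinue: a missing key or missing value both come back as $null.
    $item = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.$name -ne 0) {
        $hits++
        Write-Warning ("HIT  {0}\{1} = {2}" -f $c.Path, $name, $item.$name)
        if ($Fix) {
            Remove-ItemProperty -Path $c.Path -Name $name
            Write-Host "     removed"
        }
    } else {
        Write-Host ("OK   {0}\{1} not set" -f $c.Path, $name)
    }
}

# Rogue AV commonly points the user's browser at a proxy so it can block vendor
# sites or inject pages. ProxyServer is the value MBAM flagged; ProxyEnable turns it on.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -ne $null -and ($p.ProxyEnable -eq 1 -or $p.ProxyServer)) {
    $hits++
    Write-Warning ("HIT  proxy: ProxyEnable={0} ProxyServer='{1}'" -f $p.ProxyEnable, $p.ProxyServer)
    if ($Fix) {
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "     proxy cleared; restart IE/Firefox so they re-read the setting"
    }
} else {
    Write-Host "OK   no user proxy configured"
}

Write-Host ("`n{0} hijack indicator(s) found" -f $hits)
```

Run it first without -Fix (for example `powershell -ExecutionPolicy Bypass -File .\Check-Hijacks.ps1`) and read the output; if a value reappears within minutes of removing it, the process that sets it is still running and removing the value is pointless until that process is gone, which is why SuperDave asks for the DDS process list before doing anything else.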

SuperDave

  • Malware Removal Specialist


  • Sage
  • Thanked: 847
  • Certifications: List
  • Experience: Expert
  • OS: Windows 8
Re: Malware or Virus
« Reply #5 on: September 17, 2011, 06:54:12 PM »
Quote: "I think your post is outdated and doesn't explain the new format, or Windows 7 does something differently."
It's probably outdated since Win7 came out but it's still quite straightforward. It's pretty much like Vista.
Can you boot in Normal mode? Please try to run DDS again and post the two logs.

Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #6 on: September 17, 2011, 09:36:02 PM »
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 1.6.0_22
Run by John at 22:11:37 on 2011-09-17
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3764.2651 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Advanced System Optimizer\memtuneup.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\TimeLeft3\TimeLeft.exe
C:\Program Files (x86)\Stardock\ObjectDock\Dock64.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603105416l0488z1k5t44n1d14s
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603105416l0488z1k5t44n1d14s
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603105416l0488z1k5t44n1d14s
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603105416l0488z1k5t44n1d14s
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Systweak Memory Optimizer] c:\program files (x86)\advanced system optimizer\memtuneup.exe
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [ArcadeDeluxeAgent] C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\STARDO~1.LNK - C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TimeLeft.lnk - C:\Program Files (x86)\TimeLeft3\TimeLeft.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A}   C:\Program Files (x86)\TimeLeft3\TLIntergIE.html - c:\program files (x86)\timeleft3\tlintergie.html\inprocserver32 does not exist!
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://cas-dorms.lewisu.local/auth/taweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{079E895E-A34A-44CA-AB30-B5385D4D0B79} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6145CDF8-2EC6-43CB-9825-47F460E57879}\2375942554437343 : DhcpNameServer = 172.16.0.1
TCP: Interfaces\{6145CDF8-2EC6-43CB-9825-47F460E57879}\2375942554532393 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6145CDF8-2EC6-43CB-9825-47F460E57879}\255444245594C444542535 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6145CDF8-2EC6-43CB-9825-47F460E57879}\75169707F62747F5143636563737 : DhcpNameServer = 192.168.5.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{6145CDF8-2EC6-43CB-9825-47F460E57879}\7594E404C454759435 : DhcpNameServer = 8.8.8.8
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64:     Ask Toolbar BHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [ArcadeDeluxeAgent] C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [NACAgentUI] C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\uluf7408.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=382950&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58808
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: XUL Cache: {9c0b4b35-0418-4b05-9889-938f63eac03b} - %profile%\extensions\{9c0b4b35-0418-4b05-9889-938f63eac03b}
FF - Ext: avast! WebRep: wrc@avast.com - C:\Program Files\AVAST Software\Avast\WebRep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys --> C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [?]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys --> C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [?]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys --> C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-9-16 44768]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-11-4 2320920]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-16 366152]
S2 NACAgent;Cisco NAC Agent;"C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe" --> C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [?]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
S3 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe [2009-9-11 305448]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2010-1-12 844320]
S4 Greg_Service;GRegService;C:\Program Files (x86)\Acer\Registration\GregHSRW.exe [2009-8-28 1150496]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-1 135664]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-1 135664]
S4 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-9-24 62720]
S4 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-6-17 50432]
S4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-6-17 144640]
S4 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S4 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2009-11-4 240160]
.
=============== Created Last 30 ================
.
2011-09-17 22:15:57   41272   ----a-w-   C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-17 02:10:35   --------   d-----w-   C:\Users\John\AppData\Roaming\SUPERAntiSpyware.com
2011-09-17 02:09:29   --------   d-----w-   C:\ProgramData\SUPERAntiSpyware.com
2011-09-17 02:09:29   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
2011-09-17 01:04:28   --------   d-----w-   C:\Users\John\AppData\Roaming\Malwarebytes
2011-09-17 01:04:19   --------   d-----w-   C:\ProgramData\Malwarebytes
2011-09-17 01:04:12   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-17 00:47:35   8862544   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{48D4906C-B379-4C2A-8C0A-AB0E6595F491}\mpengine.dll
2011-09-16 16:00:17   --------   d-----w-   C:\Program Files\Temp
2011-09-16 16:00:07   --------   d-----w-   C:\Temp
2011-09-16 05:11:06   601944   ----a-w-   C:\Windows\System32\drivers\aswSnx.sys
2011-09-16 05:11:05   65368   ----a-w-   C:\Windows\System32\drivers\aswMonFlt.sys
2011-09-16 05:10:58   41184   ----a-w-   C:\Windows\avastSS.scr
2011-09-16 05:10:53   --------   d-----w-   C:\ProgramData\AVAST Software
2011-09-16 05:10:53   --------   d-----w-   C:\Program Files\AVAST Software
2011-09-07 03:39:14   404640   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-03 04:44:20   --------   d-----w-   C:\Users\John\AppData\Local\Facebook
2011-08-30 00:24:09   --------   d-----w-   C:\Users\John\AppData\Roaming\Mumble
2011-08-30 00:23:43   --------   d-----w-   C:\Program Files (x86)\Mumble
2011-08-24 18:35:52   2048   ----a-w-   C:\Windows\SysWow64\tzres.dll
2011-08-24 18:35:52   2048   ----a-w-   C:\Windows\System32\tzres.dll
.
==================== Find3M  ====================
.
2011-07-22 05:35:08   1638912   ----a-w-   C:\Windows\System32\mshtml.tlb
2011-07-22 04:56:17   1638912   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:26:54   362496   ----a-w-   C:\Windows\System32\wow64win.dll
2011-07-16 05:26:53   243200   ----a-w-   C:\Windows\System32\wow64.dll
2011-07-16 05:26:53   13312   ----a-w-   C:\Windows\System32\wow64cpu.dll
2011-07-16 05:26:18   214528   ----a-w-   C:\Windows\System32\winsrv.dll
2011-07-16 05:24:09   16384   ----a-w-   C:\Windows\System32\ntvdm64.dll
2011-07-16 05:21:32   422400   ----a-w-   C:\Windows\System32\KernelBase.dll
2011-07-16 05:17:46   338432   ----a-w-   C:\Windows\System32\conhost.exe
2011-07-16 04:36:09   14336   ----a-w-   C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:32:14   44032   ----a-w-   C:\Windows\apppatch\acwow64.dll
2011-07-16 04:31:50   25600   ----a-w-   C:\Windows\SysWow64\setup16.exe
2011-07-16 04:30:29   5120   ----a-w-   C:\Windows\SysWow64\wow32.dll
2011-07-16 04:30:27   272384   ----a-w-   C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:26:12   7680   ----a-w-   C:\Windows\SysWow64\instnm.exe
2011-07-16 02:26:11   2048   ----a-w-   C:\Windows\SysWow64\user.exe
2011-07-16 02:21:47   6144   ---ha-w-   C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47   4608   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47   3584   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47   3072   ---ha-w-   C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:44:55   287744   ----a-w-   C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-23 05:29:39   5507968   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:38:05   3957120   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:38:04   3902336   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2011-06-21 06:27:14   1896832   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2011-06-21 06:20:48   1197056   ----a-w-   C:\Windows\System32\wininet.dll
2011-06-21 06:20:06   57856   ----a-w-   C:\Windows\System32\licmgr10.dll
2011-06-21 05:36:36   981504   ----a-w-   C:\Windows\SysWow64\wininet.dll
2011-06-21 05:35:05   44544   ----a-w-   C:\Windows\SysWow64\licmgr10.dll
2011-06-21 05:05:13   482816   ----a-w-   C:\Windows\System32\html.iec
2011-06-21 04:26:02   386048   ----a-w-   C:\Windows\SysWow64\html.iec
2011-05-04 15:28:07   39   ----a-w-   C:\Program Files\run.cmd
.
============= FINISH: 22:23:19.31 ===============


SuperDave

  • Malware Removal Specialist
Re: Malware or Virus
« Reply #7 on: September 18, 2011, 01:34:10 PM »
I strongly recommend that you remove Ask from your computer because it:

• Promotes its toolbars on sites targeted to kids.

• Promotes its toolbars through ads that appear to be part of other companies' sites.

• Promotes its toolbars through other companies' spyware.

• Installs without any disclosure whatsoever and without any consent whatsoever.

• Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

• Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

See Here for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

AskBarDis or anything related to Ask

Then please find and delete this folder (if present):
C:\Program Files\AskBarDis, or anything related to Ask.
*******************************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
******************************************************
Download OTL to your desktop.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:
:OTL

BHO-X64:     AcroIEHelperStub - No File
BHO-X64:     Ask Toolbar BHO - No File
FF - Ext: XUL Cache: {9c0b4b35-0418-4b05-9889-938f63eac03b} - %profile%\extensions\{9c0b4b35-0418-4b05-9889-938f63eac03b}

:COMMANDS
[resethosts]
[purity]
[start explorer]

* Click Run Fix
* OTL may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
***************************************************************
Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1
Link # 2
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Right-click combofix.exe and select Run as Administrator and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
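Added here as an editor's example, not a tool SuperDave used or anything the thread ran: a small Python triage script that reads DDS-style lines like the ones posted above and flags the entries the helper acted on (the orphaned "No File" BHO registrations, the GUID-only XUL Cache extension in the Firefox profile, the Ask toolbar), plus two things the log shows that the thread does not discuss: a loopback proxy left in prefs.js and UAC prompts moved off the secure desktop. The sample lines are copied from the DDS log above; the PUP name list, the severity labels and the regexes are this example's own assumptions.

```python
"""Triage a DDS-style log the way a malware-removal helper reads it (added example)."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS log posted earlier in this thread.
SAMPLE_LOG = r"""
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64:     Ask Toolbar BHO - No File
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58808
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XUL Cache: {9c0b4b35-0418-4b05-9889-938f63eac03b} - %profile%\extensions\{9c0b4b35-0418-4b05-9889-938f63eac03b}
FF - Ext: avast! WebRep: wrc@avast.com - C:\Program Files\AVAST Software\Avast\WebRep\FF
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FF_EXT_RE = re.compile(r"^FF - Ext: (?P<name>.+?): (?P<id>\S+) - (?P<path>.+)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - (.+)$")
UAC_RE = re.compile(r"^mPolicies-system: PromptOnSecureDesktop = (\d+)")
# Add-ons the helper in this thread told the poster to uninstall (assumption: extend as needed).
PUP_NAMES = ("ask toolbar",)


def _finding(severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the log entries worth acting on, in log order, each with a severity:
    'remove' (paste into an OTL :OTL fix), 'uninstall' (Add/Remove Programs),
    'review' (needs a human look) or 'harden' (weakened OS setting)."""
    findings: List[Dict[str, str]] = []
    proxy: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = line.split(":", 1)[0]  # "BHO-X64", "TB-X64", "FF - Ext", ...
        if head in ("BHO", "TB", "BHO-X64", "TB-X64"):
            if line.endswith("- No File"):
                # DDS indents a registration whose DLL no longer exists under its parent entry.
                findings.append(_finding("remove", line, "orphaned IE add-on registration, its file is gone"))
            elif any(p in line.lower() for p in PUP_NAMES):
                findings.append(_finding("uninstall", line, "unwanted toolbar, remove it with its uninstaller"))
        elif head == "FF - Ext":
            m = FF_EXT_RE.match(line)
            if m and GUID_RE.match(m.group("id")) and m.group("path").startswith("%profile%"):
                # Dropped straight into the user's profile under a bare GUID, not placed by an installer.
                findings.append(_finding("remove", line, "GUID-only extension inside the Firefox profile"))
        elif head == "FF - prefs.js":
            m = FF_PROXY_RE.match(line)
            if m:
                proxy[m.group(1)] = m.group(2)
        elif head == "mPolicies-system":
            m = UAC_RE.match(line)
            if m and m.group(1) == "0":
                findings.append(_finding("harden", line,
                                         "UAC prompts appear on the normal desktop, where other programs can drive them"))
    host = proxy.get("network.proxy.http")
    if host in ("127.0.0.1", "localhost"):
        port = proxy.get("network.proxy.http_port", "?")
        in_use = proxy.get("network.proxy.type", "0") != "0"
        note = "and it is active" if in_use else "but network.proxy.type is 0, so it is not in use"
        findings.append(_finding("review", f"network.proxy.http = {host}:{port}",
                                 f"Firefox has a loopback proxy configured, {note}"))
    return findings


def otl_fix_lines(findings: List[Dict[str, str]]) -> List[str]:
    """Build the OTL Custom Scans/Fixes text in the same shape the helper posted above."""
    body = [f["line"] for f in findings if f["severity"] == "remove"]
    return [":OTL", ""] + body + ["", ":COMMANDS", "[resethosts]", "[purity]", "[start explorer]"]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:>9}] {f['line']}\n            {f['reason']}")
    print("\n".join(otl_fix_lines(results)))
```

On the sample the 'remove' findings come out as exactly the three lines SuperDave pasted into the OTL fix; the Ask entries that still have a DLL on disk are reported as 'uninstall', matching his Add/Remove Programs step.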

Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #8 on: September 18, 2011, 03:54:22 PM »
Alright I did most of these but.. doing the last step, a blue screen came up mid-scan. Also I've been getting pop-ups from avast! saying that C:\Program Files\Internet Explorer\iexplore.exe is doing bad things or whatever.

I also don't have anything that has Ask in it as something available to uninstall, so I'm not sure if I have it.. maybe it's something else?

Updated Java as well, and ran OTL. I'll try combofix again and report back.

========== OTL ==========
File Ext: XUL Cache: {9c0b4b35-0418-4b05-9889-938f63eac03b} - %profile%\extensions\{9c0b4b35-0418-4b05-9889-938f63eac03b} not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.29.1 log created on 09182011_164151

Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #9 on: September 18, 2011, 05:32:55 PM »
Ran it again, ended up working fine. The same malicious URL blocked notification keeps coming up from avast!, same thing.
Object: http:/
Infection: URL:Mal
Process: C:\Program Files\Internet Explorer\iexplore.exe


ComboFix 11-09-18.03 - John 09/18/2011  17:10:40.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3764.2450 [GMT -5:00]
Running from: c:\users\John\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\John\AppData\Roaming\Microsoft\Windows\Recent\YouTube - Pretty much everywhere, it's gonna be hot..URL
c:\users\John\AppData\Roaming\Microsoft\Windows\Recent\YouTube - Rebecca Black - Friday Official music video [Lyrics].URL
.
.
(((((((((((((((((((((((((   Files Created from 2011-08-18 to 2011-09-18  )))))))))))))))))))))))))))))))
.
.
2011-09-18 22:44 . 2011-09-18 22:44   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-09-18 21:13 . 2011-09-18 21:13   --------   d-----w-   C:\_OTL
2011-09-18 20:58 . 2011-09-18 20:58   --------   d-----w-   c:\program files (x86)\Common Files\Java
2011-09-17 22:15 . 2011-09-17 22:15   41272   ----a-w-   c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-17 02:10 . 2011-09-17 02:10   --------   d-----w-   c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
2011-09-17 02:09 . 2011-09-17 02:10   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-09-17 02:09 . 2011-09-17 02:09   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2011-09-17 01:04 . 2011-09-17 01:04   --------   d-----w-   c:\users\John\AppData\Roaming\Malwarebytes
2011-09-17 01:04 . 2011-09-17 01:04   --------   d-----w-   c:\programdata\Malwarebytes
2011-09-17 01:04 . 2011-09-17 01:04   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2011-09-17 00:47 . 2011-08-12 04:10   8862544   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{48D4906C-B379-4C2A-8C0A-AB0E6595F491}\mpengine.dll
2011-09-16 16:00 . 2011-09-16 16:00   --------   d-----w-   c:\program files\Temp
2011-09-16 16:00 . 2011-09-16 16:00   --------   d-----w-   C:\Temp
2011-09-16 05:11 . 2011-09-06 20:38   301912   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2011-09-16 05:11 . 2011-09-06 20:36   24408   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2011-09-16 05:11 . 2011-09-06 20:36   42328   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2011-09-16 05:11 . 2011-09-06 20:38   601944   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-09-16 05:11 . 2011-09-06 20:36   58200   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2011-09-16 05:11 . 2011-09-06 20:45   254400   ----a-w-   c:\windows\system32\aswBoot.exe
2011-09-16 05:11 . 2011-09-06 20:36   65368   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2011-09-16 05:10 . 2011-09-06 20:45   41184   ----a-w-   c:\windows\avastSS.scr
2011-09-16 05:10 . 2011-09-06 20:45   199304   ----a-w-   c:\windows\SysWow64\aswBoot.exe
2011-09-16 05:10 . 2011-09-16 05:10   --------   d-----w-   c:\programdata\AVAST Software
2011-09-16 05:10 . 2011-09-16 05:10   --------   d-----w-   c:\program files\AVAST Software
2011-09-07 03:39 . 2011-09-14 01:25   404640   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-03 04:44 . 2011-09-16 16:49   --------   d-----w-   c:\users\John\AppData\Local\Facebook
2011-08-30 00:24 . 2011-08-30 03:03   --------   d-----w-   c:\users\John\AppData\Roaming\Mumble
2011-08-30 00:23 . 2011-08-30 00:23   --------   d-----w-   c:\program files (x86)\Mumble
2011-08-24 18:35 . 2011-07-09 05:14   2048   ----a-w-   c:\windows\system32\tzres.dll
2011-08-24 18:35 . 2011-07-09 04:30   2048   ----a-w-   c:\windows\SysWow64\tzres.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 05:35 . 2011-08-11 05:04   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2011-07-22 04:56 . 2011-08-11 05:04   1638912   ----a-w-   c:\windows\SysWow64\mshtml.tlb
2011-07-19 10:05 . 2010-08-15 00:32   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2011-07-16 05:26 . 2011-08-11 05:05   362496   ----a-w-   c:\windows\system32\wow64win.dll
2011-07-16 05:26 . 2011-08-11 05:05   243200   ----a-w-   c:\windows\system32\wow64.dll
2011-07-16 05:26 . 2011-08-11 05:05   13312   ----a-w-   c:\windows\system32\wow64cpu.dll
2011-07-16 05:26 . 2011-08-11 05:05   214528   ----a-w-   c:\windows\system32\winsrv.dll
2011-07-16 05:24 . 2011-08-11 05:05   16384   ----a-w-   c:\windows\system32\ntvdm64.dll
2011-07-16 05:21 . 2011-08-11 05:05   422400   ----a-w-   c:\windows\system32\KernelBase.dll
2011-07-16 05:17 . 2011-08-11 05:05   338432   ----a-w-   c:\windows\system32\conhost.exe
2011-07-16 05:04 . 2011-08-11 05:05   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:05   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   5120   ---ha-w-   c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   4608   ---ha-w-   c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   4608   ---ha-w-   c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   4096   ---ha-w-   c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   4096   ---ha-w-   c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   4096   ---ha-w-   c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   6144   ---ha-w-   c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   4096   ---ha-w-   c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 05:04 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 04:36 . 2011-08-11 05:05   14336   ----a-w-   c:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:32 . 2011-08-11 05:05   44032   ----a-w-   c:\windows\apppatch\acwow64.dll
2011-07-16 04:31 . 2011-08-11 05:05   25600   ----a-w-   c:\windows\SysWow64\setup16.exe
2011-07-16 04:30 . 2011-08-11 05:05   5120   ----a-w-   c:\windows\SysWow64\wow32.dll
2011-07-16 04:30 . 2011-08-11 05:05   272384   ----a-w-   c:\windows\SysWow64\KernelBase.dll
2011-07-16 04:19 . 2011-08-11 05:05   4096   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:05   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:05   4608   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:05   4096   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:05   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:05   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:05   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:05   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   4096   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   4096   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   5120   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   4096   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:26 . 2011-08-11 05:04   7680   ----a-w-   c:\windows\SysWow64\instnm.exe
2011-07-16 02:26 . 2011-08-11 05:04   2048   ----a-w-   c:\windows\SysWow64\user.exe
2011-07-16 02:21 . 2011-08-11 05:04   6144   ---ha-w-   c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 05:04   4608   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 05:04   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-11 05:04   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:44 . 2011-08-11 05:05   287744   ----a-w-   c:\windows\system32\drivers\mrxsmb10.sys
2011-06-23 05:29 . 2011-08-11 05:04   5507968   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-06-23 04:38 . 2011-08-11 05:04   3957120   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:38 . 2011-08-11 05:04   3902336   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2011-06-21 06:27 . 2011-08-11 05:04   1896832   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2011-06-21 06:20 . 2011-08-11 05:04   1197056   ----a-w-   c:\windows\system32\wininet.dll
2011-06-21 06:20 . 2011-08-11 05:04   57856   ----a-w-   c:\windows\system32\licmgr10.dll
2011-06-21 05:36 . 2011-08-11 05:04   981504   ----a-w-   c:\windows\SysWow64\wininet.dll
2011-06-21 05:35 . 2011-08-11 05:04   44544   ----a-w-   c:\windows\SysWow64\licmgr10.dll
2011-06-21 05:05 . 2011-08-11 05:04   482816   ----a-w-   c:\windows\system32\html.iec
2011-06-21 04:26 . 2011-08-11 05:04   386048   ----a-w-   c:\windows\SysWow64\html.iec
2011-05-04 15:28 . 2010-07-19 21:04   39   ----a-w-   c:\program files\run.cmd
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-11 05:41   120104   ----a-w-   c:\program files (x86)\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systweak Memory Optimizer"="c:\program files (x86)\advanced system optimizer\memtuneup.exe" [2007-06-22 119024]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 5471104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"ArcadeDeluxeAgent"="c:\program files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2009-10-29 419112]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files (x86)\Stardock\ObjectDock\ObjectDock.exe [2010-8-22 3450608]
TimeLeft.lnk - c:\program files (x86)\TimeLeft3\TimeLeft.exe [2010-8-22 2004776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Memory Tuneup.lnk - c:\program files (x86)\Advanced System Optimizer\memtuneup.exe [2010-7-30 119024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R2 NACAgent;Cisco NAC Agent;c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe

R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys

R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-11 305448]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R4 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 844320]
R4 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 135664]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 135664]
R4 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-09-24 62720]
R4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
R4 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R4 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
S1 aswSnx;aswSnx;

S1 aswSP;aswSP;

S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys

S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys

S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 aswFsBlk;aswFsBlk;

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys

S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys

S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys

S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys

S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys

.
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 14:46]
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 14:46]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45   134384   ----a-w-   c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-11 05:44   137512   ----a-w-   c:\program files (x86)\EgisTec\MyWinLocker 3\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"mwlDaemon"="c:\program files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-11 349480]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-29 8312352]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 823840]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603105416l0488z1k5t44n1d14s
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603105416l0488z1k5t44n1d14s
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://cas-dorms.lewisu.local/auth/taweb.cab
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\uluf7408.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=382950&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58808
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files (x86)\Ask.com\GenericAskToolbar.dll
Toolbar-Locked - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files (x86)\Ask.com\GenericAskToolbar.dll
Wow6432Node-HKLM-Run-NACAgentUI - c:\program files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-879847433-1111700371-1626439009-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-879847433-1111700371-1626439009-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2011-09-18  18:19:21 - machine was rebooted
ComboFix-quarantined-files.txt  2011-09-18 23:19
.
Pre-Run: 166,057,238,528 bytes free
Post-Run: 165,831,168,000 bytes free
.
- - End Of File - - E15C9D0AD3871A0C395D158D0AC944A6

SuperDave

  • Malware Removal Specialist


  • Sage
  • Thanked: 847
  • Certifications: List
  • Experience: Expert
  • OS: Windows 8
Re: Malware or Virus
« Reply #10 on: September 19, 2011, 04:51:03 PM »
Download BlueScreenView to your desktop.
BlueScreenView
unzip downloaded file and double click on BlueScreenView.exe to run the program.
when scanning is done, go to EDIT - Select All
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply
*******************************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender

Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #11 on: September 19, 2011, 09:35:54 PM »
***I attempted to run SysProt, ran it as administrator, changed settings for all users to run as admin, and I kept getting an error saying I couldn't run it without the program being run as administrator. It also froze up. I closed it and re-opened it a few times to try different things, but now I'm just leaving it, hoping it will work if I do. Until then, this did work.
==================================================
Dump File         : 091811-28142-01.dmp
Crash Time        : 9/18/2011 4:29:22 PM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffffa80`04a467a7
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`76f40000
Caused By Driver  : hal.dll
Caused By Address : hal.dll+1344e
File Description  :
Product Name      :
Company           :
File Version      :
Processor         : x64
Crash Address     : ntoskrnl.exe+705c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\091811-28142-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 279,056
==================================================

==================================================
Dump File         : 091611-29000-01.dmp
Crash Time        : 9/16/2011 8:00:49 PM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffffa80`04a537a7
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`76ea0000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+705c0
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16841 (win7_gdr.110622-1503)
Processor         : x64
Crash Address     : ntoskrnl.exe+705c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\091611-29000-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 279,056
==================================================

==================================================
Dump File         : 091611-28189-01.dmp
Crash Time        : 9/16/2011 11:59:01 AM
Bug Check String  : PROCESS_HAS_LOCKED_PAGES
Bug Check Code    : 0x00000076
Parameter 1       : 00000000`00000000
Parameter 2       : fffffa80`08240680
Parameter 3       : 00000000`000007d1
Parameter 4       : 00000000`00000000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+705c0
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16841 (win7_gdr.110622-1503)
Processor         : x64
Crash Address     : ntoskrnl.exe+705c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\091611-28189-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 279,056
==================================================

==================================================
Dump File         : 120110-26410-01.dmp
Crash Time        : 12/1/2010 6:13:31 PM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x0000009f
Parameter 1       : 00000000`00000003
Parameter 2       : fffffa80`048dc060
Parameter 3       : fffff800`00b9c518
Parameter 4       : fffffa80`041d9c60
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70740
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16841 (win7_gdr.110622-1503)
Processor         : x64
Crash Address     : ntoskrnl.exe+70740
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\120110-26410-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 703,904
==================================================

==================================================
Dump File         : 113010-20529-01.dmp
Crash Time        : 11/30/2010 6:27:00 PM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x0000009f
Parameter 1       : 00000000`00000003
Parameter 2       : fffffa80`048b6a20
Parameter 3       : fffff800`00b9c518
Parameter 4       : fffffa80`06449470
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70740
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16841 (win7_gdr.110622-1503)
Processor         : x64
Crash Address     : ntoskrnl.exe+70740
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\113010-20529-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 695,712
==================================================

==================================================
Dump File         : 112310-22604-01.dmp
Crash Time        : 11/23/2010 3:20:52 PM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x0000009f
Parameter 1       : 00000000`00000003
Parameter 2       : fffffa80`048d8060
Parameter 3       : fffff800`00b9c518
Parameter 4       : fffffa80`042cdc60
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70740
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16841 (win7_gdr.110622-1503)
Processor         : x64
Crash Address     : ntoskrnl.exe+70740
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\112310-22604-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 703,904
==================================================

==================================================
Dump File         : 111810-27424-01.dmp
Crash Time        : 11/18/2010 10:34:08 AM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x0000009f
Parameter 1       : 00000000`00000003
Parameter 2       : fffffa80`048d7060
Parameter 3       : fffff800`046a7518
Parameter 4       : fffffa80`05ef1c60
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70740
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16841 (win7_gdr.110622-1503)
Processor         : x64
Crash Address     : ntoskrnl.exe+70740
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\111810-27424-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 714,552
==================================================

==================================================
Dump File         : 082610-22198-01.dmp
Crash Time        : 8/26/2010 6:43:11 PM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x1000009f
Parameter 1       : 00000000`00000004
Parameter 2       : 00000000`00000258
Parameter 3       : fffffa80`03b60680
Parameter 4       : fffff800`03e9c510
Caused By Driver  : mfehidk.sys
Caused By Address : mfehidk.sys+273b7
File Description  :
Product Name      :
Company           :
File Version      :
Processor         : x64
Crash Address     : ntoskrnl.exe+765da
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\082610-22198-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 489,464
==================================================

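Added example, not code from the thread or from BlueScreenView itself: a small Python parser for the BSOD.txt layout posted above, with a triage pass that groups the dumps by bug check, records the date range and the blamed driver for each group, lists dumps where the tool could not resolve the driver's version info, and counts the KMODE_EXCEPTION_NOT_HANDLED records whose first parameter is STATUS_ACCESS_VIOLATION (0xC0000005). The sample input is a constructed, abbreviated copy of three of the records above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout BlueScreenView writes with "Save Selected
# Items": three abbreviated records copied from the report posted above.
SAMPLE_BSOD_TXT = """\
==================================================
Dump File         : 091811-28142-01.dmp
Crash Time        : 9/18/2011 4:29:22 PM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffffa80`04a467a7
Caused By Driver  : hal.dll
File Description  :
==================================================

==================================================
Dump File         : 091611-29000-01.dmp
Crash Time        : 9/16/2011 8:00:49 PM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffffa80`04a537a7
Caused By Driver  : ntoskrnl.exe
File Description  : NT Kernel & System
==================================================

==================================================
Dump File         : 120110-26410-01.dmp
Crash Time        : 12/1/2010 6:13:31 PM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x0000009f
Parameter 1       : 00000000`00000003
Parameter 2       : fffffa80`048dc060
Caused By Driver  : ntoskrnl.exe
File Description  : NT Kernel & System
==================================================
"""

SEPARATOR = re.compile(r"^=+\s*$")
FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
STATUS_ACCESS_VIOLATION = 0xC0000005  # NTSTATUS carried in parameter 1 of a 0x1E


def parse_bsod_report(text):
    """Parse the export into one dict per dump. Records are framed by lines of
    '=' characters; every other non-blank line is 'Key : Value'. Empty values
    (e.g. 'File Description  :') are kept as '' so the caller can see them."""
    records, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        records.append(current)
    return records


def param_int(record, n):
    """Turn a WinDbg-style 'hhhhhhhh`hhhhhhhh' parameter into an int."""
    return int(record[f"Parameter {n}"].replace("`", ""), 16)


def crash_time(record):
    return datetime.strptime(record["Crash Time"], "%m/%d/%Y %I:%M:%S %p")


def triage(records):
    """Group dumps by bug check; per group report count, blamed drivers, date
    range, unresolved drivers and (for 0x1E) how many were access violations."""
    groups = defaultdict(list)
    for r in records:
        groups[r["Bug Check String"]].append(r)
    summary = {}
    for check, recs in groups.items():
        times = sorted(crash_time(r) for r in recs)
        entry = {
            "count": len(recs),
            "drivers": dict(Counter(r["Caused By Driver"] for r in recs)),
            "first": times[0].date().isoformat(),
            "last": times[-1].date().isoformat(),
            # Dumps where BlueScreenView could not read the module's version info.
            "unresolved_driver": [r["Dump File"] for r in recs
                                  if not r.get("File Description")],
        }
        if check == "KMODE_EXCEPTION_NOT_HANDLED":
            # For 0x1E, parameter 1 is the exception code that went unhandled.
            entry["access_violations"] = sum(
                1 for r in recs
                if param_int(r, 1) & 0xFFFFFFFF == STATUS_ACCESS_VIOLATION)
        summary[check] = entry
    return summary
```

Run over the full report above, the summary separates the 2010 DRIVER_POWER_STATE_FAILURE cluster from the September 2011 access-violation crashes, which is the first thing to check before attributing a crash to malware.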

SuperDave

  • Malware Removal Specialist


  • Sage
  • Thanked: 847
  • Certifications: List
  • Experience: Expert
  • OS: Windows 8
Re: Malware or Virus
« Reply #12 on: September 20, 2011, 01:30:40 PM »
To Run the SFC /SCANNOW Command in Windows 7
1. Open an elevated command prompt.

2. To Scan and Repair System Files
NOTE: Scans the integrity of all protected system files and repairs the system files if needed.
A) In the elevated command prompt, type sfc /scannow and press Enter. (see screenshot below)
NOTE: This may take some time to finish.



B) Go to step 4.

3. To Only Verify if the System Files are Corrupted
NOTE: Scans and only verifies the integrity of all protected system files.
A) In the elevated command prompt, type sfc /verifyonly and press Enter.

4. When the scan is complete, hopefully you will see all is ok like the screenshot below.
NOTE: If not, then you can attempt to run a System Restore using a restore point dated before the bad file occurred to fix it. You may need to repeat doing a System Restore until you find an older restore point that may work.



5. When done, close the elevated command prompt.
****************************************************
Please try this one.

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

Bubblescoop

    Topic Starter


    Rookie

  • Experience: Familiar
  • OS: Windows 7
Re: Malware or Virus
« Reply #13 on: September 20, 2011, 06:59:45 PM »
Elevated Command Prompt reported that I had no problems.

When attempting to run RootRepeal, an error message came up saying that it didn't support 64-bit OSs.

SuperDave

  • Malware Removal Specialist


  • Sage
  • Thanked: 847
  • Certifications: List
  • Experience: Expert
  • OS: Windows 8
Re: Malware or Virus
« Reply #14 on: September 21, 2011, 12:30:19 PM »
Sorry. I missed that 64 bit. Please try this one.

Please download Rooter and Save it to your desktop.
  • Double click it to start the tool. On Vista and Windows 7, run it as administrator.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.