Computer Hope
Software => Computer viruses and spyware => Topic started by: az_shyguy on July 24, 2013, 06:33:44 PM
-
Hello Maleware specialists.
I will try to keep details short, and try this again as computer shutdown and restarted last time while trying to post here. >:(
I normally keep maintenance on my mom's comp up to date and running good. I have been quite busy lately and haven't got down to do it. She told me that her computer was running erratic and slow on the internet. She keeps getting "page cannot be displayed" or "errors", and if she tried to click on a link in a website she was in or type a web address in address bar: the computer would shutdown and restart. I thought I could get on and clean it up for her and be on my way..
Boy was I wrong!! :o I got on and after several refreshes on websites (kept getting "page cannot be displayed") I finally got a website to open and when I would click on a link in website, sometimes it would open and sometimes would shut computer down without notice with a black screen and just restart itself..Same thing with typing in a address.. it would let me type and enter and get the site sometimes and other times, even typing the same site it would shutdown and restart. Also it would just hang sometimes too. I also noticed her homepage had changed to Ask , and default search provider had changed to Ask also.. I just figured maybe she installed an update or new version of something and missed that. I have it set to not change hompage or notify if trying too. So I dunno what was going on.
Anyhow these are the steps I took . First I took and disconnected everything and looked in computer case to make sure inside was clean and cpu fan was running after plugged in. I do clean out case occasionally and do take the precautions with static. I have had problems before with cpu getting hot and shutting down on other computers (not this one) Everthing looked fine.
Next I figured I would leave internet disconnected and try to restore the computer to an earlier time. restore wasnt working and kept saying it could be an antivirus keeping it from doing that. I did disable avg antivirus, Iobit malware fighter and zonealarm firewall to no avail? Finally just uninstalled all of them and got restore to work.. restored to last restore point that was on there.
I Then ran advanced system care6(ASC) and it found 15 malware (MyWebsearch and funmoods) so did repair. I then reconnected internet and downloaded and reinstalled all security programs first. while doing the downloads I noticed homepage was back to normal but search default was still Ask. Computer was still shutting down and rebooting, but didnt seem as often. I was not getting the "page cannot be displayed" like I was before.
First things first. after installs I ran scans with avg and Iobit maleware fighter with both saying nothing found. so I then ran ASC again and did repair.
ok so now I made sure all windows updates was installed and rebooted. I then proceeded to make sure everything else was up to date, Java, flash player, firefox etc.. while doing those I didnt get one "page cannot be displayed or errors" I was still getting irritated by shutdowns and restarts though. Oh before I forget I also did a defrag run too! I have used all the tools and knowledge I know of and am miffed at what it is so I need a specialist to help me please.
I also thought it could be the internet, they use a E1200 linksys wirless router to a dishnet (hughes) HN9000 modem. Moms laptop runs flawlessly though, so have ruled that out. I did miss the IE update to 10 so installed it and when I started to type computerhope in the address bar, the computer shutdown again? >:(
This time when I got back on and brought up IE, all the sudden the yahoo toolbar is missing? ???
I believe their might still be fragments or something of maleware or virus that is beyond my scope and tools or knowledge to use them. I thought of using your highjack this tool but still kinda shy on making them changes without assistance by one of you! Thank you so much for your help in advance. :)
Computer specs and reports following,
Hope I didnt Ramble on too much? :)
Computer: Hp Pavilion p6610f, windows 7 home premium, AMD Athlon II 635 Quad-core, 4Gb memory
AdwCleaner:
# AdwCleaner v2.306 - Logfile created 07/24/2013 at 12:16:22
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Carol Lee - CAROLLEE-HP
# Boot Mode : Normal
# Running from : C:\Users\Carol Lee\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\Carol Lee\AppData\Roaming\Mozilla\Firefox\Profiles\vfbcj3gf.default\searchplugins\Askcom.xml
File Deleted : C:\Users\Carol Lee\AppData\Roaming\Mozilla\Firefox\Profiles\vfbcj3gf.default\searchplugins\zonealarm.xml
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\ProgramData\~0
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\Carol Lee\AppData\Local\APN
Folder Deleted : C:\Users\Carol Lee\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Carol Lee\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Carol Lee\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\Carol Lee\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Carol Lee\AppData\LocalLow\FunWebProducts
Folder Deleted : C:\Users\Carol Lee\AppData\LocalLow\MyWebSearch
Folder Deleted : C:\Users\Carol Lee\AppData\LocalLow\TotalRecipeSearch_14EI
Folder Deleted : C:\Users\Carol Lee\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Users\Carol Lee\AppData\Roaming\Mozilla\Firefox\Profiles\vfbcj3gf.default\extensions\staged
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
***** [Registry] *****
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Deleted : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Deleted : HKCU\Software\AppDataLow\Software\TotalRecipeSearch_14EI
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01947140-417F-46B6-8751-A3A2B8345E1A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{120927BF-1700-43BC-810F-FAB92549B390}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E720451-B472-4954-B7AA-33069EB53906}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{819FFE21-35C7-4925-8CDA-4E0E2DB94302}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8E9CF769-3D3B-40EB-9E2D-76E7A205E4D2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{991AAC62-B100-47CE-8B75-253965244F69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [1]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16496
[OK] Registry is clean.
-\\ Mozilla Firefox v21.0 (en-US)
File : C:\Users\Carol Lee\AppData\Roaming\Mozilla\Firefox\Profiles\vfbcj3gf.default\prefs.js
C:\Users\Carol Lee\AppData\Roaming\Mozilla\Firefox\Profiles\vfbcj3gf.default\user.js ... Deleted !
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("extensions.asktb.abar-war-regex", "conduit\\.com");
Deleted : user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
Deleted : user_pref("extensions.asktb.cbid", "^TV");
Deleted : user_pref("extensions.asktb.config-updated", false);
Deleted : user_pref("extensions.asktb.crumb", "2013.03.22+17.39.18-toolbar011iad-US-U2VhdHRsZSxXQSxVbml0ZWQgU3[...]
Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
Deleted : user_pref("extensions.asktb.displaybehavior", "");
Deleted : user_pref("extensions.asktb.displaytext", "");
Deleted : user_pref("extensions.asktb.dtid", "^YYYYYY^YY^US");
Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", false);
Deleted : user_pref("extensions.asktb.dyn-weather-locid-weatherWidget", "USWA0395");
Deleted : user_pref("extensions.asktb.dyn-weather-tempunit-weatherWidget", "F");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "hxxp://isearch.avg.com/search?cid=%7B7ac4c603[...]
Deleted : user_pref("extensions.asktb.ff19-config-first-run", "true");
Deleted : user_pref("extensions.asktb.fresh-install", false);
Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
Deleted : user_pref("extensions.asktb.keyword-toggled-in-session", false);
Deleted : user_pref("extensions.asktb.l", "dis");
Deleted : user_pref("extensions.asktb.last-config-req", "1364583701300");
Deleted : user_pref("extensions.asktb.last-search-timestamp", "1364536721244");
Deleted : user_pref("extensions.asktb.locale", "en_US");
Deleted : user_pref("extensions.asktb.location", "Seattle,WA,United States");
Deleted : user_pref("extensions.asktb.lstation", "");
Deleted : user_pref("extensions.asktb.new-tab-opt-out", true);
Deleted : user_pref("extensions.asktb.news-native-on", true);
Deleted : user_pref("extensions.asktb.o", "100000031");
Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Deleted : user_pref("extensions.asktb.pstate", "");
Deleted : user_pref("extensions.asktb.qsrc", "2871");
Deleted : user_pref("extensions.asktb.r", "19");
Deleted : user_pref("extensions.asktb.search-history-queries", "Shoppers");
Deleted : user_pref("extensions.asktb.search-plugin-suggestions-url", "hxxp://ss.websearch.ask.com/query?qsrc=[...]
Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
Deleted : user_pref("extensions.asktb.socialmini-first", true);
Deleted : user_pref("extensions.asktb.socialmini-interval", "1200000");
Deleted : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
Deleted : user_pref("extensions.asktb.socialmini-max-items", "30");
Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
Deleted : user_pref("extensions.asktb.socialmini-speed", "10000");
Deleted : user_pref("extensions.asktb.socialmini-transition-first-open", false);
Deleted : user_pref("extensions.asktb.to", "");
Deleted : user_pref("extensions.asktb.v", "3.15.15.100013");
Deleted : user_pref("extensions.asktb.volume", "");
*************************
AdwCleaner[S1].txt - [16277 octets] - [24/07/2013 12:16:22]
########## EOF - C:\AdwCleaner[S1].txt - [16338 octets] ##########
Malwarebytes:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.07.24.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Carol Lee :: CAROLLEE-HP [administrator]
7/24/2013 2:54:20 PM
mbam-log-2013-07-24 (14-54-20).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212938
Time elapsed: 5 minute(s), 20 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Security Check:
Results of screen317's Security Check version 0.99.71
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````[/u]
Windows Firewall Disabled!
ZoneAlarm Free Firewall Antivirus
AVG AntiVirus Free Edition 2013
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````[/u]
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 25
Adobe Flash Player 11.7.700.224
Adobe Reader XI
Mozilla Firefox (22.0)
````````Process Check: objlist.exe by Laurent````````[/u]
AVG avgwdsvc.exe
IObit IObit Malware Fighter IMFsrv.exe
IObit IObit Malware Fighter IMF.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
CheckPoint ZoneAlarm ZAPrivacyService.exe
`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````[/u]
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
I noticed that you have two AV's on that computer; ZoneAlarm Free Firewall Antivirus
and AVG AntiVirus Free Edition 2013 That could be part of the problem. Only one AV and one Firewall should be active at any time on your computer. One will have to be disabled/uninstalled.
*********************************************
Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.
•Warning! Once the scan is complete JRT will shut down your browser with NO warning.
•Shut down your protection software now to avoid potential conflicts.
•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this (http://www.bleepingcomputer.com/forums/topic114351.html) link to see a list of security programs that should be disabled and how to disable them.
•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete depending on your system's specifications.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Copy and Paste the JRT.txt log into your next message.
**********************************************
Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to you download folder you will need to copy it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.
- Close any open windows and double click ComboFix.exe to run it.
You will see the following image:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)
Click I Agree to start the program.
ComboFix will then extract the necessary files and you will see this:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
-
Hello SuperDave. thanks for the quick response and your help.
Had quite a scare a few minutes ago. I ran the jrt and then ran the combofix. the combo fix restarted the computer and processed the log. I went to open IE to send you the reports and all the sudden got a message saying "Illegal operation attempted on a registry key marked for deletion" I tried to open the reports to take to another computer to send to you and was getting the same saying on any program I tried to open. started having a panic attack.. :o Anyhow I decided to restart computer again and everything seems to be working now. :) Figured I should let you know.
Oh and I knew there was two antiviruses and I have the zone alarm disabled or think I do, pretty sure I do. I couldn't find a place to just get the zonealarm firewall by itself? I value your guy's opinions and if you think Zone alarm virus protection is just as good as avg I will just uninstall avg.
Thanks for the help!
Ok here are the reports. will wait for further instructions.
JRT log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.2 (07.22.2013:2)
OS: Windows 7 Home Premium x64
Ran by Carol Lee on Thu 07/25/2013 at 13:55:54.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Page
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{17662709-9A30-4ABF-9460-14DDBDC77084}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AE3D60B2-482E-4778-9FA2-8984E5A64262}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}
~~~ Files
Successfully deleted: [File] "C:\Windows\couponprinter.ocx"
~~~ Folders
Successfully deleted: [Folder] "C:\Users\Carol Lee\appdata\local\visi_coupon"
Successfully deleted: [Folder] "C:\Users\Carol Lee\appdata\locallow\totalrecipesearch_14"
Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"
~~~ FireFox
Emptied folder: C:\Users\Carol Lee\AppData\Roaming\mozilla\firefox\profiles\vfbcj3gf.default\minidumps [48 files]
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/25/2013 at 14:02:00.74
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Combofix log:
ComboFix 13-07-25.02 - Carol Lee 07/25/2013 14:08:21.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.2531 [GMT -6:00]
Running from: c:\users\Carol Lee\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: ZoneAlarm Free Firewall Antivirus *Disabled/Outdated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Free Firewall Anti-Spyware *Disabled/Outdated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\0p_20hhejjef_o\us_sres.data
c:\data\default\us_sres.data
c:\program files (x86)\MyWebFace_5aEI
c:\program files (x86)\MyWebFace_5aEI\Installr\1.bin\5aEZSETP.dll
c:\users\Carol Lee\WINDOWS
c:\windows\SysWow64\Cache
c:\windows\SysWow64\Cache\272512937d9e61a4.fb
c:\windows\SysWow64\Cache\287204568329e189.fb
c:\windows\SysWow64\Cache\28bc8f716fd76a47.fb
c:\windows\SysWow64\Cache\2c53092c95605355.fb
c:\windows\SysWow64\Cache\3917078cb68ec657.fb
c:\windows\SysWow64\Cache\425f96eab34a884d.fb
c:\windows\SysWow64\Cache\590ba23ce359fd0c.fb
c:\windows\SysWow64\Cache\610289e025a3ee9a.fb
c:\windows\SysWow64\Cache\651c5d3cdbfb8bd1.fb
c:\windows\SysWow64\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\SysWow64\Cache\a8556537add6dfc5.fb
c:\windows\SysWow64\Cache\ad10a52aff5e038d.fb
c:\windows\SysWow64\Cache\b1575de33224ecfa.fb
c:\windows\SysWow64\Cache\c4d28dca2e7648be.fb
c:\windows\SysWow64\Cache\d201ef9910cd39de.fb
c:\windows\SysWow64\Cache\d2e94710a5708128.fb
c:\windows\SysWow64\Cache\d79b9dfe81484ec4.fb
c:\windows\SysWow64\Cache\e0de16f883bea794.fb
.
.
((((((((((((((((((((((((( Files Created from 2013-06-25 to 2013-07-25 )))))))))))))))))))))))))))))))
.
.
2013-07-25 20:15 . 2013-07-25 20:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-25 19:55 . 2013-07-25 19:55 -------- d-----w- c:\windows\ERUNT
2013-07-24 19:02 . 2013-04-04 20:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-24 19:02 . 2013-07-24 19:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-07-24 18:03 . 2013-07-24 18:03 -------- d-----w- c:\program files\CCleaner
2013-07-24 12:39 . 2013-07-24 12:39 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-07-24 11:45 . 2013-05-23 00:49 32600 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2013-07-24 11:45 . 2013-05-23 00:49 17720 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2013-07-24 11:07 . 2013-07-24 11:07 -------- d-----w- c:\users\Carol Lee\AppData\Roaming\AVG2013
2013-07-24 11:07 . 2013-07-24 11:07 -------- d-----w- c:\programdata\AVG2013
2013-07-24 11:07 . 2013-07-24 11:07 -------- d-----w- C:\$AVG
2013-07-24 11:06 . 2013-07-24 11:09 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Avg2013
2013-07-24 11:06 . 2013-07-24 11:06 -------- d-----w- c:\program files (x86)\AVG
2013-07-24 11:01 . 2013-07-25 14:41 -------- d-----w- c:\programdata\MFAData
2013-07-24 11:01 . 2013-07-24 13:26 -------- d-----w- c:\users\Carol Lee\AppData\Local\Avg2013
2013-07-24 11:01 . 2013-07-24 11:01 -------- d-----w- c:\users\Carol Lee\AppData\Local\MFAData
2013-07-24 10:35 . 2013-07-24 10:35 -------- d-----w- C:\AVGTemp
2013-07-23 22:32 . 2013-07-23 22:32 -------- d-----w- c:\users\Carol Lee\AppData\Roaming\PC-FAX TX
2013-07-23 22:04 . 2013-07-23 22:04 -------- d-----w- C:\Brother
2013-07-23 22:04 . 2013-07-23 22:04 -------- d-----w- c:\program files (x86)\Browny02
2013-07-23 22:04 . 2010-02-09 23:11 217088 ------w- c:\windows\SysWow64\NSSearch.dll
2013-07-23 22:04 . 2010-01-22 21:34 3072 ------w- c:\windows\SysWow64\BrDctF2S.dll
2013-07-23 22:04 . 2007-12-14 04:16 73728 ------w- c:\windows\SysWow64\BrDctF2.dll
2013-07-23 22:04 . 2007-12-14 04:16 5120 ------w- c:\windows\SysWow64\BrDctF2L.dll
2013-07-23 22:04 . 2010-02-05 17:42 180224 ------w- c:\windows\SysWow64\BroSNMP.dll
2013-07-23 21:59 . 2013-07-23 21:59 -------- d-----w- c:\users\Carol Lee\AppData\Roaming\InstallShield
2013-07-23 18:25 . 2013-07-23 18:25 9216 ----a-w- c:\program files (x86)\Windows Defender\MpAsDesc.dll
2013-07-23 18:25 . 2013-07-23 18:25 571904 ----a-w- c:\program files\Windows Defender\MpClient.dll
2013-07-23 18:25 . 2013-07-23 18:25 54784 ----a-w- c:\program files (x86)\Windows Defender\MpOAV.dll
2013-07-23 18:25 . 2013-07-23 18:25 4608 ----a-w- c:\program files (x86)\Windows Defender\MsMpLics.dll
2013-07-23 18:25 . 2013-07-23 18:25 392704 ----a-w- c:\program files (x86)\Windows Defender\MpClient.dll
2013-07-23 18:25 . 2013-07-23 18:25 314880 ----a-w- c:\program files\Windows Defender\MpCommu.dll
2013-07-23 18:25 . 2013-07-23 18:25 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-07-23 18:24 . 2013-07-23 18:24 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-07-23 18:23 . 2013-07-23 18:23 624128 ----a-w- c:\windows\system32\qedit.dll
2013-07-23 18:23 . 2013-07-23 18:23 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2013-07-23 18:23 . 2013-07-23 18:23 1732608 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-23 18:23 . 2013-07-23 18:23 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-23 18:22 . 2013-07-23 18:22 1887744 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-23 18:22 . 2013-07-23 18:22 1620480 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-07-23 18:22 . 2013-07-23 18:22 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-07-23 18:22 . 2013-07-23 18:22 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-07-21 23:14 . 2013-07-23 22:18 -------- d-----w- c:\program files (x86)\Cisco Systems
2013-07-21 23:01 . 2013-07-21 23:01 -------- d-----w- c:\programdata\Cisco Systems
2013-07-20 19:19 . 2013-07-20 19:19 -------- d-----w- c:\programdata\Pure Networks
2013-07-18 16:10 . 2013-07-18 16:10 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\IObit
2013-07-17 16:07 . 2013-07-24 09:33 -------- d-----w- c:\windows\system32\MRT
2013-07-11 20:38 . 2013-07-11 20:38 1393152 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 20:38 . 2013-07-11 20:38 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 20:38 . 2013-07-11 20:38 1367040 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 20:23 . 2013-07-11 20:23 -------- d-----w- c:\programdata\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-24 11:59 . 2012-11-19 02:19 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-24 11:59 . 2012-11-19 02:19 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-24 10:48 . 2011-02-27 00:33 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2013-07-24 10:47 . 2011-02-04 21:09 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2013-06-24 06:57 . 2010-12-25 18:07 78277128 ----a-w- c:\windows\system32\MRT.exe
2013-06-13 22:34 . 2011-05-08 00:51 451096 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2013-06-13 03:48 . 2012-08-24 01:23 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-06-13 03:48 . 2011-11-05 23:38 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-06-13 03:47 . 2013-06-18 23:20 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-18 20:28 . 2013-05-18 20:28 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-18 20:28 . 2013-05-18 20:28 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-18 20:28 . 2013-05-18 20:28 144384 ----a-w- c:\windows\system32\cdd.dll
2013-05-18 20:20 . 2013-05-18 20:20 197120 ----a-w- c:\windows\system32\shdocvw.dll
2013-05-18 20:20 . 2013-05-18 20:20 1930752 ----a-w- c:\windows\system32\authui.dll
2013-05-18 20:20 . 2013-05-18 20:20 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-05-18 20:20 . 2013-05-18 20:20 14172672 ----a-w- c:\windows\system32\shell32.dll
2013-05-18 20:20 . 2013-05-18 20:20 70144 ----a-w- c:\windows\system32\appinfo.dll
2013-05-18 20:20 . 2013-05-18 20:20 111448 ----a-w- c:\windows\system32\consent.exe
2013-05-18 20:20 . 2013-05-18 20:20 48640 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-18 20:20 . 2013-05-18 20:20 230400 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-18 20:19 . 2013-05-18 20:19 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-05-18 20:19 . 2013-05-18 20:19 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-05-18 20:19 . 2013-05-18 20:19 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-05-18 20:19 . 2013-05-18 20:19 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-05-18 20:19 . 2013-05-18 20:19 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-05-18 20:19 . 2013-05-18 20:19 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-05-13 05:51 . 2013-06-12 01:49 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-12 01:49 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-12 01:49 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-12 01:49 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-12 01:49 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-12 01:49 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-12 01:49 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-12 01:49 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 01:49 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-12 01:49 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-12 01:49 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-12 01:49 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39 . 2013-06-12 01:48 1910632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-03 17:02 . 2013-05-03 17:02 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-04-22 05:50 . 2011-04-22 05:50 495 ----a-w- c:\program files (x86)\0421201123504043.bat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-11-26 1525088]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 6"="c:\program files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe" [2013-04-19 491840]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2013-06-20 73832]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-13 343168]
"SSBkgdUpdate"="c:\program files (x86)\common files\scansoft shared\ssbkgdupdate\ssbkgdupdate.exe" [2006-10-25 210472]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"IObit Malware Fighter"="c:\program files (x86)\IObit\IObit Malware Fighter\IMF.exe" [2013-06-07 1514816]
"ControlCenter3"="c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2013-04-29 4408368]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
R2 RaMediaServer;Ralink UPnP Media Server;c:\program files (x86)\Ralink\Common\RaMediaServer.exe;c:\program files (x86)\Ralink\Common\RaMediaServer.exe
R3 AODDriver4.0;AODDriver4.0;
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys
R3 RegFilter;RegFilter;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys
R3 UrlFilter;UrlFilter;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys;c:\program files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys
R4 FileMonitor;FileMonitor;c:\program files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys;c:\program files (x86)\IObit\IObit Malware Fighter\Drivers\win7_amd64\FileMonitor.sys
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys;c:\windows\SYSNATIVE\Drivers\RapportKE64.sys
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys;c:\windows\SYSNATIVE\Drivers\SmartDefragDriver.sys
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys
S1 RapportCerberus_43926;RapportCerberus_43926;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys
S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files (x86)\IObit\Advanced SystemCare 6\ASCService.exe;c:\program files (x86)\IObit\Advanced SystemCare 6\ASCService.exe
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
S2 IMFservice;IMF Service;c:\program files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe;c:\program files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe
S2 RalinkRegistryWriter64;RalinkRegistryWriter64;c:\program files (x86)\Ralink\Common\RaRegistry64.exe;c:\program files (x86)\Ralink\Common\RaRegistry64.exe
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-19 11:59]
.
2013-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-12 05:54]
.
2013-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-12 05:54]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"SmartMenu"="c:\program files\hewlett-packard\hp mediasmart\smartmenu.exe" [2010-01-18 568888]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.pogo.com/
mLocal Page = c:\windows\SYSTEM32\blank.htm
TCP: DhcpNameServer = 67.142.180.10 67.142.180.11 192.168.1.1
FF - ProfilePath - c:\users\Carol Lee\AppData\Roaming\Mozilla\Firefox\Profiles\vfbcj3gf.default\
FF - prefs.js: browser.search.selectedEngine - Search By ZoneAlarm
FF - prefs.js: browser.startup.homepage - hxxp://www.pogo.com/
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?src=sp&tbid=goughDev3&Lan=en&gu=8120184c7e0a43f480a62b7b96572463&tu=10G9y009C2B0CO0&sku=&tstsId=&ver=&&q=
FF - ExtSQL: 2013-07-24 00:08; [email protected]; c:\users\Carol Lee\AppData\Roaming\Mozilla\Firefox\Profiles\vfbcj3gf.default\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
WebBrowser-{91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - (no file)
AddRemove-Coupon Printer for Windows5.0.0.2 - c:\program files (x86)\Coupons\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\HPZipm12.exe
c:\program files (x86)\Ralink\Common\RaRegistry.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2013-07-25 14:22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2013-07-25 20:22
.
Pre-Run: 629,215,375,360 bytes free
Post-Run: 629,044,285,440 bytes free
.
- - End Of File - - 77127E231134045AC2E5B599DF464584
4A7C4350715967A19385746440037F6D
-
I went to open IE to send you the reports and all the sudden got a message saying "Illegal operation attempted on a registry key marked for deletion"
Re-start your computer usually fixes that problem.
Are either Zonealarm or AVG the paid-for applications? You're better off keeping the paid-for application.
Please download Rooter (http://eric71.geekstogo.com/tools/Rooter.exe) and Save it to your desktop.
- Double click it to start the tool.Vista and Windows7 run as administrator.
- Click Scan.
- Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
****************************************
- Download RogueKiller (http://tigzy.geekstogo.com/Tools/RogueKiller.exe) on the desktop
- Close all the running programs
- Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
- Otherwise just double-click on RogueKiller.exe
- Pre-scan will start. Let it finish.
- Click on SCAN button.
- A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
- If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
-
Neither one is paid for. I was just wondering if one was better than the other or about the same, as zonealarm has the firewall and antivirus together, where as avg you have to pay to get the firewall of theirs.
ok.. took awhile but finally got the two reports that follow.
Rooter:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - AMD64 Family 16 Model 5 Stepping 3, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Disabled !
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.10.9200.16635
Mozilla Firefox 22.0 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:686 Go - Free:585 Go )
D:\ [Fixed-NTFS] .. ( Total:12 Go - Free:1 Go )
E:\ [CD_Rom]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
J:\ [Removable]
.
Scan : 17:59.45
Path : C:\Users\Carol Lee\Desktop\Rooter.exe
User : Carol Lee ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ ??? ?????? (372)
______ ??? ?????? (492)
______ ??? ?????? (536)
______ ??? ?????? (808)
______ ??? ?????? (880)
______ ??? ?????? (904)
______ ??? ?????? (952)
______ ??? ?????? (1000)
______ ??? ?????? (1008)
______ ??? ?????? (1016)
______ ??? ?????? (820)
______ C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe (1028)
______ ??? ?????? (1084)
______ ??? ?????? (1180)
______ ??? ?????? (1280)
______ ??? ?????? (1312)
______ ??? ?????? (1344)
______ ??? ?????? (1376)
______ ??? ?????? (1460)
______ ??? ?????? (1492)
______ ??? ?????? (1568)
______ ??? ?????? (1580)
______ ??? ?????? (1656)
______ ??? ?????? (1884)
______ ??? ?????? (1892)
______ ??? ?????? (1960)
______ ??? ?????? (2032)
______ ??? ?????? (2080)
______ ??? ?????? (2380)
______ ??? ?????? (2420)
______ C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe (2448)
______ ??? ?????? (2488)
______ C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (2520)
______ C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe (2532)
______ C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe (2540)
______ C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe (2616)
______ ??? ?????? (2624)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (2664)
______ C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe (2692)
______ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (2812)
______ C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe (2828)
______ ??? ?????? (2860)
______ C:\Program Files (x86)\AVG\AVG2013\avgui.exe (2872)
______ C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe (2912)
______ C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe (3012)
______ C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe (3064)
______ c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe (2156)
______ ??? ?????? (1944)
______ C:\Program Files (x86)\PDF Complete\pdfsvc.exe (1912)
______ C:\Windows\SysWOW64\HPZipm12.exe (2772)
______ C:\Program Files (x86)\Ralink\Common\RaRegistry.exe (3108)
______ C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe (3128)
______ ??? ?????? (3248)
______ C:\Program Files (x86)\AVG\AVG2013\avgscanx.exe (3612)
______ ??? ?????? (3620)
______ ??? ?????? (3900)
______ ??? ?????? (3912)
______ C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe (3928)
______ ??? ?????? (4756)
______ ??? ?????? (4880)
______ ??? ?????? (4932)
______ ??? ?????? (4996)
______ C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe (5064)
______ C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe (3744)
______ ??? ?????? (4328)
______ C:\Program Files (x86)\Browny02\BrYNSvc.exe (1808)
______ ??? ?????? (5332)
______ ??? ?????? (5512)
______ ??? ?????? (5580)
______ ??? ?????? (5296)
______ ??? ?????? (4052)
Locked audiodg.exe (3472)
______ ??? ?????? (5796)
______ C:\Users\Carol Lee\Desktop\Rooter.exe (4812)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:104857600)
\Device\Harddisk0\Partition2 (Start_Offset:105906176 | Length:737078673408)
\Device\Harddisk0\Partition3 (Start_Offset:737184579584 | Length:12969836544)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\TaskDisabled
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 17:59.58
.
C:\Rooter$\Rooter_1.txt - (25/07/2013 | 17:59.58)
RogueKiller:
RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Carol Lee [Admin rights]
Mode : Scan -- Date : 07/26/2013 04:10:37
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721075CLA332 SATA Disk Device +++++
--- User ---
[MBR] 787f3cfcf7704d44b5cb43f3f629012c
[BSP] 36f47b55b9edb73b90a3ce4d63ef4d5c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 702933 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1439813632 | Size: 12369 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] e6bdd4c12305eac649249713d20e76a8
[BSP] ae9fcc0739773fcf778ecffb5fcb9c31 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo
Finished : << RKreport[0]_S_07262013_041037.txt >>
-
I was just wondering if one was better than the other or about the same, as zonealarm has the firewall and antivirus together, where as avg you have to pay to get the firewall of theirs.
You can do your own comparison here. (http://www.av-comparatives.org/) I prefer MSE by MS because it's liteweight and unobtrusive.
Please run RogueKiller and delete those items.
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
- Leave the check mark next to Remove found threats.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
Ok SuperDave,
I ran RogueKiller and deleted and then ran ESET online scanner. When it was done it said, no threats found and all it had was a finish button, so I went to :C:\Program Files\ESET\ESET Online Scanner\log.txt and the only log that was there said this:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
hope that is normal?
thanks for the link on antiviruses... I think I might just uninstall avg and go with the Microsoft essentials. I didn't look to much but didn't see to much on checkpoint (zonealarm) just wish I could get just the firewall alone.
last time I had a problem and came here I was advised to get another firewall besides windows. that was on an xp operating system. is windows firewall more secure now in windows 7... just curious!
ok will wait for further instructions:
-
that was on an xp operating system. is windows firewall more secure now in windows 7... just curious!
You can have ZoneAlarm free firewall here.
How's your computer running?
Looking over your log it seems you don't have any evidence of a third party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember only install ONE firewall
1) Comodo Personal Firewall (http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html)
3) Agnitum Outpost (http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html)
4) PC Tools Firewall Plus (http://www.majorgeeks.com/PC_Tools_Firewall_Plus_d5470.html)
5) ZoneAlarm Firewall (http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
-
hello SuperDave,
I do have zonealarm firewall installed on here.. I just checked and it said basic firewall and application control is on and saying 105 programs secured. maybe I should uninstall and reinstall? I have been disabling zonealarm, avg and iobit malware fighter when running the scans you suggest. maybe that was wrong?
Well the computer is running way better than it was. I only had a shutdown and restart yesterday and one this morning. before it was like as soon as you got on and clicked a site or typed in an web address that it would do it. these last two times I was typing in "ratings on free firewalls" in the address bar and was going to let google search.. I got to "ratings on f" and it shutdown and restarted and the one time yesterday I forget what or didn't write down what address or words I was using in the address bar when it went down. I told my dad to get on this morning and do what he normally does and he said he had no blackouts as he calls them. So what we have done has greatly helped. I dunno maybe it is more than a malware problem. just clicking on links or favorites to sites and links within the sites, the restart has ceased to be happening. maybe you have thoughts on it. only when I type in the address bar does it happen but when it restarts I can type in the same thing and it goes through and works.. it seems to just be random. once a day is a very big improvement to the way it was. I Havent ran any other scans or installed or uninstalled anything , only disabled what I mentioned above. so as not to interfere with our progress. I do appreciate the help and advice.
-
I just clicked on your link for online armor and majorgeeks website came up and while loading screen , computer shutdown and restarted. once restarted came back to your link and clicked again with no problem went straight to site and loaded. weird ???
-
What browser are you using?
-
Internet Explorer 10.. Guess I can try firefox for awhile and see if it does the same thing.
-
Internet Explorer 10.. Guess I can try firefox for awhile and see if it does the same thing.
Will you please do that and let me know?
-
Firefox is even worse. went to bleeping computer and it restarted on me second time went in BC again and got in then restarted when I clicked on a link in there.. so this time went to Major geeks and as soon as I got in it restarted again. didn't even try that again and just came here to report. Well it did it again when I clicked on reply. So came back in Internet Explorer to report to you. Any Ideas I am at a loss for sure. :-\
-
[removed]
Please do not post malware removal advice unless you are a certified helper as detailed in the sticky thread at the top of the forum.
http://www.computerhope.com/forum/index.php/topic,46313.0.html
Calum.
-
[removed]
Please do not post malware removal advice unless you are a certified helper as detailed in the sticky thread at the top of the forum.
http://www.computerhope.com/forum/index.php/topic,46313.0.html
Calum.
-
Obiviously battleplan you are new to the computerhope forums.. I think I will stick with Superdaves advice.
-
Hello SupwerDave,
I am still waiting on further instructions or advice. You haven't givin up on me yet have you?
-
No, I'm just a bit baffled by this strange behaviour. When it shuts down is there any warning message?
-
yea, I am just as baffled as you are... never seen this before.
No, there is no warning/error message.. the screen just goes black and then a screen saying windows did not shut down successfully etc.. then has the options of starting in safe mode, safe mode with networking, safe mode with command prompt or start windows normally highlighted and will start after so many seconds by itself unless you hit enter. I think today I will disable all add-on's and see if it still does it.. just a thought? I know all the stuff we have done has improved it a lot from where it was before.
-
Please look in your device manager to see if there are any yellow icons.
-
Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help.Superdave.
-
sorry for taking so long to reply... had a family emergency.. I looked in device manager and did not see any yellow icons.. just got back so haven't had time to really see how things are working. I will try to get on some more and see what is happening. will get back to you. any other thoughts? thanks! :)
-
Hello Superdave!!
I am back and have folks complaining that computer is still shutting down and re-booting.. I am at a loss here.. I did bring my computer down and hooked it up. now mine shutsdown but gives a warning before I have to manually shutdown.. so I am thinking it might have something to do with the modem for the dishnet. I do not want to do much without your advice or direction. I am pretty literal on computers, but this has me confused.. I will start a new thread for my computer to make sure all is ok.. Oh and btw if I go to safemode with networking, I have no problems on either computer for shutting down or going to black screen.. any thoughts? Thanks so much for your patience! will start a new thread for my computer just to make sure.. but I am believing it is not our computers.. it is hughesnet or the modem. Or do you think maybe windows 7 cannot handle the web accelerator. just thoughts going through my head. any thoughts or advice would be helpful?
-
I did bring my computer down and hooked it up. now mine shutsdown but gives a warning before I have to manually shutdown.. so I am thinking it might have something to do with the modem for the dishnet.
I am also baffled. The modem shouldn't have anything to do with both computer shutting down. Are you certain that you have a reliable power supply there?
-
ok so I have finally had some time to mess around with computers again... Yes Superdave I am sure the power supply is reliable.. I have found that if I boot into safe mode on the computers that everything works fine.. but the minute I boot back to normal windows they shutdown again. I do not know what to think. I even took mine back home and it works fine on cableone internet service... I have been bringing it up to others I think knowledgeable people, just for input mind you! I still havent done anything as I know you are helping me.. one suggestion was that dishnet or hughes has some kind of accelerator that boosts the signal at first then slows it down and maybe if I shut that off it might help. I do not even know what or where that would be except in the modem or do you think maybe it is the sattelite. I dunno just grasping at straws now? ??? I just cannot figure why it works ok in safemode with networking but not normal windows.. any Ideas... like i said I havent done anything to my moms except what you have told me to do. harvesting is going on right now so havent had much time to work on it.. and I take other suggestions from others lightly... just at a loss right now! :-\ any other suggestions?
-
I even took mine back home and it works fine on cableone internet service
The fact that the computer works well on another ISP means that there's something about your ISP that's causing the problem. You should try contacting them to see if they can help.
-
Hello Superdave!
sorry it's been so long to reply, haven't been around due to working away from home.. I did get ahold of hughes network before I left and they said that they was still working out bugs in the new satellite that my mom gets her internet from...( was shocked they admitted that!)... guess they have fixed whatever it was, as my mom said that she hasn't had problems like she was with comp shutting down.. has only happened a couple of times since I have been gone.. I am back home for holidays and brought my comp down to moms and I have not had any problems with a shutdown while surfing or searching internet.. so I guess it had something to do with service providers equipment... I suppose you can close this posts now.. things seem to be working fine now.. I would like to thank you so very much for your patience and time that you have given me.. You guy's are the best! :) ;) (|
-
You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.