Computer Hope


Title: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: goodie2010 on August 31, 2012, 08:54:16 AM
Good Day,

So last night, while on a piano website, I started getting a bunch of UAC popups that went something like: "Do you want to allow the following program to make changes to your computer? fpdownload.macromedia.com/get/shockwave/cabs/flash..." That's not an exact quote; it had some other things on the end. Anyway, I declined access, but it kept popping up. One time I came back to the computer and had around 20 UAC popups asking if I wanted to allow Adobe to make changes.

I googled the crap out of fpdownload and, surprisingly, most sites were saying it was safe. :( Anyway, I was still suspicious. A couple of sites said it was a problem, but those weren't the same links I had; they were fpdownload.macromedia, but they didn't have shockwave, and they seemed to have some harsher problems accompanying their virus. So, after the majority of sites said the UAC was safe, I allowed access. Nothing happened! So I thought I was good. I ran Malwarebytes and SUPERAntiSpyware. Malwarebytes found nothing; SUPERAntiSpyware found some cookies.

So I thought I was fine. Then, later that night, all these UAC consents from fpdownload.macromedia started popping up again. I woke up this morning and the computer was off. I started it up, clicked resume, and had at least 30 UACs asking to allow fpdownload.

Here are my logs. Since I ran Malwarebytes last night and it didn't find anything, I didn't run it again.


DDS


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Owner at 10:29:48 on 2012-08-31
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4008.1510 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: STOPzilla Anti-Spyware *Disabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files (x86)\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\GFNEXSrv.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Users\Owner\AppData\Local\Skillbrains\lightshot\3.0.0.0\LightShot.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Sleep Utility\TSleepSrv.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\windows\System32\alg.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\STOPzilla!\STOPzilla.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\DllHost.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\svchost.exe -k AxInstSVGroup
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\system32\taskmgr.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\$Recycle.Bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [LightShot] C:\Users\Owner\AppData\Local\Skillbrains\lightshot\LightShot.exe Flags: uninsdeletevalue
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\windows\system32\idmmbc.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{42DC5299-B72D-45A6-96F2-5E7E9658F9EA} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{42DC5299-B72D-45A6-96F2-5E7E9658F9EA}\D4A402F6E602055616368647275656 : DhcpNameServer = 192.168.43.1
TCP: Interfaces\{42DC5299-B72D-45A6-96F2-5E7E9658F9EA}\D4A4055616368647275656 : DhcpNameServer = 192.168.43.1
TCP: Interfaces\{42DC5299-B72D-45A6-96F2-5E7E9658F9EA}\D6A616E64627F69646 : DhcpNameServer = 192.168.43.1
TCP: Interfaces\{9846802C-EA34-4101-93C1-285F66728A2F} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{C21BEDC8-19D6-4D37-A721-97C73D482AD5} : DhcpNameServer = 192.168.42.129
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO-X64:     IDM Helper - No File
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
BHO-X64:     0x1 - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\057jrvt7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - *Blocked Russian URL*/yandsearch?win=28&clid=1855511&text=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Owner\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\057jrvt7.default\extensions\{394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B}\plugins\npLightshot.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110788
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 326ac83000000000000074de2badb40a
FF - user.js: extensions.BabylonToolbar_i.hardId - 326ac83000000000000074de2badb40a
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15419
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.172:54:58
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 GFNEXSrv;GFNEX Service;C:\Windows\System32\GFNEXSrv.exe --> C:\Windows\System32\GFNEXSrv.exe [?]
R2 IDMWFP;IDMWFP;C:\windows\system32\DRIVERS\idmwfp.sys --> C:\windows\system32\DRIVERS\idmwfp.sys [?]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-11-21 126392]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2011-5-24 294848]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-11-21 2656280]
R3 IntcDAud;Intel(R) Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-11-21 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-10 138152]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2011-7-1 828856]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
S3 ivusb;Initio Driver for USB Default Controller;C:\windows\system32\DRIVERS\ivusb.sys --> C:\windows\system32\DRIVERS\ivusb.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-2 114144]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-08-31 07:32:25   69000   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5113528E-8A02-4701-92FD-AFE665ACF31A}\offreg.dll
2012-08-31 07:31:46   9310152   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5113528E-8A02-4701-92FD-AFE665ACF31A}\mpengine.dll
2012-08-31 04:21:44   --------   d--h--w-   C:\windows\AxInstSV
2012-08-30 23:48:55   475136   ----a-w-   C:\Users\Owner\AppData\Local\qxoubxtxem.exe
2012-08-29 12:03:03   73696   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-29 12:03:01   192592   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-08-29 12:03:01   114144   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-08-29 12:03:00   421200   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-08-29 12:02:59   770384   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-08-22 06:05:25   --------   d-----w-   C:\Program Files (x86)\MixMeister BPM Analyzer
2012-08-22 05:49:14   --------   d-----w-   C:\Program Files (x86)\Abyssmedia
2012-08-22 05:35:37   --------   d-----w-   C:\Program Files (x86)\Pistonsoft BPM Detector
2012-08-15 11:16:26   503808   ----a-w-   C:\windows\System32\srcore.dll
2012-08-15 11:16:26   43008   ----a-w-   C:\windows\SysWow64\srclient.dll
2012-08-15 11:16:22   751104   ----a-w-   C:\windows\System32\win32spl.dll
2012-08-15 11:16:22   67072   ----a-w-   C:\windows\splwow64.exe
2012-08-15 11:16:22   559104   ----a-w-   C:\windows\System32\spoolsv.exe
2012-08-15 11:16:22   492032   ----a-w-   C:\windows\SysWow64\win32spl.dll
2012-08-15 11:16:18   59392   ----a-w-   C:\windows\System32\browcli.dll
2012-08-15 11:16:18   41984   ----a-w-   C:\windows\SysWow64\browcli.dll
2012-08-15 11:16:18   3148800   ----a-w-   C:\windows\System32\win32k.sys
2012-08-15 11:16:18   136704   ----a-w-   C:\windows\System32\browser.dll
2012-08-15 11:16:17   956928   ----a-w-   C:\windows\System32\localspl.dll
.
==================== Find3M  ====================
.
2012-07-27 10:55:00   70304   ----a-w-   C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-27 10:55:00   419488   ----a-w-   C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 17:46:44   24904   ----a-w-   C:\windows\System32\drivers\mbam.sys
2012-06-29 03:56:34   2312704   ----a-w-   C:\windows\System32\jscript9.dll
2012-06-29 03:49:11   1392128   ----a-w-   C:\windows\System32\wininet.dll
2012-06-29 03:48:07   1494528   ----a-w-   C:\windows\System32\inetcpl.cpl
2012-06-29 03:43:49   173056   ----a-w-   C:\windows\System32\ieUnatt.exe
2012-06-29 03:39:48   2382848   ----a-w-   C:\windows\System32\mshtml.tlb
2012-06-29 00:16:58   1800704   ----a-w-   C:\windows\SysWow64\jscript9.dll
2012-06-29 00:09:01   1129472   ----a-w-   C:\windows\SysWow64\wininet.dll
2012-06-29 00:08:59   1427968   ----a-w-   C:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43   142848   ----a-w-   C:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45   2382848   ----a-w-   C:\windows\SysWow64\mshtml.tlb
2012-06-06 06:06:16   2004480   ----a-w-   C:\windows\System32\msxml6.dll
2012-06-06 06:06:16   1881600   ----a-w-   C:\windows\System32\msxml3.dll
2012-06-06 06:02:54   1133568   ----a-w-   C:\windows\System32\cdosys.dll
2012-06-06 05:05:52   1390080   ----a-w-   C:\windows\SysWow64\msxml6.dll
2012-06-06 05:05:52   1236992   ----a-w-   C:\windows\SysWow64\msxml3.dll
2012-06-06 05:03:06   805376   ----a-w-   C:\windows\SysWow64\cdosys.dll
2012-06-02 22:15:31   2622464   ----a-w-   C:\windows\System32\wucltux.dll
2012-06-02 22:15:08   99840   ----a-w-   C:\windows\System32\wudriver.dll
2012-06-02 19:19:42   186752   ----a-w-   C:\windows\System32\wuwebv.dll
2012-06-02 19:15:12   36864   ----a-w-   C:\windows\System32\wuapp.exe
.
============= FINISH: 10:30:19.07 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/9/2011 8:47:19 AM
System Uptime: 8/30/2012 10:20:54 PM (12 hours ago)
.
Motherboard: Intel Corporation |  | Oneonta Falls
Processor: Intel(R) Core(TM) i3-2330M CPU @ 2.20GHz | CPU 1 | 2200/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 450 GiB total, 288.887 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Realtek PCIe FE Family Controller
Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_FC661179&REV_05\1E010000364CE00000
Manufacturer: Realtek
Name: Realtek PCIe FE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_FC661179&REV_05\1E010000364CE00000
Service: RTL8167
.
==== System Restore Points ===================
.
RP92: 8/14/2012 9:24:39 AM - Windows Update
RP93: 8/16/2012 11:33:11 AM - Windows Update
RP94: 8/19/2012 8:40:33 AM - StopZILLA! Restore Point.
RP95: 8/21/2012 4:56:43 PM - Windows Update
RP96: 8/26/2012 8:40:32 AM - StopZILLA! Restore Point.
RP97: 8/28/2012 5:40:10 PM - Windows Update
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Apple Software Update
Ares 2.1.7
Bejeweled 3
BPM Counter 1.6.0.0
Chuzzle Deluxe
ConvertXtoDVD 3.6.4.158
D3DX10
DAEMON Tools Lite
FATE - The Traitor Soul
Fishdom (TM) 2
Google Chrome
Google Update Helper
HijackThis 2.0.2
InfraRecorder
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 25
Junk Mail filter update
Label@Once 1.0
lightshot-3.0.0.0
Malwarebytes Anti-Malware version 1.62.0.1300
Mesh Runtime
Microsoft Office 2010
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
MixMeister BPM Analyzer 1.0
Mozilla Firefox 15.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Premium
neroxml
Norton PC Checkup
Paint XP version 1.1
Penguins!
Pistonsoft BPM Detector 1.0
Plants vs. Zombies - Game of the Year
PlayItAll media player 1.0.5
PlayReady PC Runtime x86
Polar Bowler
QuickTime
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
STOPzilla
Tom Clancy's Splinter Cell
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Resolution+ Plug-in for Windows Media Player
TOSHIBA Service Station
TOSHIBA Sleep Utility
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TOSHIBA Wireless LAN Indicator
TOSHIBARegistration
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update Installer for WildTangent Games App
Virtual Villagers 5 - New Believers
WildTangent Games
WildTangent Games App (Toshiba Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.01 (32-bit)
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
8/31/2012 3:42:17 AM, Error: Schannel [36888]  - The following fatal alert was generated: 40. The internal error state is 107.
8/31/2012 3:42:17 AM, Error: Schannel [36874]  - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
8/31/2012 10:23:23 AM, Error: Microsoft-Windows-SharedAccess_NAT [31004]  - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
8/30/2012 10:21:23 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  is3srv
8/26/2012 10:56:40 AM, Error: ACPI [10]  - ACPI: ACPI BIOS is attempting to write to an illegal PCI Operation Region (0x4), Please contact your system vendor for technical assistance.
.
==== End Of File ===========================



# AdwCleaner v2.000 - Logfile created 08/31/2012 at 10:32:35
# Updated 30/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\Owner\Documents\Downloads\Programs\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\user.js
File Found : C:\Users\Owner\AppData\Local\funmoods-speeddial.crx
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\Users\Owner\AppData\Local\Babylon
Folder Found : C:\Users\Owner\AppData\LocalLow\Search Settings
Folder Found : C:\Users\Owner\AppData\Roaming\Babylon
Folder Found : C:\Users\Owner\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Found : HKCU\Software\Zugo
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Software
Key Found : HKU\S-1-5-21-383216099-2733633658-1331451555-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\057jrvt7.default\prefs.js

Found : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110788");
Found : user_pref("extensions.BabylonToolbar_i.hardId", "326ac83000000000000074de2badb40a");
Found : user_pref("extensions.BabylonToolbar_i.id", "326ac83000000000000074de2badb40a");
Found : user_pref("extensions.BabylonToolbar_i.instlDay", "15419");
Found : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
Found : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.172:54:58");
Found : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Found : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/addons/firefox/update.x[...]
Found : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/addons/firefox/update.x[...]
Found : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/scripts/qa.php?product_[...]
Found : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/scripts/qa.php?product_[...]
Found : user_pref("extensions.kango.storage.script_loader.data", "\"[]\"");
Found : user_pref("extensions.kango.storage.statistics.user_guid", "\"{07E7BE69-C56E-FF1A-4912-4A95F888EBBF}[...]
Found : user_pref("extensions.kango.storage.statistics.user_stat_sent", "\"Sun Jun 03 2012 08:19:29 GMT-0400[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Chromium v [Unable to get version]

File : C:\Users\Owner\AppData\Local\Chromium\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\Owner\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4018 octets] - [31/08/2012 10:32:35]

########## EOF - C:\AdwCleaner[R1].txt - [4078 octets] ##########
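The DDS log above is long, and the entries a helper reads first are scattered through it: the live process at `C:\$Recycle.Bin\...\U` with no file extension, the `qxoubxtxem.exe` written to `AppData\Local` on the evening the prompts started, the hidden `C:\windows\AxInstSV` directory created that morning, the `keyword.URL` redirect and the Babylon `user.js` entries in the Firefox profile, and the UAC policy values (5 and 3 are the Windows 7 defaults, so UAC was prompting as designed). The Python script below is an added example, not part of the original post and not DDS, AdwCleaner or Computer Hope code: it parses the log's `====` section framing and applies those rules to an excerpt copied from the log above. The rules, thresholds and wording are my own; a hit means the path should be looked up by hash and signature, not that it is malicious.

```python
"""Triage a DDS log section by section. Added example for this thread, not DDS or AdwCleaner
code; the rules are my own, and a hit means "look this up", not "malicious"."""
import re

# Lines copied from the DDS log posted above, trimmed to the ones the rules act on.
DDS_EXCERPT = r"""
============== Running Processes ===============
C:\windows\system32\wininit.exe
C:\windows\system32\svchost.exe -k AxInstSVGroup
C:\$Recycle.Bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U
============== Pseudo HJT Report ===============
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
================= FIREFOX ===================
FF - prefs.js: keyword.URL - *Blocked Russian URL*/yandsearch?win=28&clid=1855511&text=
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110788
=============== Created Last 30 ================
2012-08-31 04:21:44   --------   d--h--w-   C:\windows\AxInstSV
2012-08-30 23:48:55   475136   ----a-w-   C:\Users\Owner\AppData\Local\qxoubxtxem.exe
2012-08-29 12:03:01   114144   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
==================== Find3M  ====================
"""
SECTION_RE = re.compile(r"^[=-]+\s*(.+?)\s*[=-]+$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$")
POLICY_RE = re.compile(r"mPolicies-system:\s+(ConsentPromptBehavior(?:Admin|User))\s*=\s*(\d+)")
FF_PREF_RE = re.compile(r"^FF - (prefs|user)\.js: (\S+) - (.*)$")
# Locations an installed program almost never runs from, and what the UAC policy values mean.
SUSPECT_DIRS = ("\\$recycle.bin\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".com")
UAC_ADMIN = {0: "elevate without prompting", 1: "prompt for credentials on the secure desktop",
             2: "prompt for consent on the secure desktop", 3: "prompt for credentials",
             4: "prompt for consent", 5: "prompt for consent for non-Windows binaries (default)"}
UAC_USER = {0: "automatically deny elevation requests",
            1: "prompt for credentials on the secure desktop", 3: "prompt for credentials (default)"}

def parse_sections(text):
    # Map each '==== Name ====' (or '---- Name ----') header to the stripped lines beneath it.
    sections, current = {"preamble": []}, "preamble"
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections

def suspicious_path(path):
    return any(d in path.lower() for d in SUSPECT_DIRS)

def check_processes(lines):
    findings = []
    for line in lines:
        path = re.split(r"\s+-", line, maxsplit=1)[0]   # drop '-k GroupName' style arguments
        name = path.rsplit("\\", 1)[-1]
        reasons = [why for hit, why in ((suspicious_path(path), "runs from a user-writable or recycle-bin location"),
                                        ("." not in name, "image name has no extension")) if hit]
        if reasons:
            findings.append(("process", path, "; ".join(reasons)))
    return findings

def check_created(lines):
    findings = []
    for m in filter(None, map(CREATED_RE.match, lines)):
        when, _size, attrs, path = m.groups()
        low, is_dir, hidden = path.lower(), attrs.startswith("d"), "h" in attrs
        if not is_dir and low.endswith(EXEC_EXT) and suspicious_path(path):
            findings.append(("created", path, f"executable written to a user-writable path at {when}"))
        elif is_dir and hidden and low.startswith("c:\\windows\\"):
            findings.append(("created", path, f"hidden directory created under the Windows directory at {when}"))
    return findings

def check_uac(lines):
    # Decode ConsentPromptBehavior*: 0 means silent elevation (admins) or outright denial (users).
    findings = []
    for m in filter(None, map(POLICY_RE.search, lines)):
        key, value = m.group(1), int(m.group(2))
        table = UAC_ADMIN if key.endswith("Admin") else UAC_USER
        findings.append(("uac-weak" if value == 0 else "uac-info", f"{key}={value}",
                         table.get(value, "unrecognised value")))
    return findings

def check_firefox(lines):
    # keyword.URL is empty on a stock profile, and user.js is not a file the browser creates itself.
    findings = []
    for m in filter(None, map(FF_PREF_RE.match, lines)):
        source, pref, value = m.groups()
        if pref == "keyword.URL" and value:
            findings.append(("firefox", pref, f"address-bar search redirected to {value}"))
        elif source == "user":
            findings.append(("firefox", pref, f"pinned by user.js to {value}"))
    return findings

def triage(text):
    s = parse_sections(text)
    return (check_processes(s.get("Running Processes", []))
            + check_created(s.get("Created Last 30", []))
            + check_uac(s.get("Pseudo HJT Report", []))
            + check_firefox(s.get("FIREFOX", []) + s.get("FIREFOX POLICIES", [])))
```

Calling `triage(DDS_EXCERPT)` returns seven `(kind, what, why)` tuples: the `\U` process (two reasons), the two created items, both UAC values as `uac-info` (no `uac-weak`, because both are at their defaults), the `keyword.URL` redirect and the Babylon `user.js` entry. The benign `wininit.exe` and the Firefox maintenance service are not reported. The same parser works on the full log because DDS frames every section the same way.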
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: Dr Jay on August 31, 2012, 09:42:47 AM
Hello hello!

Remove the Adware:
Please post the log.


ComboFix
 
Please download ComboFix by sUBs
From BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
 
Please save the file to your Desktop, but rename it first to svchost.exe
 
Important information about ComboFix
 
Before the download:
After the download:
Running ComboFix:
Troubleshooting ComboFix
 
Safe Mode:
 
If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.
 
(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")
 
Re-downloading:
 
If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.
 
Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.


NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: goodie2010 on August 31, 2012, 10:20:56 AM
Hi, thanks for your help, Drag Master Jay!

# AdwCleaner v2.000 - Logfile created 08/31/2012 at 12:03:16
# Updated 30/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\Owner\Documents\Downloads\Programs\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\user.js
File Deleted : C:\Users\Owner\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\Owner\AppData\Local\Babylon
Folder Deleted : C:\Users\Owner\AppData\LocalLow\Search Settings
Folder Deleted : C:\Users\Owner\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Owner\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\057jrvt7.default\prefs.js

C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\057jrvt7.default\user.js ... Deleted !

Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110788");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "326ac83000000000000074de2badb40a");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "326ac83000000000000074de2badb40a");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15419");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.172:54:58");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/addons/firefox/update.x[...]
Deleted : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/addons/firefox/update.x[...]
Deleted : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/scripts/qa.php?product_[...]
Deleted : user_pref("extensions.kango.storage.CachedhxxpRequest.hxxp://ring-tools.info/scripts/qa.php?product_[...]
Deleted : user_pref("extensions.kango.storage.script_loader.data", "\"[]\"");
Deleted : user_pref("extensions.kango.storage.statistics.user_guid", "\"{07E7BE69-C56E-FF1A-4912-4A95F888EBBF}[...]
Deleted : user_pref("extensions.kango.storage.statistics.user_stat_sent", "\"Sun Jun 03 2012 08:19:29 GMT-0400[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Chromium v [Unable to get version]

File : C:\Users\Owner\AppData\Local\Chromium\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\Owner\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4143 octets] - [31/08/2012 10:32:35]
AdwCleaner[R2].txt - [4203 octets] - [31/08/2012 12:02:47]
AdwCleaner[S1].txt - [4775 octets] - [31/08/2012 12:03:16]

########## EOF - C:\AdwCleaner[S1].txt - [4835 octets] ##########







ComboFix 12-08-30.05 - Owner 08/31/2012  12:09:31.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4008.2592 [GMT -4:00]
Running from: c:\users\Owner\Desktop\svchost.exe.exe
SP: STOPzilla Anti-Spyware *Disabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\@
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\n
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U\00000001.@
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U\80000000.@
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U\800000cb.@
c:\users\Owner\AppData\Local\PackSetup.exe
c:\users\Owner\AppData\Local\qxoubxtxem.exe
c:\users\Owner\AppData\Local\Skillbrains\lightshot\LightShot.exe Flags: uninsdeletevalue
c:\users\Owner\AppData\Roaming\inst.exe
c:\users\Owner\AppData\Roaming\vso_ts_preview.xml
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-28 to 2012-08-31  )))))))))))))))))))))))))))))))
.
.
2012-08-31 16:14 . 2012-08-31 16:14   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-08-31 15:19 . 2012-08-31 15:19   --------   d-----w-   c:\programdata\McAfee
2012-08-31 15:19 . 2012-08-31 15:19   --------   d-----w-   c:\programdata\McAfee Security Scan
2012-08-31 15:19 . 2012-08-31 15:19   --------   d-----w-   c:\program files (x86)\McAfee Security Scan
2012-08-31 15:02 . 2012-08-31 16:03   --------   d--h--w-   c:\windows\AxInstSV
2012-08-31 07:31 . 2012-08-23 08:26   9310152   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{5113528E-8A02-4701-92FD-AFE665ACF31A}\mpengine.dll
2012-08-29 12:03 . 2012-08-29 12:03   73696   ----a-w-   c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-29 12:03 . 2012-08-29 12:03   192592   ----a-w-   c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-08-29 12:03 . 2012-08-29 12:03   114144   ----a-w-   c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-08-29 12:03 . 2012-08-29 12:03   421200   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-08-29 12:02 . 2012-08-29 12:03   770384   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-08-22 06:05 . 2012-08-22 06:05   --------   d-----w-   c:\program files (x86)\MixMeister BPM Analyzer
2012-08-22 05:49 . 2012-08-22 05:49   --------   d-----w-   c:\program files (x86)\Abyssmedia
2012-08-22 05:35 . 2012-08-22 05:35   --------   d-----w-   c:\program files (x86)\Pistonsoft BPM Detector
2012-08-15 11:16 . 2012-05-05 08:36   503808   ----a-w-   c:\windows\system32\srcore.dll
2012-08-15 11:16 . 2012-05-05 07:46   43008   ----a-w-   c:\windows\SysWow64\srclient.dll
2012-08-15 11:16 . 2012-02-11 06:43   751104   ----a-w-   c:\windows\system32\win32spl.dll
2012-08-15 11:16 . 2012-02-11 06:36   559104   ----a-w-   c:\windows\system32\spoolsv.exe
2012-08-15 11:16 . 2012-02-11 06:36   67072   ----a-w-   c:\windows\splwow64.exe
2012-08-15 11:16 . 2012-02-11 05:43   492032   ----a-w-   c:\windows\SysWow64\win32spl.dll
2012-08-15 11:16 . 2012-07-18 18:15   3148800   ----a-w-   c:\windows\system32\win32k.sys
2012-08-15 11:16 . 2012-07-04 22:16   73216   ----a-w-   c:\windows\system32\netapi32.dll
2012-08-15 11:16 . 2012-07-04 22:13   59392   ----a-w-   c:\windows\system32\browcli.dll
2012-08-15 11:16 . 2012-07-04 22:13   136704   ----a-w-   c:\windows\system32\browser.dll
2012-08-15 11:16 . 2012-07-04 21:14   41984   ----a-w-   c:\windows\SysWow64\browcli.dll
2012-08-15 11:16 . 2012-05-14 05:26   956928   ----a-w-   c:\windows\system32\localspl.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 15:19 . 2012-07-17 07:58   696520   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-31 15:19 . 2011-07-27 03:34   73416   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 15:34 . 2012-03-02 03:11   62134624   ----a-w-   c:\windows\system32\MRT.exe
2012-07-03 17:46 . 2012-03-09 11:59   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-06-09 05:43 . 2012-07-15 11:36   14172672   ----a-w-   c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-15 11:36   2004480   ----a-w-   c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-15 11:36   1881600   ----a-w-   c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-15 11:36   1133568   ----a-w-   c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-15 11:36   1390080   ----a-w-   c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-15 11:36   1236992   ----a-w-   c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-15 11:36   805376   ----a-w-   c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-21 22:20   38424   ----a-w-   c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 22:20   2428952   ----a-w-   c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 22:20   57880   ----a-w-   c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 22:20   44056   ----a-w-   c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 22:20   701976   ----a-w-   c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 22:20   2622464   ----a-w-   c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 22:20   99840   ----a-w-   c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 22:20   186752   ----a-w-   c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 22:20   36864   ----a-w-   c:\windows\system32\wuapp.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightShot"="c:\users\Owner\AppData\Local\Skillbrains\lightshot\LightShot.exe" [2011-03-16 195072]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2012-02-23 6591800]
"ares"="c:\program files (x86)\Ares\Ares.exe" [2010-10-27 1015808]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-07-15 1938274]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2011-06-22 3218864]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2007-06-29 286720]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R0 is3srv;is3srv;c:\windows\SySWOW64\drivers\is3srv64.sys [2011-09-26 74768]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-29 29720]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-26 114144]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-10-30 250984]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-14 413800]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-21 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 szkg5;szkg5;c:\windows\SySWOW64\DRIVERS\szkg64.sys [2011-09-26 74768]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-06-24 482384]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-05-15 283200]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 GFNEXSrv;GFNEX Service;c:\windows\System32\GFNEXSrv.exe [2010-09-10 162824]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2011-07-06 145008]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2011-05-24 294848]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-21 2656280]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2012-02-03 82816]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2011-02-09 38096]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-11-03 1103464]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2011-07-01 828856]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 21:55]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 21:55]
.
2012-08-31 c:\windows\Tasks\update-S-1-5-21-383216099-2733633658-1331451555-1000.job
- c:\program files (x86)\Skillbrains\Updater\Updater.exe [2012-01-17 03:09]
.
2012-08-31 c:\windows\Tasks\update-sys.job
- c:\program files (x86)\Skillbrains\Updater\Updater.exe [2012-01-17 03:09]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50   22408   ----a-w-   c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-06-03 2226280]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
LSP: c:\windows\system32\idmmbc.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\057jrvt7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - *Blocked Russian URL*/yandsearch?win=28&clid=1855511&text=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
Toolbar-Locked - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-383216099-2733633658-1331451555-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):d0,f3,8a,0c,25,a7,1c,03,dd,93,cf,d9,5a,f0,80,e4,85,ab,64,0d,03,
   6f,64,f9,29,c7,4a,38,bd,21,7a,93,af,87,be,1f,25,e9,12,34,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-383216099-2733633658-1331451555-1000_Classes\Wow6432Node\CLSID\{8b57a127-b7f1-400a-b4a2-69c783f20fcb}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000049
"Therad"=dword:00000015
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-31  12:16:59
ComboFix-quarantined-files.txt  2012-08-31 16:16
.
Pre-Run: 312,372,957,184 bytes free
Post-Run: 312,228,642,816 bytes free
.
- - End Of File - - 6A87775ED81DB18BA2CEC7AA5F75489D
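Added example (not part of this thread, and not ComboFix's own logic): a small Python triage script that runs over a log in the format posted above and pulls out the four things a reviewer of that log looks at first. It lists executables living under a profile's AppData (the deleted PackSetup.exe, qxoubxtxem.exe and inst.exe, but also the LightShot Run entry, which shows that this location alone is not a verdict); groups the $Recycle.Bin\<SID>\$<32 hex>\ files ("@", "n" and the "U\" subtree) that ComboFix deleted and that ESET later reports as Win64/Sirefef; lists the keys ComboFix printed under LOCKED REGISTRY KEYS with an @Denied ACE for Everyone; finds COM classes registered with Elevation\Enabled=1, which in this log is Adobe's FlashBroker with FlashUtil11e_ActiveX.exe as its LocalServer32 (a class registered this way is what may legitimately raise a UAC consent prompt on behalf of a non-elevated caller); and decodes the ConsentPromptBehaviorAdmin value (5 is the Windows 7 default, "prompt for consent for non-Windows binaries"). The regular expressions, function names and the "(A 2)" rights text are my own choices; the sample input is excerpted from the ComboFix log above. The script does not touch the registry or the file system, so it runs anywhere Python runs.

```python
"""Triage helper for ComboFix-style logs (added example; not part of this thread
or of ComboFix). Extracts executables under AppData, the $Recycle.Bin payload
layout ComboFix deleted above, keys printed with a Deny ACE, COM classes that
may raise a UAC prompt (Elevation subkey, Enabled=1), and the UAC admin policy."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted verbatim from the ComboFix log in the post above.
SAMPLE_LOG = r"""
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\@
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\n
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U\00000001.@
c:\$recycle.bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U\80000000.@
c:\users\Owner\AppData\Local\PackSetup.exe
c:\users\Owner\AppData\Local\qxoubxtxem.exe
c:\users\Owner\AppData\Roaming\inst.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightShot"="c:\users\Owner\AppData\Local\Skillbrains\lightshot\LightShot.exe" [2011-03-16 195072]
"ares"="c:\program files (x86)\Ares\Ares.exe" [2010-10-27 1015808]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
[HKEY_USERS\S-1-5-21-383216099-2733633658-1331451555-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
"""

USER_EXE_RE = re.compile(r'[a-z]:\\users\\[^\\]+\\appdata\\[^"\[\n]+?\.exe', re.I)
RECYCLE_RE = re.compile(r'[a-z]:\\\$recycle\.bin\\(S-1-5-21-[\d-]+)\\\$([0-9a-f]{32})\\(\S+)', re.I)
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
ACE_RE = re.compile(r'^@(Denied|Allowed):\s*\((.+?)\)\s*\((.+?)\)$')
CLSID_RE = re.compile(r'^\[HKEY_[^\]]*\\CLSID\\(\{[0-9A-F-]{36}\})(?:\\([^\]]+))?\]$', re.I)
UAC_RE = re.compile(r'"ConsentPromptBehaviorAdmin"=\s*(\d+)')
UAC_ADMIN_LEVELS = {0: "elevate without prompting", 1: "credentials, secure desktop",
                    2: "consent, secure desktop", 3: "credentials", 4: "consent",
                    5: "consent for non-Windows binaries (Windows 7 default)"}

def appdata_executables(text):
    """Every .exe path under a profile's AppData, first-seen order, deduplicated."""
    return list(dict.fromkeys(USER_EXE_RE.findall(text)))

def recycle_bin_payloads(text):
    """Files grouped by ($Recycle.Bin SID, 32-hex directory name) -> list of tails."""
    groups = defaultdict(list)
    for sid, digest, tail in RECYCLE_RE.findall(text):
        groups[(sid, digest.lower())].append(tail)
    return dict(groups)

def denied_keys(text):
    """Keys that ComboFix printed with an @Denied ACE, with the rights and principal text."""
    found, current = [], None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        ace = ACE_RE.match(line)
        if ace and current and ace.group(1) == "Denied":
            found.append({"key": current, "rights": ace.group(2), "principal": ace.group(3)})
    return found

def elevation_classes(text):
    """CLSIDs whose Elevation subkey has Enabled=1, with friendly name and server binary."""
    classes, clsid, subkey = defaultdict(dict), None, None
    for line in map(str.strip, text.splitlines()):
        m = CLSID_RE.match(line)
        if m:
            clsid, subkey = m.group(1).upper(), (m.group(2) or "").lower()
            continue
        if line.startswith("[") or clsid is None:
            clsid = None  # any other key header ends the CLSID subtree
            continue
        info = classes[clsid]
        if subkey == "" and line.startswith('@="'):
            info["name"] = line[3:-1]
        elif subkey == "elevation" and line.lower() == '"enabled"=dword:00000001':
            info["elevation"] = True
        elif subkey in ("localserver32", "inprocserver32") and line.startswith('@="'):
            info["server"] = line[3:-1].replace("\\\\", "\\")  # undo REGEDIT4 escaping
    return {c: i for c, i in classes.items() if i.get("elevation")}

def uac_admin_policy(text):
    """(value, meaning) for ConsentPromptBehaviorAdmin, or None if the log lacks it."""
    m = UAC_RE.search(text)
    if not m:
        return None
    level = int(m.group(1))
    return level, UAC_ADMIN_LEVELS.get(level, "unknown")

def triage(text):
    return {"appdata_exes": appdata_executables(text), "recycle_bin": recycle_bin_payloads(text),
            "denied_keys": denied_keys(text), "elevation": elevation_classes(text),
            "uac_admin": uac_admin_policy(text)}

if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(f"== {section}\n{value}")
```

Feed it a full ComboFix log by replacing SAMPLE_LOG with the file contents; the output is a triage aid, not a verdict, and every hit still needs the cross-check the thread itself performs (here, ESET's scan of ComboFix's Qoobox quarantine).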
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: Dr Jay on August 31, 2012, 10:46:13 AM
Scan for malware

Please download Malwarebytes Anti-Malware from HERE (https://store.malwarebytes.org/342/cookie?affiliate=5304&redirectto=http%3a%2f%2fwww.malwarebytes.org%2fproducts%2fmalwarebytes_free).


Double Click mbam-setup.exe to install the application.
ESET Online Scan
 
Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: goodie2010 on August 31, 2012, 11:27:46 AM
I keep getting "illegal operation on registry file, can't be opened, they're set for deletion". I get that trying to run Malwarebytes and the online cleaner you listed. I have an older version of mbytes; should I run that?
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: goodie2010 on August 31, 2012, 11:30:46 AM
As a matter of fact, I can't run any virus software (CCleaner, HijackThis, mbytes, SAS). I click on all of them and get "illegal operation on reg. marked for deletion". I notice all the icons have that UAC-looking shield on them.
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: Dr Jay on September 01, 2012, 04:38:31 AM
I don't know if you got this, but I wrote the following above:

Quote
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Please reboot the computer, and try the tools again.
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: goodie2010 on September 01, 2012, 07:17:31 PM
Sorry for the delay; it took ESET a really long time, but it found some things. Thanks so much, Drag Master J (sounds like a rapper, lol). My logs are below. I have a question: you said to do the mbytes quick scan, so that's what I did, but usually I do a full scan. In the future, is there any rule for when to do the full vs. quick scan? Also, mbytes is highly approved here at Computer Hope, but these bugs never showed up in mbytes. Do I need to purchase mbytes professional, or are all these different removal apps good in certain areas, like ESET might be good for this bug but mbytes better for another? Before this, I'd been using mbytes and SAS, and I've noticed a few times mbytes caught something SAS didn't and vice versa.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.01.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

9/1/2012 2:16:45 PM
mbam-log-2012-09-01 (14-16-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198541
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ESET SCAN


C:\Program Files (x86)\FLVPlayer\FLVPlayer.exe   a variant of Win32/InstallCore.A application   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\n.vir   Win64/Sirefef.AP trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U\[email protected]   Win64/Sirefef.AL trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-383216099-2733633658-1331451555-1000\$fe701b6b144cd079585b9e196f361888\U\[email protected]   Win64/Sirefef.AH trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Owner\AppData\Local\qxoubxtxem.exe.vir   Win32/Adware.SecurityShield.D application   cleaned by deleting - quarantined
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6f41d511-2ea3b00f   Win32/Adware.SecurityShield.D application   deleted - quarantined
C:\Users\Owner\Documents\Downloads\Programs\AdvancedPCTweaker_Setup.exe   a variant of Win32/Adware.AdvPCTweak application   cleaned by deleting - quarantined
C:\Users\Owner\Downloads\PlayItAllSetup.exe   Win32/Toolbar.Zugo application   cleaned by deleting - quarantined


Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: Dr Jay on September 02, 2012, 04:09:08 PM
ComboFix Script
 
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: goodie2010 on September 05, 2012, 10:55:46 AM
Sorry for the delay.




ComboFix 12-08-30.05 - Owner 09/04/2012  13:27:24.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4008.2688 [GMT -4:00]
Running from: c:\users\Owner\Desktop\svchost.exe.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\Skillbrains\lightshot\LightShot.exe Flags: uninsdeletevalue
.
.
(((((((((((((((((((((((((   Files Created from 2012-08-04 to 2012-09-04  )))))))))))))))))))))))))))))))
.
.
2012-09-04 17:42 . 2012-09-04 17:42   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-09-04 16:03 . 2012-08-23 08:26   9310152   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{FC62E0E9-2064-49CC-9750-9518BBC9CD9C}\mpengine.dll
2012-09-01 18:24 . 2012-09-01 18:24   --------   d-----w-   c:\program files (x86)\ESET
2012-09-01 18:16 . 2012-09-01 18:16   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-01 18:16 . 2012-07-03 17:46   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-08-31 15:19 . 2012-08-31 15:19   --------   d-----w-   c:\programdata\McAfee
2012-08-31 15:02 . 2012-08-31 16:03   --------   d--h--w-   c:\windows\AxInstSV
2012-08-29 12:03 . 2012-08-29 12:03   73696   ----a-w-   c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-29 12:03 . 2012-08-29 12:03   192592   ----a-w-   c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-08-29 12:03 . 2012-08-29 12:03   114144   ----a-w-   c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-08-29 12:03 . 2012-08-29 12:03   421200   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-08-29 12:02 . 2012-08-29 12:03   770384   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-08-22 06:05 . 2012-08-22 06:05   --------   d-----w-   c:\program files (x86)\MixMeister BPM Analyzer
2012-08-15 11:16 . 2012-05-05 08:36   503808   ----a-w-   c:\windows\system32\srcore.dll
2012-08-15 11:16 . 2012-05-05 07:46   43008   ----a-w-   c:\windows\SysWow64\srclient.dll
2012-08-15 11:16 . 2012-02-11 06:43   751104   ----a-w-   c:\windows\system32\win32spl.dll
2012-08-15 11:16 . 2012-02-11 06:36   559104   ----a-w-   c:\windows\system32\spoolsv.exe
2012-08-15 11:16 . 2012-02-11 06:36   67072   ----a-w-   c:\windows\splwow64.exe
2012-08-15 11:16 . 2012-02-11 05:43   492032   ----a-w-   c:\windows\SysWow64\win32spl.dll
2012-08-15 11:16 . 2012-07-18 18:15   3148800   ----a-w-   c:\windows\system32\win32k.sys
2012-08-15 11:16 . 2012-07-04 22:16   73216   ----a-w-   c:\windows\system32\netapi32.dll
2012-08-15 11:16 . 2012-07-04 22:13   59392   ----a-w-   c:\windows\system32\browcli.dll
2012-08-15 11:16 . 2012-07-04 22:13   136704   ----a-w-   c:\windows\system32\browser.dll
2012-08-15 11:16 . 2012-07-04 21:14   41984   ----a-w-   c:\windows\SysWow64\browcli.dll
2012-08-15 11:16 . 2012-05-14 05:26   956928   ----a-w-   c:\windows\system32\localspl.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 15:19 . 2012-07-17 07:58   696520   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-31 15:19 . 2011-07-27 03:34   73416   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 15:34 . 2012-03-02 03:11   62134624   ----a-w-   c:\windows\system32\MRT.exe
2012-06-09 05:43 . 2012-07-15 11:36   14172672   ----a-w-   c:\windows\system32\shell32.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-08-31_16.14.50   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-08-30 16:18   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-09-04 00:18   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-30 16:18   49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-04 00:18   49152              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2012-09-01 17:57   37154              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-12-09 13:49 . 2012-09-01 17:57   9424              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-383216099-2733633658-1331451555-1000_UserData.bin
- 2012-08-31 16:04 . 2012-08-31 16:04   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-01 17:55 . 2012-09-01 17:55   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-01 17:55 . 2012-09-01 17:55   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-31 16:04 . 2012-08-31 16:04   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2012-08-30 16:18   114688              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-09-04 00:18   114688              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-12-20 11:03 . 2012-09-02 22:17   262602              c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2011-12-20 01:08 . 2012-09-03 07:50   280664              c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-08-31 02:25   624412              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-01 22:13   624412              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-09-01 22:13   106756              c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-08-31 02:25   106756              c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-09-01 17:54   229488              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-31 16:03   229488              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-12-09 15:02 . 2012-09-01 17:54   65869404              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-383216099-2733633658-1331451555-1000-8192.dat
- 2011-12-09 15:02 . 2012-08-31 16:03   65869404              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-383216099-2733633658-1331451555-1000-8192.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightShot"="c:\users\Owner\AppData\Local\Skillbrains\lightshot\LightShot.exe" [2011-03-16 195072]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2012-02-23 6591800]
"ares"="c:\program files (x86)\Ares\Ares.exe" [2010-10-27 1015808]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-07-15 1938274]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2011-06-22 3218864]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2007-06-29 286720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-05-15 283200]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 GFNEXSrv;GFNEX Service;c:\windows\System32\GFNEXSrv.exe [2010-09-10 162824]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2011-07-06 145008]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 21:55]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-21 21:55]
.
2012-09-04 c:\windows\Tasks\update-S-1-5-21-383216099-2733633658-1331451555-1000.job
- c:\program files (x86)\Skillbrains\Updater\Updater.exe [2012-01-17 03:09]
.
2012-09-04 c:\windows\Tasks\update-sys.job
- c:\program files (x86)\Skillbrains\Updater\Updater.exe [2012-01-17 03:09]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50   22408   ----a-w-   c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-07 12558440]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-06-03 2226280]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
LSP: c:\windows\system32\idmmbc.dll
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\057jrvt7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - *Blocked Russian URL*/yandsearch?win=28&clid=1855511&text=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-383216099-2733633658-1331451555-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):d0,f3,8a,0c,25,a7,1c,03,dd,93,cf,d9,5a,f0,80,e4,85,ab,64,0d,03,
   6f,64,f9,29,c7,4a,38,bd,21,7a,93,af,87,be,1f,25,e9,12,34,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-383216099-2733633658-1331451555-1000_Classes\Wow6432Node\CLSID\{8b57a127-b7f1-400a-b4a2-69c783f20fcb}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000049
"Therad"=dword:00000015
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-04  14:12:47
ComboFix-quarantined-files.txt  2012-09-04 18:12
ComboFix2.txt  2012-08-31 16:17
.
Pre-Run: 310,964,260,864 bytes free
Post-Run: 310,539,313,152 bytes free
.
- - End Of File - - 294B07AB7B481582EBE8061E9733E77C
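The ComboFix log above lists, under "LOCKED REGISTRY KEYS", the FlashBroker class {A483C63A-CDBC-426E-BF93-872502E8144E} with an Elevation subkey whose Enabled value is 1 and a LocalServer32 pointing at FlashUtil11e_ActiveX.exe, plus the UAC policy values ConsentPromptBehaviorAdmin = 5 and ConsentPromptBehaviorUser = 3. An Elevation\Enabled = 1 registration is what allows a COM class to be launched elevated through the COM elevation moniker, and that launch is what produces a UAC consent prompt naming the server. The script below is an added example, not something from this thread or from ComboFix: it enumerates every CLSID (native and Wow6432Node) registered that way, resolves the server binary, checks its Authenticode signature, and prints the UAC policy values, so the Flash broker can be compared against anything unexpected in the same list. It is read-only and only uses built-in cmdlets and the .NET RegistryKey API.

```powershell
# Added example (not from the thread). Lists COM classes registered for UAC
# elevation (an "Elevation" subkey with Enabled = 1, as the FlashBroker CLSID
# is in the ComboFix log) with their server binary and signature status, then
# shows the UAC policy values. Read-only; Windows PowerShell 2.0+ on Win7 x64.

function Get-ElevatedComServer {
    # Both native and WOW6432Node registrations; the Flash entries are 32-bit.
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Get-ChildItem on the registry provider yields RegistryKey objects.
            $elev = $key.OpenSubKey('Elevation')
            if (-not $elev) { continue }
            if ($elev.GetValue('Enabled') -ne 1) { continue }

            # Elevated COM servers run out of process, so LocalServer32 is the binary.
            $srv = $key.OpenSubKey('LocalServer32')
            $cmd = if ($srv) { [string]$srv.GetValue('') } else { '' }

            # Strip a quoted path or trailing arguments, expand %SystemRoot% etc.
            $exe = $cmd
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            elseif ($cmd -match '^(\S+\.exe)') { $exe = $Matches[1] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $sigStatus = 'NoFile'
            $signer    = ''
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig       = Get-AuthenticodeSignature -FilePath $exe
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            New-Object PSObject -Property @{
                CLSID     = $key.PSChildName
                Name      = [string]$key.GetValue('')   # e.g. "FlashBroker"
                Server    = $exe
                Signature = $sigStatus                  # Valid / NotSigned / HashMismatch / NoFile
                Signer    = $signer
                Hive      = $root
            }
        }
    }
}

function Get-UacPolicy {
    $p = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # ConsentPromptBehaviorAdmin 5 = prompt for consent for non-Windows binaries
    # (the Windows 7 default and the value in the log); 0 would mean no prompt.
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

Get-ElevatedComServer | Sort-Object Signature, Name |
    Format-Table CLSID, Name, Signature, Signer, Server -AutoSize
Get-UacPolicy | Format-List
```

Anything in the first table whose Signature is not Valid, or whose Server lives outside Program Files or the Windows directory, deserves a closer look; a signed Adobe FlashUtil*_ActiveX.exe under SysWOW64\Macromed\Flash is the expected entry for the prompts described in this thread.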
Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: Dr Jay on September 05, 2012, 02:35:46 PM
ESET Online Scan
 
Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

Title: Re: A bunch of UAC popups from fpdownload.macromedia.com/get/shockwave
Post by: goodie2010 on September 06, 2012, 11:11:22 AM
Thanks JMJ, no threats were found, computer seems to running so/so i have over 80% of 500gb free, 4gb of ram but my when having say 10 tabs open in firefox at once my computer starts acting crazy.Multi tabs is how i've been doing things for years since i switched to firefox.  When I first got this laptop to test things, i recall having 23 tabs open at once before i saw memory issues, so now i dont understand why it can't handle pages.  youtube videos buffer during the videos several times with no other tabs open, pictures on sites seem slightly off sync to but that .  I don't think its a virus but you asked for a summary. thx