Solved My Win7 Toshiba Has Win32/OpenCandy Application

April 28, 2013 at 07:51:18
Specs: Windows 7
I ran ESET and Win32/OpenCandy (2 instances) were found by the scan. It quarantined/cleaned the files and I had them deleted. Here is that info:

C:\Users\Indy\Downloads\KeyFinderInstaller.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\VTRoot\HarddiskVolume2\Users\Indy\AppData\Local\Temp\is-EE7GI.tmp\OCSetupHlp.dll Win32/OpenCandy application cleaned by deleting - quarantined

I then ran defogger and combofix and then restarted the computer. When it came back up I could not connect to the internet. I ran the troubleshooter and it found DHCP had been turned off. I ran the Windows fix and now I am obviously back and connected.

I decided to run for two reasons... I am working on another laptop and there is already an open ticket here for that, and 2nd I just recently lost connection to my slingbox in the USA and that made me suspicious. I had my brother reset the box over there, which usually does the trick, but this time I continue to not be able to connect. Not sure whether the viruses are hampering this or not, but it was one reason for checking for malware.

Combofix:

ComboFix 13-04-27.04 - Indy 04/28/2013 21:22:09.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.1779 [GMT 7:00]
Running from: c:\users\Indy\Downloads\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Indy\AppData\Local\assembly\tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-03-28 to 2013-04-28 )))))))))))))))))))))))))))))))
.
.
2013-04-28 14:28 . 2013-04-28 14:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-27 18:32 . 2013-04-27 18:32 -------- d-----w- c:\users\Indy\AppData\Local\SWTORPerf
2013-04-27 17:54 . 2008-05-30 07:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2013-04-27 17:53 . 2013-04-27 17:53 -------- d-----w- c:\program files\Common Files\BioWare
2013-04-27 17:53 . 2013-04-27 17:53 -------- d-----w- c:\program files\Electronic Arts
2013-04-27 17:53 . 2013-04-27 17:53 -------- d-----w- c:\users\hedev
2013-04-27 17:27 . 2013-04-28 14:28 -------- d-----w- c:\users\Indy\AppData\Local\PMB Files
2013-04-27 17:27 . 2013-04-27 17:28 -------- d-----w- c:\programdata\PMB Files
2013-04-27 17:26 . 2013-04-27 17:26 -------- d-----w- c:\program files\Pando Networks
2013-04-27 17:04 . 2013-04-27 17:04 -------- d-----w- c:\program files\Common Files\Java
2013-04-27 17:04 . 2013-04-27 17:04 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-27 17:04 . 2013-04-27 17:04 -------- d-----w- c:\program files\Java
2013-04-27 16:35 . 2013-04-27 16:35 -------- d-----w- c:\users\Indy\.swt
2013-04-27 16:35 . 2013-04-27 16:35 -------- d-----w- c:\programdata\Caphyon
2013-04-27 16:35 . 2013-04-27 16:35 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2013-04-27 16:34 . 2013-04-27 16:34 -------- d-----w- c:\program files\spotflux
2013-04-27 16:33 . 2013-04-28 12:23 -------- d-----w- c:\users\Indy\AppData\Roaming\.spotflux
2013-04-27 16:33 . 2013-04-27 16:33 -------- d-----w- c:\users\Indy\AppData\Roaming\Spotflux
2013-04-27 16:26 . 2013-04-27 16:39 -------- d-----w- c:\programdata\HappyCloud
2013-04-26 13:40 . 2013-04-26 13:40 -------- d-----w- C:\VTRoot
2013-04-26 13:40 . 2013-04-27 15:05 12282 ----a-w- c:\windows\system32\drivers\fvstore.dat
2013-04-26 03:08 . 2011-05-30 13:42 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2013-04-26 03:08 . 2011-05-23 09:52 153088 ----a-w- c:\windows\system32\xvid.ax
2013-04-26 03:08 . 2011-05-23 07:46 645632 ----a-w- c:\windows\system32\xvidcore.dll
2013-04-26 03:08 . 2013-04-26 03:08 -------- d-----w- c:\program files\Xvid
2013-04-25 14:39 . 2013-04-25 14:39 -------- d-----w- c:\program files\ESET
2013-04-25 09:02 . 2013-04-25 09:02 -------- d-----w- c:\program files\Common Files\Skype
2013-04-25 04:57 . 2013-04-12 13:45 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-25 00:39 . 2013-04-25 00:39 -------- d-----w- c:\programdata\TechSmith
2013-04-24 12:16 . 2013-04-24 12:16 -------- d-----w- c:\programdata\Shared Space
2013-04-24 08:41 . 2013-04-24 08:42 -------- d-----w- c:\programdata\Comodo
2013-04-24 08:41 . 2013-04-24 08:41 -------- d-----w- c:\programdata\Comodo Downloader
2013-04-24 08:40 . 2013-04-24 08:40 -------- d-----w- c:\program files\COMODO
2013-04-21 08:05 . 2013-04-21 08:05 -------- d-----w- c:\program files\MSECache
2013-04-17 12:23 . 2013-04-17 12:23 -------- d-----w- c:\users\Indy\AppData\Local\Opera
2013-04-17 12:22 . 2013-04-17 12:23 -------- d-----w- c:\program files\Opera
2013-04-16 03:53 . 2013-04-16 03:54 -------- d-----w- c:\windows\system32\Adobe
2013-04-12 13:29 . 2013-04-12 17:03 -------- d-----w- c:\users\Indy\AppData\Roaming\Audacity
2013-04-12 13:29 . 2013-04-12 13:29 -------- d-----w- c:\program files\Audacity
2013-04-10 08:19 . 2013-03-01 03:09 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-04-10 08:19 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-10 08:19 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 08:19 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 08:19 . 2013-03-19 04:48 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 08:19 . 2013-03-19 02:49 69632 ----a-w- c:\windows\system32\smss.exe
2013-04-10 08:15 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 08:15 . 2013-02-15 04:34 131584 ----a-w- c:\windows\system32\aaclient.dll
2013-04-10 08:15 . 2013-02-15 03:25 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-04-08 10:19 . 2013-04-08 12:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2013-04-04 11:31 . 2013-04-04 11:31 -------- d-----w- c:\users\Indy\AppData\Roaming\Barnes & Noble
2013-04-04 11:31 . 2013-04-04 11:31 -------- d-----w- c:\program files\Barnes & Noble
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-27 17:04 . 2013-02-25 06:47 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-27 17:04 . 2013-02-25 06:47 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-18 17:02 . 2013-01-16 12:51 84928 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-04-15 17:38 . 2013-01-16 12:51 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-04-15 17:38 . 2013-01-16 12:51 581912 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-04-15 17:38 . 2013-01-16 12:51 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-04-15 17:38 . 2013-01-24 15:43 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-04-15 17:38 . 2013-01-24 15:43 348584 ----a-w- c:\windows\system32\guard32.dll
2013-04-15 17:38 . 2013-01-24 15:42 276688 ----a-w- c:\windows\system32\cmdvrt32.dll
2013-04-15 17:38 . 2013-01-24 15:42 40656 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-04-04 07:50 . 2013-02-23 08:23 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-13 03:14 . 2013-03-13 03:14 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CB52173F-C9FF-474C-878D-C94B666C8217}\offreg.dll
2013-03-08 14:00 . 2013-03-08 13:57 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 14:00 . 2013-03-08 13:57 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-07 05:21 . 2013-03-07 05:21 33160 ----a-w- c:\windows\system32\drivers\tapSF0901.sys
2013-02-14 19:48 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2013-02-14 17:43 . 2013-02-14 17:43 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-02-14 17:43 . 2013-02-14 17:43 161792 ----a-w- c:\windows\system32\msls31.dll
2013-02-14 17:43 . 2013-02-14 17:43 86528 ----a-w- c:\windows\system32\iesysprep.dll
2013-02-14 17:43 . 2013-02-14 17:43 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-02-14 17:43 . 2013-02-14 17:43 74752 ----a-w- c:\windows\system32\iesetup.dll
2013-02-14 17:43 . 2013-02-14 17:43 63488 ----a-w- c:\windows\system32\tdc.ocx
2013-02-14 17:43 . 2013-02-14 17:43 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-02-14 17:43 . 2013-02-14 17:43 367104 ----a-w- c:\windows\system32\html.iec
2013-02-14 17:43 . 2013-02-14 17:43 35840 ----a-w- c:\windows\system32\imgutil.dll
2013-02-14 17:43 . 2013-02-14 17:43 23552 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-14 17:43 . 2013-02-14 17:43 152064 ----a-w- c:\windows\system32\wextract.exe
2013-02-14 17:43 . 2013-02-14 17:43 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-02-14 17:43 . 2013-02-14 17:43 11776 ----a-w- c:\windows\system32\mshta.exe
2013-02-14 17:43 . 2013-02-14 17:43 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-02-14 17:43 . 2013-02-14 17:43 101888 ----a-w- c:\windows\system32\admparse.dll
2013-02-14 16:50 . 2013-02-14 16:50 16 --sh--r- c:\windows\system32\drivers\fbd.sys
2013-02-12 04:48 . 2013-03-13 02:20 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 02:20 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32 . 2013-03-22 06:40 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 00:45 . 2013-03-13 02:18 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CB52173F-C9FF-474C-878D-C94B666C8217}\mpengine.dll
2013-04-12 09:07 . 2013-04-12 09:07 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-02-27 07:48 220632 ----a-w- c:\users\Indy\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-02-27 07:48 220632 ----a-w- c:\users\Indy\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-02-27 07:48 220632 ----a-w- c:\users\Indy\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2013-04-27 4284976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-04-15 3012816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2009-08-05 22:04 738616 ----a-w- c:\program files\TOSHIBA\FlashCards\TCrdMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyTOSHIBA]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonOnlineBackupReminder]
2009-07-16 19:04 529256 ----a-w- c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2009-07-28 22:00 460088 ----a-w- c:\program files\TOSHIBA\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Teco]
2009-08-12 00:09 1324384 ----a-w- c:\program files\TOSHIBA\TECO\TEco.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
2009-08-17 18:48 1294136 ----a-w- c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosSENotify]
2009-08-04 01:17 611672 ----a-w- c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosWaitSrv]
2009-08-07 01:05 611672 ----a-w- c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2009-08-21 17:29 476512 ----a-w- c:\program files\TOSHIBA\Power Saver\TPwrMain.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 tapSF0901;Spotflux TAP Device Driver;c:\windows\system32\DRIVERS\tapSF0901.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-08 14:00]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 44.0.0.253 44.0.0.3 44.0.0.4 8.8.8.8
TCP: Interfaces\{DDEB6388-A067-4BC4-BCE4-FD02039AADFE}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Indy\AppData\Roaming\Mozilla\Firefox\Profiles\976omnfo.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - ExtSQL: 2013-04-27 23:20; {9EB34849-81D3-4841-939D-666D522B889A}; c:\users\Indy\AppData\Roaming\Mozilla\Firefox\Profiles\976omnfo.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(588)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(7960)
c:\windows\system32\guard32.dll
.
Completion time: 2013-04-28 21:31:00
ComboFix-quarantined-files.txt 2013-04-28 14:31
.
Pre-Run: 265,746,743,296 bytes free
Post-Run: 265,774,809,088 bytes free
.
- - End Of File - - D670BE0E0BAC85FFEF9FAD5DA4297B2E


✔ Best Answer
April 30, 2013 at 22:47:10
Nice work, I was going to suggest checking all your startups & Updaters.

Open CCleaner > Tools > Startup, click on each tab & you will be able to change anything in there.

These are what I spotted from your logs.

Programs that update in the background.
Comodo, Skype, Flash Player, Windows Defender, Xvid.
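The Best Answer picks the background updaters out of the ComboFix log by eye. As an added example (not code from this thread or from any of the tools it mentions), the Python below parses the "Reg Loading Points" Run entries and the service list from the ComboFix excerpt quoted earlier in the thread and tags each autostart with three simple heuristics: an updater-like name or path, a per-user (HKCU) Run location, which any process running as the user can write without admin rights, and an executable living in a user-writable directory such as AppData, Temp or Downloads, which is where the two ESET detections in the opening post sat. The keyword list, the tag names and the final "ConstructedExample" line are assumptions; the heuristic is narrower than the helper's list (it does not catch Comodo's own tray process, for instance), so it is a triage aid, not a verdict.

```python
import re

# Sample input: lines copied from the ComboFix log posted earlier in this thread
# ("Reg Loading Points" Run keys and the service list), plus one CONSTRUCTED entry
# at the end so the user-writable-location check has something to fire on.
COMBOFIX_EXCERPT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2013-04-27 4284976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-04-15 3012816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
S3 tapSF0901;Spotflux TAP Device Driver;c:\windows\system32\DRIVERS\tapSF0901.sys [x]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConstructedExample"="c:\users\Indy\AppData\Local\Temp\example-placeholder.exe" [2013-04-28 1024]
"""

# ComboFix line shapes: a registry section header, a Run value, and a service/driver line.
SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[x\]$")

# Assumed heuristics: substrings that usually mark an auto-updater, and path fragments
# that sit in directories a normal user (or anything running as that user) can write to.
UPDATER_HINTS = ("update", "jusched", "adobearm")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.IGNORECASE)


def parse_autostarts(text):
    """Return a list of {kind, location, name, path} dicts for Run values and services."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses a lone "." as a spacer
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and section and section.lower().endswith("\\run"):
            entries.append({"kind": "run", "location": section,
                            "name": m.group("name"), "path": m.group("path")})
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append({"kind": "service", "location": m.group("start"),
                            "name": m.group("name"), "path": m.group("path")})
    return entries


def classify(entry):
    """Tag one autostart entry; an empty set means none of the heuristics matched."""
    tags = set()
    haystack = (entry["name"] + " " + entry["path"]).lower()
    if any(hint in haystack for hint in UPDATER_HINTS):
        tags.add("updater")
    if USER_WRITABLE.search(entry["path"]):
        tags.add("user-writable-location")
    if entry["kind"] == "run" and entry["location"].startswith("HKEY_CURRENT_USER"):
        tags.add("per-user")
    return tags


def flagged_entries(text):
    """Map each autostart name to its tag set (untagged entries are kept with an empty set)."""
    return {e["name"]: classify(e) for e in parse_autostarts(text)}


if __name__ == "__main__":
    for name, tags in flagged_entries(COMBOFIX_EXCERPT).items():
        print(f"{name:28s} {', '.join(sorted(tags)) or '-'}")
```

Running the script prints one line per autostart with its tags; the "updater" entries are the ones to review in CCleaner's Startup tab as the Best Answer suggests, while anything tagged "user-writable-location" deserves a closer look regardless of name, because that is where downloaded installers and their helper DLLs (like the two ESET quarantined) end up.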



#1
April 28, 2013 at 07:54:08
Ok, give me a minute & I will advise further.

#2
April 28, 2013 at 07:56:15
1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
An introduction as to what this program does.
http://www.bleepingcomputer.com/for...
For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt. Let me know if it doesn't produce a log please.

2: Reboot

3: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

4: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. http://www.bleepingcomputer.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.


#3
April 28, 2013 at 08:35:05
I did unhide and here is adware:

# AdwCleaner v2.202 - Logfile created 04/28/2013 at 22:29:48
# Updated 23/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Indy - INDYSHIBA
# Boot Mode : Normal
# Running from : C:\Users\Indy\AppData\Local\Opera\Opera\temporary_downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Partner

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Indy\AppData\Roaming\Mozilla\Firefox\Profiles\976omnfo.default\prefs.js

[OK] File is clean.

-\\ Chromium v24.0.1350.0

File : C:\Users\Indy\AppData\Local\Chromium\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.15.1748.0

File : C:\Users\Indy\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1336 octets] - [28/04/2013 22:28:05]
AdwCleaner[S1].txt - [1275 octets] - [28/04/2013 22:29:48]

########## EOF - C:\AdwCleaner[S1].txt - [1335 octets] ##########


#4
April 28, 2013 at 08:41:57
"When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt. Let me know if it doesn't produce a log please"

Answer please.


#5
April 28, 2013 at 08:44:04
Junkware:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.1 (04.27.2013:1)
OS: Windows 7 Home Premium x86
Ran by Indy on Sun 04/28/2013 at 22:38:56.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\windows\system32\ai_recyclebin"

~~~ FireFox

Emptied folder: C:\Users\Indy\AppData\Roaming\mozilla\firefox\profiles\976omnfo.default\minidumps [25 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 04/28/2013 at 22:42:51.86
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#6
April 28, 2013 at 08:45:38
Unhide created a text file on the desktop.

#7
April 28, 2013 at 08:47:19
Post the info in that text file.

#8
April 28, 2013 at 08:47:39
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 04/28/2013 10:07:02 PM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 127437 files processed.

The C:\Users\Indy\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 04/28/2013 10:09:09 PM
Execution time: 0 hours(s), 2 minute(s), and 6 seconds(s)


#9
April 28, 2013 at 08:50:15
FYI... slingbox issue is unrelated to this. It is a hardware issue. The slingbox apparently died.

#10
April 28, 2013 at 08:56:40
Ok, I would run all your programs again, update them before using.

Uninstall Combofix (another new version has just been released) & run again.

It's always best to run everything again, to make sure all the deletions stuck. With a bit of luck, we will get clean logs.

Same applies for the other comp, if you get clean logs, run TFC.

http://www.geekstogo.com/forum/file...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

I'm going to bed now, catch you later.


#11
April 28, 2013 at 09:34:00
Okay, have a good night. I ran RogueKiller and it found several items on Toshi as well...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Indy [Admin rights]
Mode : Remove -- Date : 04/28/2013 23:32:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320325AS ATA Device +++++
--- User ---
[MBR] 614046c0c6081d43eb4887f31ca0d874
[BSP] e58067dc9dfe83a00a047cdc68f4fff3 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 295636 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 608536576 | Size: 8108 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04282013_02d2332.txt >>
RKreport[1]_S_04282013_02d2331.txt ; RKreport[2]_D_04282013_02d2332.txt


#12
April 28, 2013 at 17:42:09
This applies to both comps, assuming you have run ALL the programs again, let's see if any offending programs remain.

Run ESET again please.
1: Click the Start button.
2: Accept any security warnings from your browser.
3: Under scan settings, check "Scan Archives" and "Remove found threats"
4: Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology
5: ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
6: When the scan completes, click List Threats.
7: Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
8: Click the Back button.
9: Click the Finish button.


#13
April 28, 2013 at 21:32:04
defogger/combofix:

ComboFix 13-04-28.01 - Indy 04/29/2013 11:22:23.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2812.2126 [GMT 7:00]
Running from: c:\users\Indy\Downloads\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2013-03-28 to 2013-04-29 )))))))))))))))))))))))))))))))
.
.
2013-04-29 04:29 . 2013-04-29 04:29 -------- d-----w- c:\users\Indy\AppData\Local\temp
2013-04-29 04:29 . 2013-04-29 04:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-28 15:38 . 2013-04-28 15:38 -------- d-----w- c:\windows\ERUNT
2013-04-28 15:38 . 2013-04-28 15:38 -------- d-----w- C:\JRT
2013-04-27 18:32 . 2013-04-27 18:32 -------- d-----w- c:\users\Indy\AppData\Local\SWTORPerf
2013-04-27 17:54 . 2008-05-30 07:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2013-04-27 17:53 . 2013-04-27 17:53 -------- d-----w- c:\program files\Common Files\BioWare
2013-04-27 17:53 . 2013-04-27 17:53 -------- d-----w- c:\program files\Electronic Arts
2013-04-27 17:53 . 2013-04-27 17:53 -------- d-----w- c:\users\hedev
2013-04-27 17:27 . 2013-04-29 04:28 -------- d-----w- c:\users\Indy\AppData\Local\PMB Files
2013-04-27 17:27 . 2013-04-27 17:28 -------- d-----w- c:\programdata\PMB Files
2013-04-27 17:26 . 2013-04-27 17:26 -------- d-----w- c:\program files\Pando Networks
2013-04-27 17:04 . 2013-04-27 17:04 -------- d-----w- c:\program files\Common Files\Java
2013-04-27 17:04 . 2013-04-27 17:04 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-27 17:04 . 2013-04-27 17:04 -------- d-----w- c:\program files\Java
2013-04-27 16:35 . 2013-04-27 16:35 -------- d-----w- c:\users\Indy\.swt
2013-04-27 16:35 . 2013-04-27 16:35 -------- d-----w- c:\programdata\Caphyon
2013-04-27 16:34 . 2013-04-27 16:34 -------- d-----w- c:\program files\spotflux
2013-04-27 16:33 . 2013-04-28 12:23 -------- d-----w- c:\users\Indy\AppData\Roaming\.spotflux
2013-04-27 16:33 . 2013-04-27 16:33 -------- d-----w- c:\users\Indy\AppData\Roaming\Spotflux
2013-04-27 16:26 . 2013-04-27 16:39 -------- d-----w- c:\programdata\HappyCloud
2013-04-26 13:40 . 2013-04-26 13:40 -------- d-----w- C:\VTRoot
2013-04-26 13:40 . 2013-04-27 15:05 12282 ----a-w- c:\windows\system32\drivers\fvstore.dat
2013-04-26 03:08 . 2011-05-30 13:42 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2013-04-26 03:08 . 2011-05-23 09:52 153088 ----a-w- c:\windows\system32\xvid.ax
2013-04-26 03:08 . 2011-05-23 07:46 645632 ----a-w- c:\windows\system32\xvidcore.dll
2013-04-26 03:08 . 2013-04-26 03:08 -------- d-----w- c:\program files\Xvid
2013-04-25 14:39 . 2013-04-25 14:39 -------- d-----w- c:\program files\ESET
2013-04-25 09:02 . 2013-04-25 09:02 -------- d-----w- c:\program files\Common Files\Skype
2013-04-25 04:57 . 2013-04-12 13:45 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-25 00:39 . 2013-04-25 00:39 -------- d-----w- c:\programdata\TechSmith
2013-04-24 12:16 . 2013-04-24 12:16 -------- d-----w- c:\programdata\Shared Space
2013-04-24 08:41 . 2013-04-24 08:42 -------- d-----w- c:\programdata\Comodo
2013-04-24 08:41 . 2013-04-24 08:41 -------- d-----w- c:\programdata\Comodo Downloader
2013-04-24 08:40 . 2013-04-24 08:40 -------- d-----w- c:\program files\COMODO
2013-04-21 08:05 . 2013-04-21 08:05 -------- d-----w- c:\program files\MSECache
2013-04-17 12:23 . 2013-04-17 12:23 -------- d-----w- c:\users\Indy\AppData\Local\Opera
2013-04-17 12:22 . 2013-04-17 12:23 -------- d-----w- c:\program files\Opera
2013-04-16 03:53 . 2013-04-16 03:54 -------- d-----w- c:\windows\system32\Adobe
2013-04-12 13:29 . 2013-04-12 17:03 -------- d-----w- c:\users\Indy\AppData\Roaming\Audacity
2013-04-12 13:29 . 2013-04-12 13:29 -------- d-----w- c:\program files\Audacity
2013-04-10 08:19 . 2013-03-01 03:09 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-04-10 08:19 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-10 08:19 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 08:19 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 08:19 . 2013-03-19 04:48 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 08:19 . 2013-03-19 02:49 69632 ----a-w- c:\windows\system32\smss.exe
2013-04-10 08:15 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 08:15 . 2013-02-15 04:34 131584 ----a-w- c:\windows\system32\aaclient.dll
2013-04-10 08:15 . 2013-02-15 03:25 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-04-08 10:19 . 2013-04-08 12:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2013-04-04 11:31 . 2013-04-04 11:31 -------- d-----w- c:\users\Indy\AppData\Roaming\Barnes & Noble
2013-04-04 11:31 . 2013-04-04 11:31 -------- d-----w- c:\program files\Barnes & Noble
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-27 17:04 . 2013-02-25 06:47 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-27 17:04 . 2013-02-25 06:47 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-25 10:05 . 2013-01-16 12:51 84928 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-04-23 14:04 . 2013-01-24 15:43 348048 ----a-w- c:\windows\system32\guard32.dll
2013-04-15 17:38 . 2013-01-16 12:51 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-04-15 17:38 . 2013-01-16 12:51 581912 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-04-15 17:38 . 2013-01-16 12:51 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-04-15 17:38 . 2013-01-24 15:43 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-04-15 17:38 . 2013-01-24 15:42 276688 ----a-w- c:\windows\system32\cmdvrt32.dll
2013-04-15 17:38 . 2013-01-24 15:42 40656 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-04-04 07:50 . 2013-02-23 08:23 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-13 03:14 . 2013-03-13 03:14 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CB52173F-C9FF-474C-878D-C94B666C8217}\offreg.dll
2013-03-08 14:00 . 2013-03-08 13:57 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-08 14:00 . 2013-03-08 13:57 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-07 05:21 . 2013-03-07 05:21 33160 ----a-w- c:\windows\system32\drivers\tapSF0901.sys
2013-02-14 19:48 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2013-02-14 17:43 . 2013-02-14 17:43 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-02-14 17:43 . 2013-02-14 17:43 161792 ----a-w- c:\windows\system32\msls31.dll
2013-02-14 17:43 . 2013-02-14 17:43 86528 ----a-w- c:\windows\system32\iesysprep.dll
2013-02-14 17:43 . 2013-02-14 17:43 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-02-14 17:43 . 2013-02-14 17:43 74752 ----a-w- c:\windows\system32\iesetup.dll
2013-02-14 17:43 . 2013-02-14 17:43 63488 ----a-w- c:\windows\system32\tdc.ocx
2013-02-14 17:43 . 2013-02-14 17:43 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-02-14 17:43 . 2013-02-14 17:43 367104 ----a-w- c:\windows\system32\html.iec
2013-02-14 17:43 . 2013-02-14 17:43 35840 ----a-w- c:\windows\system32\imgutil.dll
2013-02-14 17:43 . 2013-02-14 17:43 23552 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-14 17:43 . 2013-02-14 17:43 152064 ----a-w- c:\windows\system32\wextract.exe
2013-02-14 17:43 . 2013-02-14 17:43 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-02-14 17:43 . 2013-02-14 17:43 11776 ----a-w- c:\windows\system32\mshta.exe
2013-02-14 17:43 . 2013-02-14 17:43 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-02-14 17:43 . 2013-02-14 17:43 101888 ----a-w- c:\windows\system32\admparse.dll
2013-02-14 16:50 . 2013-02-14 16:50 16 --sh--r- c:\windows\system32\drivers\fbd.sys
2013-02-12 04:48 . 2013-03-13 02:20 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 02:20 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32 . 2013-03-22 06:40 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 00:45 . 2013-03-13 02:18 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CB52173F-C9FF-474C-878D-C94B666C8217}\mpengine.dll
2013-04-12 09:07 . 2013-04-12 09:07 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-02-27 07:48 220632 ----a-w- c:\users\Indy\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-02-27 07:48 220632 ----a-w- c:\users\Indy\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-02-27 07:48 220632 ----a-w- c:\users\Indy\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2013-04-27 4284976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-04-15 3012816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2009-08-05 22:04 738616 ----a-w- c:\program files\TOSHIBA\FlashCards\TCrdMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyTOSHIBA]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonOnlineBackupReminder]
2009-07-16 19:04 529256 ----a-w- c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2009-07-28 22:00 460088 ----a-w- c:\program files\TOSHIBA\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Teco]
2009-08-12 00:09 1324384 ----a-w- c:\program files\TOSHIBA\TECO\TEco.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
2009-08-17 18:48 1294136 ----a-w- c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosSENotify]
2009-08-04 01:17 611672 ----a-w- c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosWaitSrv]
2009-08-07 01:05 611672 ----a-w- c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPwrMain]
2009-08-21 17:29 476512 ----a-w- c:\program files\TOSHIBA\Power Saver\TPwrMain.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 tapSF0901;Spotflux TAP Device Driver;c:\windows\system32\DRIVERS\tapSF0901.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-08 14:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{DDEB6388-A067-4BC4-BCE4-FD02039AADFE}: DhcpNameServer = 10.0.1.1
FF - ProfilePath - c:\users\Indy\AppData\Roaming\Mozilla\Firefox\Profiles\976omnfo.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - ExtSQL: 2013-04-27 23:20; {9EB34849-81D3-4841-939D-666D522B889A}; c:\users\Indy\AppData\Roaming\Mozilla\Firefox\Profiles\976omnfo.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(588)
c:\windows\system32\guard32.dll
.
Completion time: 2013-04-29 11:31:13
ComboFix-quarantined-files.txt 2013-04-29 04:31
ComboFix2.txt 2013-04-28 14:31
.
Pre-Run: 274,529,284,096 bytes free
Post-Run: 274,528,149,504 bytes free
.
- - End Of File - - 470CEAF87804FE65B071BD42838DA0B0



#14
April 28, 2013 at 21:34:17
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 04/29/2013 11:32:49 AM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 125086 files processed.

The C:\Users\Indy\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Program finished at: 04/29/2013 11:33:51 AM
Execution time: 0 hours(s), 1 minute(s), and 1 seconds(s)



#15
April 28, 2013 at 21:39:14
Post #13
Found one bad file.

Post #14
Clean



#16
April 28, 2013 at 21:39:37
# AdwCleaner v2.300 - Logfile created 04/29/2013 at 11:35:43
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Indy - INDYSHIBA
# Boot Mode : Normal
# Running from : C:\Users\Indy\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Indy\AppData\Roaming\Mozilla\Firefox\Profiles\976omnfo.default\prefs.js

[OK] File is clean.

-\\ Chromium v24.0.1350.0

File : C:\Users\Indy\AppData\Local\Chromium\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.15.1748.0

File : C:\Users\Indy\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1336 octets] - [28/04/2013 22:28:05]
AdwCleaner[S1].txt - [1404 octets] - [28/04/2013 22:29:48]
AdwCleaner[S2].txt - [1169 octets] - [29/04/2013 11:35:43]

########## EOF - C:\AdwCleaner[S2].txt - [1229 octets] ##########



#17
April 28, 2013 at 21:48:48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.1 (04.27.2013:1)
OS: Windows 7 Home Premium x86
Ran by Indy on Mon 04/29/2013 at 11:44:21.14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 04/29/2013 at 11:48:20.50
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#18
April 28, 2013 at 21:53:51
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Indy [Admin rights]
Mode : Remove -- Date : 04/29/2013 11:52:42
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320325AS ATA Device +++++
--- User ---
[MBR] 614046c0c6081d43eb4887f31ca0d874
[BSP] e58067dc9dfe83a00a047cdc68f4fff3 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 295636 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 608536576 | Size: 8108 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04292013_02d1152.txt >>
RKreport[1]_S_04292013_02d1151.txt ; RKreport[2]_D_04292013_02d1152.txt



#19
April 28, 2013 at 21:55:06
I need to take a break now... eat and write a short essay for my class. I'll be back in a couple hours.


#20
April 28, 2013 at 22:22:31
Post #16
One deletion.
#17
3 deletions
#18
Ok.

We are getting there, bit by bit.



#21
April 28, 2013 at 22:40:57
I have ESET running.... takes a couple hours.


#22
April 28, 2013 at 23:47:42
ESET returned with no infections.


#23
April 28, 2013 at 23:56:54
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.29.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Indy :: INDYSHIBA [administrator]

4/29/2013 1:50:00 PM
mbam-log-2013-04-29 (13-50-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218494
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#24
April 29, 2013 at 00:01:28
Comodo reports zero threats.


#25
April 29, 2013 at 00:03:48
Run ESET again as per post #12


#26
April 29, 2013 at 00:33:21
Strange... ESET seems stuck at 46% on the same target file now for several minutes. Maybe I should restart?


#27
April 29, 2013 at 00:34:16
Nevermind... it is moving again.


#28
April 29, 2013 at 01:14:51
ESET returned zero threats.


#29
April 29, 2013 at 01:27:38
I think we are done. Any glitches/slowness, browser problems?



#30
April 29, 2013 at 01:28:53
Nope. Not that I have noticed. Thanks for your help.


#31
April 29, 2013 at 01:31:50
Very good, I have to go out in just over an hour, should work out just right for the other comp as well.


#32
April 30, 2013 at 03:57:57
I do have situations when I load one of my browsers (which has numerous tabs from a previous session) and it freezes the browser, and essentially Windows Explorer is either frozen or moving slowly. I've just put up with it, but now I wonder if that is an indication of a problem. You should know that I frequently run a number of apps such as slingbox to watch tv and 2 or 3 browsers each with 5 or more tabs. So I put a heavy toll on memory and cpu. Let me know what you think. Thanks.


#33
April 30, 2013 at 04:24:56
Have you run the Wise programs?

How much memory/ram do you have?

Is Firefox the same?



#34
April 30, 2013 at 05:28:24
I had not, but now have run them. I noticed that the icons on the desktop at startup are there now, as opposed to slowly blinking into recognition, after running those programs.

I was going to do the screen capture thing of my system window, but apparently it doesn't work well with Opera browser. Here are the computer details:

Toshiba Satellite L505D

AMD Athlon II Dual-core M300 2.0 GHZ

3.0 GB (2.75 GB usable) Memory

I do not remember if FF has done it, but Opera does it a lot. I use Opera, FF and SRWARE IRON. I think all three have shown signs of freezing from time to time... Opera is most fresh in the memory.



#35
April 30, 2013 at 05:31:29
Ok, shall now do a bit of digging & thinking.

Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after the scan is completed. It will be called checkup.txt; please copy and paste the contents into your reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.



#36
April 30, 2013 at 05:31:45
Use Snipping Tool to capture screen shots in windows 7
http://www.7tutorials.com/how-use-s...
http://www.windows7home.net/use-sni...
In Windows 7, you can use Snipping Tool to capture a screen shot, or snip, of any object on your screen, and then annotate, save, or share this image.
Snipping Tool supports the following types of snips:
* Free-form Snip. Draw a free-form shape around an object.
* Rectangular Snip. Drag the cursor around an object to form a rectangle.
* Window Snip. Select a window, such as a browser window or dialog box, that you want to capture.
* Full-screen Snip. Capture the entire screen.
After you capture a snip, it's automatically copied to the Clipboard and the mark-up window. From the mark-up window, you can annotate, save, or share the snip. The following procedures explain how to use Snipping Tool.
Below is an example of how to capture a snip of a menu:
1. Go to Start (the Orb), type snipping in the search field, then click Snipping Tool.
2. After you open Snipping Tool, press Esc, and then open the menu that you want to capture.
3. Press Ctrl+PrtScn.
4. Click the arrow next to the New button, select Free-form Snip, Rectangular Snip, Window Snip, or Full-screen Snip from the list, and then select the area of your screen that you want to capture.
5. Annotate and save this snip.


#37
April 30, 2013 at 05:41:49
Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Windows Firewall Disabled!
COMODO Antivirus
Antivirus up to date!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Wise Disk Cleaner 7.81
Wise Registry Cleaner 7.68
Java 7 Update 21
Adobe Flash Player 11.7.700.169
Adobe Reader XI
Mozilla Firefox (20.0.1)
Mozilla Thunderbird (17.0.5)
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Comodo Firewall cmdagent.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 3%
[b][u]````````````````````End of Log``````````````````````[/b][/u]


#38
April 30, 2013 at 05:47:16
"You should know that I frequently run a number of apps such as slingbox to watch tv and 2 or 3 browsers each with 5 or more tabs. So I put a heavy toll on memory and cpu. Let me know what you think"
Next time you have this happen, open Task Manager > Processes & get a screenshot (SS) of what is using all of your CPU. Use the scroll bar to look at all of them.
Reap the benefits of Windows 7's Task Manager
http://www.techrepublic.com/blog/wi...


#39
April 30, 2013 at 06:06:42
Okay, I will do that. When I have looked before the big resource hogs were FF at 250,000-300,000, Opera 250,000 and Iron is hard to estimate because each window gets its own line, but I would put it up there. However, I look at the memory available and it shows approximately half available. If it happens again, I'll try to capture it.


#40
April 30, 2013 at 06:15:05
"250,000-300,000"
I'm more interested in the CPU %.


#41
April 30, 2013 at 06:32:03
When I do capture a snippet how do I add to this log?



#43
April 30, 2013 at 06:58:59
Going to bed now.

This also will help find a culprit of high CPU.

Process Hacker
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://processhacker.sourceforge.net/
http://sourceforge.net/projects/pro...
The System Information screen is one of the goodies that impressed us the most during our test as it provides a detailed report concerning the computer, including valuable data regarding physical memory, CPU usage, network traffic and many more.



#44
April 30, 2013 at 08:22:22
The highest user is System Idle Process, which with nothing else running is in the 95+ range. I read that this process is looking for work and that it is a good thing. I also read somewhere that the file ntkrnlpa.exe runs in the background, and that is correct; it is running evenly split on each of the cores (I'm guessing).

The history on this laptop may shed some light. I spilled beer on it... about half a glass some time ago. I cleaned it up and found the HD unusable, but the bios etc. was starting up. I got a new HD which failed (I assumed because it was bad). They replaced that HD and that is what I have now. It started right up with loading windows etc. no problems. The keyboard failed as well and I replaced that. The fan stopped once, but I got it going again and it has not stopped working. It is very hot here and I do not have a/c to keep the room cool... so the computer runs hot during the day. I have fans running that are directly on the computer and that helps. I downloaded a heat program a while ago and checked it and it was quite hot... I don't remember the number now, and that program turned out to have something malwarebytes didn't like. So if you have a temp program I can download let me know. At night it is much cooler and the computer runs cooler. I seem to have problems with video flash material. A site will load, the video comes up, but then stops and I constantly reload. I removed the current flash and loaded an older version and that seemed to help. I just downloaded the newest again and once again it seems like things have gone back to poor quality. I just think there is something not right about how the computer processes things. I think it should be much better like it used to be. However, I realize the beer could have done something to the hardware. So if there are tests we can do down the road to understand the hardware as well, maybe that would be a good path. BTW my XP computer handles video better than this one does now. It used to be the reverse.

Let me know what you think.



#45
April 30, 2013 at 08:44:24
I look at overall cpu usage vs. idle and they seem to be aligned in terms of adding up to 100%. I assume that is the way it is supposed to work. I did check event viewer for hardware notifications and there are zero reports there. I'm running Iron and FF now with Iron running the video content and it is hovering at about 8-12 on the cpu rankings. FF is 1 or less. I'll look on bleeping for a heat gauge and download one if there is one there to tell you the temps. Well, I tried majorgeeks for coretemp and comodo identified it as malware and so I removed it. Let me know if there is another program I should try.

#46
April 30, 2013 at 08:48:16
I see that flashplayer will suddenly take a large portion of cpu then drop down again and cpu usage goes from 30 to 70 or higher for a blip of a second.

#47
April 30, 2013 at 13:50:10
I don't use any temp programs.

With laptops in hot conditions, make sure it is on a solid surface & the air vents underneath are clean & don't have any obstructions.

Raise the laptop a little higher if it overheats, just to give it more airspace underneath.

Any issues you have, can you list them 1, 2, 3 etc. rather than large blocks of text.

If this program gets a warning from Comodo, it is a false positive & you should select it as Safe.

Core Temp
http://www.softpedia.com/get/Window...
http://www.softpedia.com/progScreen...
http://www.alcpu.com/CoreTemp/


#48
April 30, 2013 at 21:59:27
Laptop was reading about 90-98 on the temp scale. I looked at Process Hacker and FF was using up to 48% of cpu and I wasn't even using anything there. It had about 5 or 6 open tabs that were essentially idle webpages. I closed FF and temp is now 75.

I did have the laptop raised, but I went ahead and lifted up a bit more. I moved the outside fan closer. The big difference was in closing FF. Core temp showed the load on the core at 100% at its hottest point which corresponded to FF being open.


#49
April 30, 2013 at 22:18:30
I use FF as my default browser, without problems. I have many other browsers installed, including the ones you mentioned.

Flash was having big problems in all browsers, you have the latest version, so all's good.

Let's see how you go for a while.


#50
April 30, 2013 at 22:36:00
Okay, the only other thing I found was PMB.exe which came with Star Wars the Old Republic to increase the download and game play experience. I thought it was only to run when the game was loaded, but it runs at startup. I changed the settings and will monitor that. Otherwise, I'll just see if anything looks strange and let you know. Thanks.

#51
April 30, 2013 at 22:47:10
✔ Best Answer
Nice work, I was going to suggest checking all your startups & Updaters.

Open CCleaner > Tools > Startup, click on each tab & you will be able to change anything in there.

These are what I spotted from your logs.

Programs that update in the background.
Comodo, Skype, Flash Player, Windows Defender, Xvid.


#52
April 30, 2013 at 23:40:39
Do you mean stop Comodo from doing a background update or remove from startup?

FF just froze. The tabs won't allow me to click and I can't close the program. Using 36% of the cpu. This is the kind of thing that happens with FF/Opera. I still can't remember for sure if it happens with Iron or not.


#53
April 30, 2013 at 23:41:11
Core temp shows 100% load on both cores.

#54
April 30, 2013 at 23:55:03
"Do you mean stop Comodo from doing a background update or remove from startup?"
Nah, I was only listing, your decision. Won't hurt, bear in mind, you are doing a process of elimination.

#55
May 1, 2013 at 04:26:36
Okay, I took your advice and ended up disabling all but comodo and realtek in startup. That seemed to make a huge difference in reducing cpu and helping with the flash issue. Then I had FF freeze again twice and it maxed out my cpu again. I decided to look at plugins and disabled everything that I feel isn't absolutely necessary. I did the same to Opera and Iron. Now I am just monitoring to see what FF does and if it goes into consume mode again, but otherwise I think that may have been the primary issue.

#56
May 1, 2013 at 20:10:00
I came across this website: http://www.speedguide.net/articles/...

I'm using an old router (apple airport express) and in past ping tests I've had a high percentage of dropped packets. When I made some of the suggested changes on this site, everything improved from a flash perspective. I did several ping tests and had zero dropped each time (using speedtest.net and pingtest.net). I don't suppose there are any dangers involved with making these changes to your knowledge?

I disabled heuristics and set autotuning to "disabled". I tried the other settings, but I saw most improvement with autotuning set to "disabled". I also turned on CTCP.


#57
May 1, 2013 at 20:13:36
Windows AutoTune
Here is the screen view of the CMD window.

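The CMD screenshot from #57 is not reproduced here, so as an added example (not the poster's own script) here is a batch file that applies the three Windows 7 netsh changes described in #56, saves the previous values first, and can roll them back; the log path and the "apply"/"rollback" arguments are my own choices.

```batch
@echo off
REM Added example, not from the thread: record, apply and roll back the
REM Windows 7 TCP stack changes from #56. Run from an elevated cmd prompt.
REM These are throughput tunings, not security settings; the saved baseline
REM is what lets you undo them if the connection gets worse, not better.

set "LOG=%USERPROFILE%\tcp-tuning-before.txt"

if /I "%~1"=="apply"    goto apply
if /I "%~1"=="rollback" goto rollback
echo usage: %~nx0 apply ^| rollback
exit /b 1

:apply
REM Baseline: current global TCP parameters (auto-tuning level, congestion
REM provider) and the heuristics state, kept for the rollback step.
netsh interface tcp show global > "%LOG%"
netsh interface tcp show heuristics >> "%LOG%"
echo Baseline saved to "%LOG%"

REM The three changes the poster made in #56.
netsh interface tcp set heuristics disabled
netsh interface tcp set global autotuninglevel=disabled
netsh interface tcp set global congestionprovider=ctcp

REM Check: the auto-tuning level should now read disabled and the add-on
REM congestion control provider ctcp.
netsh interface tcp show global
exit /b 0

:rollback
REM Windows 7 client defaults: auto-tuning normal, heuristics enabled,
REM no add-on congestion provider. Compare against the saved baseline.
netsh interface tcp set global autotuninglevel=normal
netsh interface tcp set heuristics enabled
netsh interface tcp set global congestionprovider=none
netsh interface tcp show global
exit /b 0
```

Re-run the same ping tests after "apply" and after "rollback" so the before/after comparison rests on the saved baseline rather than on memory.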
#58
May 1, 2013 at 20:25:27
"I don't suppose there are any dangers involved with making these changes to your knowledge?"
Without googling, no idea.
