Solved TDSS / Hijackware / Ransomware infection

December 10, 2012 at 17:15:34
Specs: Windows 7, Pentium 4 2.1GHz / 4gb
I need help eliminating this virus. I'm not sure if it's mutating or what the deal is, but it's been a persistent bugger, that's for sure.

I run Win 7 with Microsoft Security Essentials. A few weeks ago I got hit with ransomware, complete with an FBI logo and a full lockdown of my laptop. My husband pulled the drive and ran a scan using his laptop and MSE, which cleaned it enough that it would boot and function. The last two weeks, however, I've had to deal with increasing instances of hijackware. Anytime I run a search, when I click on a result it redirects to a spam or other unrelated site.

So far, I've run MSE on here and as an external slave drive. I've also tried some of the tools like TDSSKiller and HitMan Pro. Every time I run a scan, I get a different virus with a different name. I wrote down two of them: Alureon.a and msdlm32.exe

Any help would be greatly appreciated. Thanks in advance!


#1
December 10, 2012 at 17:26:38
Try running Rkill first to stop known malware/viruses.
http://www.bleepingcomputer.com/dow...

Then download and run Malwarebytes free from this link:
http://www.malwarebytes.org/product...

Next download and run Malwarebytes' Anti-Rootkit from this link:
http://www.malwarebytes.org/product...

Then finish off with Eset's online scanner, from this link:
http://www.eset.com/online-scanner-...

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?

#2
December 10, 2012 at 17:43:18
RKill: Done, no issues
Malwarebytes: 7 objects, most under adobe. Deleted files, sent IE into a tizzy, restarted machine.
Malwarebytes, rnd 2: Clean pass

#3
December 10, 2012 at 17:50:00
How's it running after the restart?

#4
December 10, 2012 at 18:07:34
After a clean pass with malwarebytes...
MBR: no malware found
Up next: Eset

#5
December 10, 2012 at 19:15:04
50 min into ESET scan, and it has picked up 11 threats so far. Not sure how much longer it will run, since it's been at 99% for half an hour now. But it's still scanning.

#6
December 10, 2012 at 19:20:45
Stop the scan, and remove what it's found.


#7
December 10, 2012 at 19:24:56
It lists 4 things as "unable to clean"

win64\olmarik.ao trojan
html\scrinject.B Gen virus

#8
December 10, 2012 at 19:36:31
Then download and run KillZA from this link:
http://www.majorgeeks.com/KillZA_d7...
The first thing it will do, is remove any of the ZeroAccess leftovers.

Note: Once it restarts your pc, it will fix your service.exe file.

While you do that I will see what I can find out about Eset not deleting those two.


#9
December 10, 2012 at 19:44:54
Done. Also, I tried to find and manually delete those two files, but they don't appear to be where they say they were.

#10
December 10, 2012 at 19:47:19
Did KillZA find anything?


#11
December 10, 2012 at 19:49:41
Please download and run RogueKiller from this link:
http://majorgeeks.com/RogueKiller_d...
Instructions:
•Please quit all programs
•Right-click the RogueKiller file and select "Run as Administrator"
•Press: SCAN
•On the RogueKiller console, click the Registry tab.
•Make sure the entries there are checked.
•Then, press the [Delete] button.
An RKreport Log (Mode: Delete) is created on the Desktop.
Please provide the RKreport Log in your reply.
Restart the computer.


#12
December 10, 2012 at 19:55:33
KillZA said it didn't find anything, and it restarted twice and said it finished all of its processes. On to the next.

#13
December 10, 2012 at 19:58:55
✔ Best Answer
You have some nasty stuff on your PC; what we are doing is trying to strip down the viruses bit by bit. To do this we may have to run some of the programs we have already tried.
You are doing great :)
Good news: KillZA found nothing.


#14
December 10, 2012 at 19:59:13
RogueKiller V8.3.2 [Dec 10 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Andrea [Admin rights]
Mode : Scan -- Date : 12/10/2012 21:57:08

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: OCZ-AGILITY3 +++++
--- User ---
[MBR] 74141dce9f9b7f751e078a6b716bca1e
[BSP] e7d407aad5bd948361e5619ca1f2c2cb : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114371 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12102012_02d2157.txt >>
RKreport[1]_S_12102012_02d2157.txt

#15
December 10, 2012 at 20:01:31
In your Post #2 Was the Malwarebytes scan "Quick" or "Full"?


#16
December 10, 2012 at 20:08:53
Thank you for the encouragement! It's a bit like slugging through a muck. In winter.

Malwarebytes was "Quick"

#17
December 10, 2012 at 20:12:49
Something's working! Google search and results take me to the actual webpages.

#18
December 10, 2012 at 20:18:18
"It's a bit like slugging through a muck. In winter." - Yes it can be like that :)
Now we need to use the big guns, so to speak.

Download Combofix from this link and save to your Desktop:
http://www.bleepingcomputer.com/dow...

Combofix Instructions:
http://www.bleepingcomputer.com/com...

NOTE: Please turn off MSE before starting Combofix, and any other real-time scanners. Ask if you're not sure.


#19
December 10, 2012 at 21:07:06
ComboFix 12-12-10.01 - Andrea 12/10/2012 22:42:10.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4056.2690 [GMT -6:00]
Running from: c:\users\Andrea\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DGWJSTCO\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\dsgsdgdsgdsgw.pad
c:\users\Andrea\afmwcxuriswrohczbcqurm.exe
c:\users\Andrea\g2mdlhlpx.exe
c:\users\Andrea\mvrlbiawifjfihaapsw.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-11 to 2012-12-11 )))))))))))))))))))))))))))))))
.
.
2012-12-11 04:49 . 2012-12-11 04:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-11 04:00 . 2012-12-11 04:00 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{508317DC-9958-4E02-801C-E6A514D11D20}\offreg.dll
2012-12-11 03:41 . 2012-12-11 03:41 -------- d-----w- C:\Support
2012-12-11 03:41 . 2012-12-11 03:41 53248 ----a-w- c:\windows\SysWow64\zlib.dll
2012-12-11 02:08 . 2012-12-11 02:08 -------- d-----w- c:\program files (x86)\ESET
2012-12-11 01:37 . 2012-12-11 01:37 -------- d-----w- c:\users\Andrea\AppData\Roaming\Malwarebytes
2012-12-11 01:37 . 2012-12-11 01:37 -------- d-----w- c:\programdata\Malwarebytes
2012-12-11 01:37 . 2012-12-11 01:37 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-12-11 01:37 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-11 00:43 . 2012-12-11 00:43 -------- d-----w- c:\programdata\Kaspersky Lab
2012-12-11 00:43 . 2012-12-11 00:43 -------- d-----w- c:\program files (x86)\Kaspersky Lab
2012-12-11 00:16 . 2012-12-11 00:16 -------- d-----w- c:\program files\HitmanPro
2012-12-10 23:54 . 2012-12-10 23:54 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-12-10 23:47 . 2012-12-11 00:02 -------- d-----w- c:\programdata\HitmanPro
2012-12-10 17:00 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{508317DC-9958-4E02-801C-E6A514D11D20}\mpengine.dll
2012-12-10 16:44 . 2012-12-10 16:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-07 15:40 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-07 01:28 . 2012-12-09 02:09 -------- d-----w- c:\programdata\Rosetta Stone
2012-12-07 01:28 . 2012-12-07 01:28 -------- d-----w- c:\program files (x86)\Rosetta Stone
2012-12-05 21:03 . 2012-12-11 04:00 -------- d-----w- c:\users\Andrea\AppData\Roaming\Skype
2012-12-05 21:03 . 2012-12-05 21:03 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-12-05 21:02 . 2012-12-05 21:03 -------- d-----r- c:\program files (x86)\Skype
2012-12-05 21:02 . 2012-12-11 00:48 -------- d-----w- c:\programdata\Skype
2012-12-04 22:08 . 2012-12-04 22:08 -------- d-----w- c:\users\Andrea\AppData\Roaming\MyPublisher
2012-12-04 22:08 . 2012-12-04 22:08 -------- d-----w- c:\program files (x86)\MyPublisher
2012-12-03 05:29 . 2012-12-03 05:38 -------- d-----w- c:\windows\Microsoft Antimalware
2012-12-03 00:27 . 2012-12-03 00:29 -------- d-----w- C:\neil
2012-12-01 15:34 . 2012-12-01 15:34 -------- d-----w- c:\program files (x86)\Wyse
2012-11-28 13:47 . 2012-11-28 13:47 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6E463837-21D2-4EE7-91FF-B047EA9FE046}\gapaengine.dll
2012-11-23 20:56 . 2012-11-23 20:57 -------- d-----w- c:\program files\Stunt Track Driver
2012-11-23 20:55 . 1998-01-23 18:22 304128 ----a-w- c:\windows\IsUninst.exe
2012-11-19 03:37 . 2012-11-19 03:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-11-19 03:37 . 2012-11-19 03:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-11-19 03:37 . 2012-11-19 03:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-11-19 03:37 . 2012-11-19 03:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-11-19 03:37 . 2012-11-19 03:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-11-19 03:37 . 2012-11-19 03:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-11-19 03:37 . 2012-11-19 03:37 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-11-19 03:36 . 2012-11-19 03:37 -------- d-----w- c:\program files (x86)\QuickTime
2012-11-15 21:09 . 2012-11-15 21:09 -------- d-----w- C:\found.000
2012-11-15 14:50 . 2012-10-08 11:26 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2012-11-15 14:50 . 2012-10-08 11:25 499200 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll
2012-11-15 14:50 . 2012-10-08 07:50 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
2012-11-15 14:50 . 2012-10-08 07:49 387584 ----a-w- c:\program files (x86)\Internet Explorer\jsdbgui.dll
2012-11-15 14:50 . 2012-10-08 12:19 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-15 14:50 . 2012-10-08 11:42 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-15 14:49 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-11-15 14:49 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-11-15 14:49 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-11-15 14:49 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-11-15 14:49 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2012-11-15 14:49 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-11-15 14:49 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2012-11-14 21:32 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-11-14 21:32 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-11-14 21:32 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2012-11-14 21:32 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2012-11-14 21:32 . 2012-10-18 18:25 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-14 21:32 . 2012-10-03 17:56 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-11-14 21:32 . 2012-10-03 17:44 246272 ----a-w- c:\windows\system32\netcorehc.dll
2012-11-14 21:32 . 2012-10-03 17:44 216576 ----a-w- c:\windows\system32\ncsi.dll
2012-11-14 21:32 . 2012-10-03 16:42 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
2012-11-14 21:31 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll
2012-11-14 21:31 . 2012-10-03 17:44 303104 ----a-w- c:\windows\system32\nlasvc.dll
2012-11-14 21:31 . 2012-10-03 17:44 18944 ----a-w- c:\windows\system32\netevent.dll
2012-11-14 21:31 . 2012-10-03 17:42 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-11-14 21:31 . 2012-10-03 16:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll
2012-11-14 21:31 . 2012-10-03 16:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
2012-11-14 21:31 . 2012-10-03 16:07 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-11-14 21:31 . 2012-01-13 07:12 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll
2012-11-14 21:31 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll
2012-11-14 21:31 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-11-12 16:38 . 2012-11-12 16:38 -------- d-----w- c:\users\Andrea\AppData\Local\Diagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-15 14:49 . 2012-07-01 01:50 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-11-15 02:33 . 2012-07-01 04:17 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-15 02:33 . 2012-07-01 04:17 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-02 21:38 . 2012-11-02 21:38 862664 ----a-w- c:\windows\SysWow64\msvcr110.dll
2012-11-02 21:38 . 2012-11-02 21:38 828872 ----a-w- c:\windows\system32\msvcr110.dll
2012-11-02 21:38 . 2012-11-02 21:38 661448 ----a-w- c:\windows\system32\msvcp110.dll
2012-11-02 21:38 . 2012-11-02 21:38 534480 ----a-w- c:\windows\SysWow64\msvcp110.dll
2012-11-02 21:38 . 2012-11-02 21:38 50856 ----a-w- c:\windows\system32\drivers\point64.sys
2012-11-02 21:38 . 2012-11-02 21:38 354264 ----a-w- c:\windows\system32\vccorlib110.dll
2012-11-02 21:38 . 2012-11-02 21:38 251864 ----a-w- c:\windows\SysWow64\vccorlib110.dll
2012-11-02 21:38 . 2012-11-02 21:38 1795952 ----a-w- c:\windows\system32\WdfCoInstaller01011.dll
2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-10-16 08:38 . 2012-11-28 10:35 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-11-28 10:35 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-11-28 10:35 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-02 23:35 . 2012-07-04 13:17 972192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-29 04:32 . 2012-09-29 04:32 2177688 ----a-w- c:\windows\system32\coin92.dll
2012-09-16 22:54 . 2012-09-16 22:54 489712 ----a-w- c:\users\Andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2012-09-14 19:19 . 2012-10-10 14:23 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-14 18:28 . 2012-10-10 14:23 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Andrea\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Andrea\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\Andrea\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-11-09 17877168]
"KSS"="c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" [2012-04-26 202296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"tvncontrol"="c:\program files (x86)\TightVNC\tvnserver.exe" [2011-08-03 828944]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2012-07-05 295304]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
.
c:\users\Andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Andrea\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-6-13 27595032]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-12-3 1044320]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 ccayhuey;ccayhuey;c:\windows\system32\drivers\ccayhuey.sys [x]
R1 dnpfdlhs;dnpfdlhs;c:\windows\system32\drivers\dnpfdlhs.sys [x]
R1 hiyinpce;hiyinpce;c:\windows\system32\drivers\hiyinpce.sys [x]
R1 hvcvzhjp;hvcvzhjp;c:\windows\system32\drivers\hvcvzhjp.sys [x]
R1 hyhpfnfj;hyhpfnfj;c:\windows\system32\drivers\hyhpfnfj.sys [x]
R1 hyqrcvjf;hyqrcvjf;c:\windows\system32\drivers\hyqrcvjf.sys [x]
R1 ikpvpebq;ikpvpebq;c:\windows\system32\drivers\ikpvpebq.sys [x]
R1 sjikande;sjikande;c:\windows\system32\drivers\sjikande.sys [x]
R1 sqnferzp;sqnferzp;c:\windows\system32\drivers\sqnferzp.sys [x]
R1 tdkqybgj;tdkqybgj;c:\windows\system32\drivers\tdkqybgj.sys [x]
R1 wriftbtj;wriftbtj;c:\windows\system32\drivers\wriftbtj.sys [x]
R1 xhiareim;xhiareim;c:\windows\system32\drivers\xhiareim.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-11-22 3290304]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2011-01-04 31744]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [x]
R3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\DRIVERS\btblan.sys [2012-07-05 40320]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 31744]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-11-02 50856]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-07-01 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2008-06-16 55024]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-12-11 108904]
S2 KSS;Kaspersky Security Scan Service;c:\program files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [2012-04-26 202296]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S2 Motorola Device Manager;Motorola Device Manager Service;c:\program files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2012-07-17 116632]
S2 PST Service;PST Service;c:\program files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [2011-09-02 65657]
S2 tvnserver;TightVNC Server;c:\program files (x86)\TightVNC\tvnserver.exe [2011-08-03 828944]
S2 WysePocketCloud;Wyse PocketCloud;c:\program files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [2012-11-05 191488]
S2 WyseRemoteAccess;Wyse Remote Access;c:\program files (x86)\Wyse\PocketCloud Windows Companion\WyseRemoteAccess.exe [2012-11-05 1436160]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 25928]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-01 02:33]
.
2012-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-29 18:52]
.
2012-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-29 18:52]
.
2012-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3549758706-989551262-881051875-1000Core.job
- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-03 18:52]
.
2012-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3549758706-989551262-881051875-1000UA.job
- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-03 18:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\Andrea\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\Andrea\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\Andrea\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\Andrea\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"PocketCloud Location"="c:\program files (x86)\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2012-11-05 935312]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;192.168.*.*
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
TCP: DhcpNameServer = 24.220.0.10 24.220.0.11 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre7\bin\jusched.exe
SafeBoot-02112434.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:ca,b0,ec,52,34,c8,cd,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-10 22:52:08
ComboFix-quarantined-files.txt 2012-12-11 04:52
.
Pre-Run: 44,395,479,040 bytes free
Post-Run: 46,165,278,720 bytes free
.
- - End Of File - - 74D234A6A388CF5E0867D782815C9B06

#20
December 10, 2012 at 21:23:56
Just checking, are you running MSE and Kaspersky at the moment? You need to remove one of these if you are.

Wyse Remote Access did you install this remote access software?

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?

#21
December 10, 2012 at 21:36:04
Kaspersky can go. It was a part of my initial efforts.

Wyse is for my tablet remote desktop. I use it a lot. :-)

#22
December 10, 2012 at 21:37:12
Cool, delete Kaspersky.
I'm about to have dinner, be back in 20 mins :)

#23
December 10, 2012 at 21:44:48
Your help has been invaluable. It's nearly midnight here, I'll have to pick this up in the morning.

#24
December 10, 2012 at 21:57:32
Cool, it's 7pm here so I will hear from you tomorrow. Not much left to do now. One more removal tool and then some fixes. Goodnight.

#25
December 11, 2012 at 10:28:23
I strongly suggest removing this entry, it is coming up on a couple of website checking tools as bad.
c:\users\Andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe

Last removal tool now, download AdwCleaner from this link:
http://www.softpedia.com/get/Antivi...
Run it and click Search. It will search and then show you a log (which is not saved yet). It then waits for an action; click Delete. It starts deleting, then stops and asks to restart your PC to finish deleting. Please allow this.
On restart it will list what was fixed etc in a saved log. Include the log in your next reply please.

#26
December 11, 2012 at 13:08:56
Should I just delete that .exe, or the whole folder? It's the only thing in the folder...

#27
December 11, 2012 at 13:15:38
# AdwCleaner v2.007 - Logfile created 12/11/2012 at 15:12:44
# Updated 06/11/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Andrea - ANDREA-PC
# Boot Mode : Normal
# Running from : C:\Users\Andrea\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P68GF5K3\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Andrea\AppData\Local\Ilivid

***** [Registry] *****

Key Deleted : HKCU\Software\ilivid

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Andrea\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [956 octets] - [11/12/2012 15:11:33]
AdwCleaner[S1].txt - [892 octets] - [11/12/2012 15:12:44]

########## EOF - C:\AdwCleaner[S1].txt - [951 octets] ##########

#28
December 11, 2012 at 13:26:57
"Should I just delete that .exe, or the whole folder?" - Yes, the folder's fine, as long as it's not installed.

Now we need to clean a few things up.
Cleaning Temp Files Etc:
Download and run the CCleaner free to clean out Temp Files etc, from this link:
http://www.piriform.com/ccleaner/do...
Run program, on the first page click the Analyse button at the bottom.
(No need to change settings)
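An added example in PowerShell, not code from the thread or from any of the tools it names, that triages a flagged file like the one in #25 before it is deleted: it assumes the path given in #25, prints the file's SHA-256 and Authenticode status so it can be looked up on a reputation service, and checks the Uninstall registry keys to answer the "as long as it's not installed" point from #28. The search strings 'Coupon' and 'Catalina' are assumptions taken from the folder name.

```powershell
# Added example, not from the thread: triage a flagged executable before deleting it.
# Path is the one named in #25; everything else is standard Windows/PowerShell.
$FlaggedPath = 'C:\Users\Andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe'

function Get-Sha256Hex([string]$Path) {
    # .NET directly, so this also runs on the PowerShell 2.0 that shipped with Windows 7
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Get-UninstallEntriesMatching([string[]]$Needles) {
    # Native, Wow6432Node (32-bit apps on 64-bit Windows) and per-user Uninstall keys
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p    = Get-ItemProperty $key.PSPath
            $text = "$($p.DisplayName) $($p.UninstallString) $($p.InstallLocation)"
            foreach ($n in $Needles) {
                if ($text -like "*$n*") {
                    New-Object PSObject -Property @{
                        Key = $key.PSChildName; DisplayName = $p.DisplayName; UninstallString = $p.UninstallString }
                    break
                }
            }
        }
    }
}

if (Test-Path -LiteralPath $FlaggedPath) {
    $item = Get-Item -LiteralPath $FlaggedPath
    Write-Output ("Size: {0} bytes, last written {1}" -f $item.Length, $item.LastWriteTime)
    Write-Output ("SHA-256: {0}" -f (Get-Sha256Hex $FlaggedPath))   # look this up on a reputation service
    $sig = Get-AuthenticodeSignature -FilePath $FlaggedPath
    Write-Output ("Authenticode: {0} {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
} else {
    Write-Output "Not present: $FlaggedPath"
}

# Answers the "as long as it's not installed" question in #28: if nothing in Add/Remove
# Programs references the product, deleting the Start Menu folder is all that is left to do.
$entries = @(Get-UninstallEntriesMatching @('Coupon', 'Catalina'))
if ($entries.Count -eq 0) { Write-Output 'No Uninstall entry references it; deleting the folder is enough.' }
else { Write-Output 'Installed product found; use its uninstaller first:'; $entries | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the file are readable; the hash printed is what to paste into a file-reputation site rather than uploading the binary itself.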

#29
December 11, 2012 at 13:49:10
Deleted, and analyzing. :)

#30
December 11, 2012 at 13:53:01
Done. Run Cleaner?

#31
December 11, 2012 at 13:53:02
Excellent :)

Now to fix a few things:
Download Tweaking's Windows repair - All In One tool from this link:
http://www.tweaking.com/content/pag...
Run the tool; on the first page go to the far-right tab, Start Repairs. It will ask to make a restore point; please allow this.
Check mark the following fixes only:
*Reset File Permissions
*Reset Registry Permissions
*Register System Files
*Remove Policies Set By Infection
On the far right click the Start button. Warning: do not fix anything else, please.

#32
December 11, 2012 at 13:55:50
Yes create a restore point when it asks, and delete everything it found :)

#33
December 11, 2012 at 14:25:20
Finished. Anything else?

#34
December 11, 2012 at 14:29:29
How's your PC running now?

Uninstalling Combofix:
Click on the Start button, then in the search field copy and paste:
combofix /uninstall
Then click Run; it will remove ComboFix and all its files, including its quarantined items.

#35
December 11, 2012 at 14:51:55
Seems to be right as rain. The fan quit running constantly, and I haven't had any search engine redirects.

Can't find Combofix / uninstall. Or Combofix? Maybe I clicked "run" instead of "download"...

#36
December 11, 2012 at 14:58:31
Click on the Start button, bottom left of the desktop screen. In the Search field, copy and paste the following: combofix /uninstall, then click Run. You will not find it in your installed programs list.

#37
December 11, 2012 at 15:00:01
One last thing: update and run a Full Malwarebytes scan now. Include the log in your next reply if it finds anything. Just to be sure we got everything :)

#38
December 11, 2012 at 15:01:06
Yes. It says "No items match your search"

With and without spaces, slashes, etc.

#39
December 11, 2012 at 15:07:42
Try entering the following into the search field, copy and paste:
c:\documents and settings\Administrator\Desktop\Combo-Fix.exe" /Uninstall

#40
December 11, 2012 at 15:14:55
Sorry, missed the first quote marks :(
"c:\documents and settings\Administrator\Desktop\Combo-Fix.exe" /Uninstall
That's better :)

#41
December 11, 2012 at 15:26:35
Nope. And there's no C:\documents and settings, either.

#42
December 11, 2012 at 15:33:37
Ok, is the Combofix icon still on your desktop?
If not, carry on with the Full Malwarebytes scan and that should be it.
If you have any more troubles you know where to find us; don't forget to mark a best answer :)

#43
December 11, 2012 at 15:43:45
There is no Combofix icon on my desktop. I think I'm good there. :)

I updated and started a Full Malwarebytes scan. So far so good!

Thanks so much for your help. I'm impressed!

#44
December 11, 2012 at 15:47:27
You're most welcome.
I also suggest removing MSE and installing Avast free :)

#45
December 11, 2012 at 16:07:15
I've been watching this and it has been great to see the "nasties" gradually fly out of the system.

Most impressed with both of you - very good result.

#46
December 11, 2012 at 16:09:34
Thanks Derek :)

#47
December 11, 2012 at 16:22:03
Yes, thank you Derek.

And, Malwarebytes said, "The scan completed successfully. No malicious items were detected."

Thank you MrGoodguy!

#48
December 11, 2012 at 16:25:28
Excellent :) Safe Browsing. Thank you for sticking in there, you did a great job.