Solved Text Delay, PC unresponsive at times. Weird W-N-C appears

October 28, 2012 at 05:18:23
Specs: Windows 7
This has been ongoing for about a month. These 3 things all happen simultaneously:
•Sometimes I'll be typing on facebook or leaving a YouTube comment, and there is quite a delay from the keys I'm hitting, to them showing up on the screen. At first I thought my computer was frozen.
•If I attempt to minimize the screen, or bring up Windows Task Mgr, there is quite a delay in the computer's response to my commands
•While this strange behavior is going on, if I look at my Wireless Network Connection options, I see one that has nothing to do with me or my neighbors, called "receiving". All in lowercase letters like that. Also, while this "receiving" connection appears (usually for up to 5 minutes) I checked my connection info, and it is sending and receiving Millions of bytes!!!

It has been acting this way since I got it back from the Geek Squad at Best Buy. I suspected a keystroke recording program, but looked everywhere and ran a full system scan and didn't find anything harmful.
Right now my typing is on point where it should be, everything responds quickly, and that "receiving" option is not in my Wireless Network Connections.
As soon as it starts acting funny, it will be back. WHAT IS GOING ON?




#1
October 28, 2012 at 05:52:57
✔ Best Answer
"WHAT IS GOING ON?"

So many things it can be.

Let's start with ESET.

1: Run ESET & post the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.



#2
October 28, 2012 at 12:41:44
Hi MissElizabeth,
'It has been acting this way since I got it back from the Geek Squad at Best Buy. ' First thing I would do is TAKE it BACK to the Geek Squad (they are notorious for messing up machines and overcharging) and TELL them to fix this problem as you already paid for their services...

If no use from them, I would say to do a system restore back to BEFORE the problem. The only things you will have to do is update your critical updates after doing that....see if that cures your problem...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#3
October 28, 2012 at 12:46:21
If response #2 does not help...and you think there is an unwanted rootkit installed...run these 3 free progs in EXACTLY the order listed and DO NOT reboot until after the last scan
1- rkill.exe
http://www.technibble.com/rkill-rep...
2- tdsskiller
http://support.kaspersky.com/faq/?q...
3- Malwarebytes
http://www.filehippo.com/download_m...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds




#4
October 30, 2012 at 03:18:10
XpUser4Real - that is a good idea, I went to try it (do a System Restore to the last time I set a Restore point) and it tells me there IS NO Restore point :-O
I'm tempted to do a Factory Restore but I have Microsoft Office and Picture Mgr (which I use everyday) and don't have the discs to reinstall so I'd lose them :(
I will try #1 & #3


#5
October 30, 2012 at 07:15:32
Johnw - I ran ESET, it says it found and treated 13 threats!
The actual "Log" you requested I post is actually very short, but here ya go: ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

Here's all the stuff it found :-(
C:\ProgramData\vokgxaox.exe Win32/Weelsof.B trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\626A.tmp Win64/Olmarik.AO trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\62A9.tmp Win64/Olmarik.AO trojan cleaned by deleting - quarantined
C:\Users\Princess\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\43de88f9-23bab13f Java/Agent.AB trojan deleted - quarantined
C:\Windows\System32\config\systemprofile\0.02500272167971873.exe Win32/Weelsof.B trojan cleaned by deleting - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\2W4CEJF5\cat-and-dolphin-playing-together[1].htm HTML/ScrInject.B.Gen virus deleted (after the next restart) - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\62MRL9X0\37822-15[1].js HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\D3MC5F6S\json[1].js HTML/Iframe.B.Gen virus deleted - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\HGTUOHO3\ttj[8].js HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\MMVF5FVH\37822-2[1].js HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\MMVF5FVH\37940-2[1].js HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\OXAJQBEE\37822-15[1].js HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\Temp\Temporary Internet Files\Content.IE5\WDRNRCA3\imp[2].js HTML/Iframe.B.Gen virus deleted - quarantined

Seriously, there is a virus that calls itself "Cat and dolphin playing together"..?
Holy smokes after all that I sure hope it runs normal now!

THANK YOU GUYS SO MUCH for your help/suggestions ! ♥



#6
October 30, 2012 at 09:43:57
MissElizabeth
"Holy smokes after all that I sure hope it runs normal now!"
I doubt it, it may for a short time, but it will probably grow again.
"Seriously, there is a virus that calls itself "Cat and dolphin playing together"..?"
Google it, if you want to find out more.


#7
October 30, 2012 at 09:45:18
Please copy & paste instructions into a text file, print steps & info. You will need them, as they are hard to remember, for when you are offline.

The baddies are always ahead of the goodies, be aware, this can be a very long process, involving many different tools to clean up an infected comp.
Some infections are unremovable.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc.
The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
http://www.dslreports.com/faq/10063
How to report ID theft, fraud, drive-by installs, hijacking and malware?
http://www.dslreports.com/faq/10451
Change your router password if it is not strong or still uses the default one.
Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...

If you do decide to reinstall, make sure you delete ALL partitions & format to NTFS.
D to Delete the selected partition ( XP )
http://www.blackviper.com/os-instal...
W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...
Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.

If any program won't run ( due to the infection ) let me know. Post the log/logs after each run.
Screenshots ( SS ) may also be requested, or if you want to illustrate a point yourself, use the uploader.
If any of the logs are too large, upload them to a site of your choosing or, all can be done with this. I use Imgur.com
Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru

After each fix or change we make, let me know how the comp is running. Example: Still cannot boot into Normal mode.



#8
October 30, 2012 at 09:51:02
1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: ListParts
Please download and run ListParts by Farbar (for 32-bit system):
http://download.bleepingcomputer.co...
Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Post those results in your next reply.



#9
December 12, 2012 at 18:19:51
Johnw -
I downloaded and ran "Unhide"
here is the log:
Processing the C:\ drive
Finished processing the C:\ drive. 270733 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 75 files processed.

The C:\Users\Princess\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_TrackDocs was set to 0! It was set back to 1!

Program finished at: 12/12/2012 03:01:51 PM
Execution time: 0 hours(s), 9 minute(s), and 47 seconds(s)



#10
December 12, 2012 at 18:23:14
"it's not letting me reply"
What isn't?


#11
December 12, 2012 at 18:30:28
Additionally ↑
I downloaded and ran the ListParts
here is the log from that:

ListParts by Farbar Version: 30-10-2012
Ran by Princess (administrator) on 12-12-2012 at 17:31:34
Windows 7 (X64)
Running From: C:\Users\Princess\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 56%
Total physical RAM: 1979.2 MB
Available physical RAM: 853.19 MB
Total Pagefile: 3958.39 MB
Available Pagefile: 2421.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:220.2 GB) (Free:154.02 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:12.49 GB) (Free:2.09 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 220 GB 200 MB
Partition 3 Primary 12 GB 220 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 220 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 12 GB Healthy

======================================================================================================

****** End Of Log ******

The secrets to life are hidden behind the word Cliché.


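ListParts reports what it read out of the MBR partition table (type code, hidden and active flags, offsets). The same read can be done by hand and checked for the things a bootkit can change, which is also the reason behind the advice in response #7 to delete every partition before a reinstall: a bootkit can own the loader code in the first sector or a partition of its own that a normal OS install would leave in place. The script below is an added example written for this page, not code from the thread, from ListParts or from ComboFix. The disk layouts are constructed to resemble the ListParts output posted above plus a hypothetical fourth partition that is hidden and marked active, and the stock Windows 7 loader prefix is an assumption that should be checked against a known-clean disk of the same build before being relied on.

```python
"""Read an MBR partition table and flag what a bootkit can change.

Added example for this page (not from the thread, ListParts or ComboFix).
Layouts below are constructed: a clean disk resembling the posted ListParts
output and a hypothetical one with a hidden, active fourth partition.
On a live Windows box (as Administrator) the first sector comes from
open(r"\\.\PhysicalDrive0", "rb").read(512).
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # four 16-byte entries, then 0x55AA at 510
ENTRY_FMT = "<B3xB3xII"            # status, CHS start (skip), type, CHS end (skip), LBA start, sectors
HIDDEN_TYPES = {0x17, 0x1B, 0x1C}  # 0x07/0x0B/0x0C with the 0x10 "hidden" bit set
# Assumption: first bytes of the stock Windows 7 MBR loader (xor ax,ax; mov ss,ax; mov sp,7C00h).
# Treat a mismatch as a lead, and confirm against a known-clean disk of the same build.
WIN7_MBR_PREFIX = bytes.fromhex("33c08ed0bc007c")


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return parts


def find_anomalies(mbr: bytes, disk_sectors: int) -> list:
    """Checks a responder runs before accepting 'no hidden partitions'."""
    parts = parse_mbr(mbr)
    findings = []
    if not mbr.startswith(WIN7_MBR_PREFIX):
        findings.append("MBR boot code does not match the stock Windows loader prefix")
    for p in parts:
        if p["hidden"]:
            findings.append(f"partition {p['index']}: hidden type 0x{p['type']:02X}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']}: extends past the end of the disk")
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if ordered:
        tail = disk_sectors - (ordered[-1]["lba_start"] + ordered[-1]["sectors"])
        if tail * SECTOR > 16 * 1024 * 1024:   # room for a hidden file system after the last partition
            findings.append(f"{tail * SECTOR // (1024 * 1024)} MB unpartitioned space after the last partition")
    return findings


def build_mbr(entries, boot_code=WIN7_MBR_PREFIX) -> bytes:
    """Construct a test MBR from (active, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (active, ptype, start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, ptype, start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed to mirror the posted ListParts output: SYSTEM 199 MB (active), C: 220 GB, RECOVERY 12 GB.
DISK_SECTORS = 486_950_912
CLEAN_LAYOUT = [
    (True, 0x07, 2_048, 407_552),
    (False, 0x07, 409_600, 461_373_440),
    (False, 0x07, 461_783_040, 25_165_824),
]
# Hypothetical bootkit layout: loader code replaced, a hidden 1 MB partition appended and made active.
INFECTED_LAYOUT = [(False,) + e[1:] for e in CLEAN_LAYOUT] + [(True, 0x17, 486_948_864, 2_048)]
FAKE_LOADER = bytes.fromhex("eb1e90")

if __name__ == "__main__":
    for label, layout, code in (("clean", CLEAN_LAYOUT, WIN7_MBR_PREFIX),
                                ("infected", INFECTED_LAYOUT, FAKE_LOADER)):
        mbr = build_mbr(layout, code)
        for p in parse_mbr(mbr):
            print(f"{label}: partition {p['index']} type 0x{p['type']:02X} "
                  f"active={p['active']} hidden={p['hidden']} {p['size_mb']} MB")
        print(f"{label}: findings = {find_anomalies(mbr, DISK_SECTORS) or 'none'}")
```

The clean layout produces the same three entries ListParts listed (type 07, partition 1 active, none hidden) and no findings; the constructed infected layout trips the loader-prefix check and the hidden-type check. A partition table that looks clean is still only half the story, since the loader code itself is not shown by ListParts, which is why the prefix comparison is included.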

#12
December 12, 2012 at 18:38:38
"I downloaded and ran the ListParts
here is the log from that:"

All good, no hidden partitions.

4: Run ComboFix
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#13
December 15, 2012 at 14:10:10
Ok completed #4 . Shall I post the log ?

The secrets to life are hidden behind the word Cliché.



#14
December 15, 2012 at 14:50:50
Here it is anyway..
But I still see that "receiving" as an option in Wireless Network Connections. None of my neighbors' computers see that, nor does my iPhone when I do a WiFi scan.

ComboFix 12-12-14.01 - Princess 12/15/2012 13:31:58.1.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1979.955 [GMT -8:00]
Running from: c:\users\Princess\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Princess\AppData\Roaming\csogi.dll
c:\users\Princess\AppData\Roaming\wpdsv.dll
c:\windows\svchost.exe
c:\windows\SysWow64\config\systemprofile\frgxuitipmov.exe
c:\windows\SysWow64\config\systemprofile\ohtfgaxylebbdxdzyxkfqqh.exe
c:\windows\SysWow64\config\systemprofile\wgsdgsdgdsgsd.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-15 to 2012-12-15 )))))))))))))))))))))))))))))))
.
.
2012-12-15 21:46 . 2012-12-15 21:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-15 21:46 . 2012-12-15 21:46 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-12-15 21:45 . 2012-12-15 21:45 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{959AC148-F323-4E68-AB61-D59F0C4C2D9B}\offreg.dll
2012-12-14 14:19 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{959AC148-F323-4E68-AB61-D59F0C4C2D9B}\mpengine.dll
2012-12-13 16:44 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-12-13 16:44 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-13 11:07 . 2012-11-14 05:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-13 09:04 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-13 09:04 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-12-13 08:30 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-13 08:30 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-13 08:30 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-13 08:30 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-12 22:41 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-11-18 11:36 . 2012-11-18 11:36 -------- d-----w- c:\program files (x86)\QuickTime
2012-11-18 11:35 . 2012-08-21 21:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-11-18 11:34 . 2012-11-18 11:34 -------- d-----w- c:\program files\iPod
2012-11-18 11:34 . 2012-11-18 11:35 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-11-18 11:34 . 2012-11-18 11:35 -------- d-----w- c:\program files\iTunes
2012-11-18 11:30 . 2012-11-18 11:30 -------- d-----w- c:\program files\Bonjour
2012-11-18 11:30 . 2012-11-18 11:30 -------- d-----w- c:\program files (x86)\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-13 11:16 . 2010-05-08 21:26 67413224 ----a-w- c:\windows\system32\MRT.exe
2012-11-20 04:23 . 2012-05-08 21:07 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-20 04:23 . 2011-11-19 22:52 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 11:12 . 2012-10-25 11:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 11:12 . 2012-10-25 11:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-10-16 08:38 . 2012-11-27 19:32 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-11-27 19:32 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-11-27 19:32 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-09 18:17 . 2012-11-14 06:42 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-10-09 18:17 . 2012-11-14 06:42 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-10-09 17:40 . 2012-11-14 06:42 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40 . 2012-11-14 06:42 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2012-10-04 16:40 . 2012-12-13 12:20 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-10-03 17:56 . 2012-11-14 06:42 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-10-03 17:44 . 2012-11-14 06:42 303104 ----a-w- c:\windows\system32\nlasvc.dll
2012-10-03 17:44 . 2012-11-14 06:42 70656 ----a-w- c:\windows\system32\nlaapi.dll
2012-10-03 17:44 . 2012-11-14 06:42 246272 ----a-w- c:\windows\system32\netcorehc.dll
2012-10-03 17:44 . 2012-11-14 06:42 18944 ----a-w- c:\windows\system32\netevent.dll
2012-10-03 17:44 . 2012-11-14 06:42 216576 ----a-w- c:\windows\system32\ncsi.dll
2012-10-03 17:42 . 2012-11-14 06:42 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-10-03 16:42 . 2012-11-14 06:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll
2012-10-03 16:42 . 2012-11-14 06:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
2012-10-03 16:42 . 2012-11-14 06:42 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
2012-10-03 16:07 . 2012-11-14 06:42 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-09-25 22:47 . 2012-11-14 06:43 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-09-25 22:46 . 2012-11-14 06:43 95744 ----a-w- c:\windows\system32\synceng.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-06-05 216064]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-16 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
R4 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
R4 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe [2012-06-16 138272]
R4 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1308000.00E\SYMDS64.SYS [2011-08-16 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1308000.00E\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [2012-04-02 1160824]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1308000.00E\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\IPSDefs\20120613.007\IDSvia64.sys [2012-06-14 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1308000.00E\Ironx64.SYS [2012-04-18 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1308000.00E\SYMNETS.SYS [2012-04-18 405624]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-06-05 138912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-25 c:\windows\Tasks\HPCeeScheduleForPrincess.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-14 495104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-csogi - c:\users\Princess\AppData\Roaming\csogi.dll
Wow6432Node-HKCU-Run-wpdsv - c:\users\Princess\AppData\Roaming\wpdsv.dll
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKU-Default-Run-vokgxaoxdupnldf - c:\programdata\vokgxaox.exe
Wow6432Node-HKU-Default-RunOnce-1w93y79o - c:\users\Princess\AppData\Roaming\1w93y79o.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Lexmark 730 Series - c:\program files (x86) (x86)\Lexmark 730 Series\Install\x64\Uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.8.0.14\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{1E61ED7C-7CB8-49D6-B9E9-AB4C880C8414}"=hex:51,66,7a,6c,4c,1d,38,12,12,ee,72,
1a,8a,32,b8,0c,c6,ff,e8,0c,8d,52,c0,00
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:38,c9,76,ef,64,b2,cd,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-15 13:50:20
ComboFix-quarantined-files.txt 2012-12-15 21:50
.
Pre-Run: 163,059,232,768 bytes free
Post-Run: 178,148,982,784 bytes free
.
- - End Of File - - 7525E1C5B26949AF3A6E5C0E0537287D

The secrets to life are hidden behind the word Cliché.



#15
December 15, 2012 at 14:58:38
"Here it is anyway"
Thanks, quite a lot of infected files removed.

5: Run TDSSKiller & post the log.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...
Anti-rootkit utility TDSSKiller
http://support.kaspersky.com/faq/?q...
If TDSS doesn't run, use FixTDSS
http://www.symantec.com/content/en/...
Download FixTDSS and save it to your desktop.
Double click on the FixTDSS.exe icon to run it.
Click the "I Accept" button, then the "Proceed" button to begin
The tool will restart your computer automatically - click OK to allow it to do so
The tool will begin its scan on reboot > click "run" to begin
It will report if an infected MBR is found > click the "repair" button



#16
December 15, 2012 at 15:48:24
When I do that, one of those "Fix PC Speed" things starts running
is it supposed to do that ?
I thought those things were Bogus ...

The secrets to life are hidden behind the word Cliché.



#17
December 15, 2012 at 15:58:06
"When I do that"
When you do what?
I cannot assume anything, be very clear please.


#18
December 15, 2012 at 16:05:25
oh - lol ! Sorry
When I attempted to download and run TDSSkiller, a bunch of junk for "Speed up PC" started running and claiming to be doing all sorts of stuff

But when I accessed the download link from one of the alternate sites you posted, it showed me what should happen (a green window appears)

I ran it, it said it found one thing, asked me if I wanted to Cure it, Quarantine it, etc
I chose "Cure" and it says it did, without incident.. then asked me to restart computer
So I did..
Upon restarting it wanted to continue scanning, so I let it, and then it told me it scanned an additional 477 locations and found No More infected files.
I am telling you all this because I don't know how to find the "Log" for that one :)

The secrets to life are hidden behind the word Cliché.



#19
December 15, 2012 at 16:15:53
"I am telling you all this because I don't know how to find the "Log" for that one :)"
Ok, that is enough info at this point.

I don't think you have printed out my post #7

6: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
RogueKiller tutorial
http://en.kioskea.net/faq/11626-rog...



#20
December 15, 2012 at 16:28:32
I read thru your #7 post, but it made mention of How To Report ID theft and router passwords - which doesn't apply to me
(I don't use my computer to pay any bills or access any bank information
I have no control over the router, I am connected thru my landlord's guest account on their internet connection.
Yes, if someone were close enough outside on another computer I'm sure they could be causing mischief, but I live out in the country; there is a cherry orchard across the street from me and a horse pasture behind me.)

That Rogue killer part wasn't in there, maybe it got cut off ?
But I'll do it now..
brb

The secrets to life are hidden behind the word Cliché.



#21
December 15, 2012 at 16:34:56
"I read thru your #7 post"

Your post #13
Ok completed #4 . Shall I post the log ?

Extracts from my post #7
Please copy & paste instructions into a text file, print steps & info.

Post the log/logs after each run.

After each fix or change we make, let me know how the comp is running.



#22
December 15, 2012 at 16:39:34
RogueKiller report:
RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Princess [Admin rights]
Mode : Scan -- Date : 12/15/2012 16:35:16

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{99DACC2C-9E8D-4D1D-A175-46C3DE2C3E31} : NameServer (216.146.35.240,216.146.36.240,192.168.0.1) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{99DACC2C-9E8D-4D1D-A175-46C3DE2C3E31} : NameServer (216.146.35.240,216.146.36.240,192.168.0.1) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725025A9A364 ATA Device +++++
--- User ---
[MBR] 10173da869a87383f676ae60dacf5dcc
[BSP] a8a9e5b26c0c80cc8a4034c931a021ac : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 225481 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 462194688 | Size: 12793 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12152012_02d1635.txt >>
RKreport[1]_S_12152012_02d1635.txt

The secrets to life are hidden behind the word Cliché.



#23
December 15, 2012 at 16:47:20
"RogueKiller report:"
Still finding remnants.

7: Update Malwarebytes ( MBAM ) & run again.



#24
December 15, 2012 at 18:07:51
Hello again
Malwarebytes found 6 things, removed them, restarted . . .

Ran RogueKiller again, New Report:
RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Princess [Admin rights]
Mode : Remove -- Date : 12/15/2012 18:01:59

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{99DACC2C-9E8D-4D1D-A175-46C3DE2C3E31} : NameServer (216.146.35.240,216.146.36.240,192.168.0.1) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{99DACC2C-9E8D-4D1D-A175-46C3DE2C3E31} : NameServer (216.146.35.240,216.146.36.240,192.168.0.1) -> NOT REMOVED, USE DNSFIX

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725025A9A364 ATA Device +++++
--- User ---
[MBR] 10173da869a87383f676ae60dacf5dcc
[BSP] a8a9e5b26c0c80cc8a4034c931a021ac : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 225481 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 462194688 | Size: 12793 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[7]_D_12152012_02d1801.txt >>
RKreport[1]_S_12152012_02d1635.txt ; RKreport[2]_D_12152012_02d1636.txt ; RKreport[3]_D_12152012_02d1638.txt ; RKreport[4]_S_12152012_02d1643.txt ; RKreport[5]_D_12152012_02d1643.txt ;
RKreport[6]_S_12152012_02d1801.txt ; RKreport[7]_D_12152012_02d1801.txt

The secrets to life are hidden behind the word Cliché.



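The two RogueKiller reports above flag the per-interface NameServer values and, on the Remove run, mark them "NOT REMOVED, USE DNSFIX". The following triage script is an added example, not RogueKiller's or the thread's own code: it parses that report format, separates resolvers that fall outside the private range (or outside an allow-list you supply) from the address a home router would hand out, and lists the entries the tool left for manual follow-up. The sample report embedded in it is constructed in the shape of the posted logs, and the allow-list is an assumption you fill in with resolvers you chose yourself.

```python
"""Triage helper for RogueKiller scan logs (added example, not RogueKiller's code).

Parses the '[CATEGORY] key : name (data) -> status' lines that RogueKiller
prints under 'Registry Entries' and flags the two things worth a second look
in the thread above: per-interface DNS servers outside the expected set, and
entries the tool reported as NOT REMOVED.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample in the shape of the reports posted above; the interface
# GUID and the resolver addresses are the ones shown in those reports.
SAMPLE_REPORT = r"""RogueKiller V8.4.0 [Dec 15 2012] by Tigzy
Mode : Remove -- Date : 12/15/2012 18:01:59

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{99DACC2C-9E8D-4D1D-A175-46C3DE2C3E31} : NameServer (216.146.35.240,216.146.36.240,192.168.0.1) -> NOT REMOVED, USE DNSFIX
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
"""

# One finding line: "[DNS] HKLM\...\{GUID} : NameServer (a,b,c) -> STATUS"
ENTRY_RE = re.compile(
    r"^\[(?P<category>[A-Z][A-Z ]*)\]\s+"  # [DNS], [HJPOL], [HJ DESK], ...
    r"(?P<key>\S+)\s+:\s+"                 # registry key (the tool elides the middle)
    r"(?P<name>\S+)\s+"                    # value name, or a CLSID for [HJ DESK]
    r"\((?P<data>[^)]*)\)\s+->\s+"         # value data in parentheses
    r"(?P<status>\S.*?)\s*$"               # FOUND, NOT REMOVED, USE DNSFIX, ...
)


@dataclass(frozen=True)
class RkEntry:
    category: str
    key: str
    name: str
    data: str
    status: str

    @property
    def needs_manual_action(self) -> bool:
        """True for the 'NOT REMOVED, USE DNSFIX' outcome seen in post #24."""
        return self.status.upper().startswith("NOT REMOVED")


def parse_entries(report: str) -> List[RkEntry]:
    """Return every registry finding in a RogueKiller report, in order."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(RkEntry(**m.groupdict()))
    return entries


def unexpected_dns(entries: Iterable[RkEntry],
                   allowed: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map each [DNS] NameServer key to the resolvers that are neither a
    private-range address (what a home router hands out, e.g. 192.168.0.1)
    nor in the caller's allow-list of deliberately chosen resolvers.
    Assumption: anything else deserves a look, which is why RogueKiller
    flags the value in the first place."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        if e.category != "DNS" or e.name != "NameServer":
            continue
        odd = []
        for raw in (s.strip() for s in e.data.split(",") if s.strip()):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                odd.append(raw)          # not an address at all: always report
                continue
            if not ip.is_private and ip not in allowed_ips:
                odd.append(raw)
        if odd:
            flagged[e.key] = odd
    return flagged


def manual_followups(entries: Iterable[RkEntry]) -> List[RkEntry]:
    """Entries the tool found but did not clean; these need a manual fix."""
    return [e for e in entries if e.needs_manual_action]


if __name__ == "__main__":
    found = parse_entries(SAMPLE_REPORT)
    for key, servers in unexpected_dns(found).items():
        print(f"DNS check {key}: {', '.join(servers)}")
    for e in manual_followups(found):
        print(f"manual follow-up: [{e.category}] {e.name} -> {e.status}")
```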
#25
December 15, 2012 at 18:10:24
In the meantime, I've now got that "PC Fix Speed System Optimizer" bugging me all the time, I somehow accidentally allowed it in when I was getting one of the other things (TDSSKiller)
I went into "Uninstall Programs" and told it to uninstall but it won't go away..
Grrrrrrrrrrreat :-/

The secrets to life are hidden behind the word Cliché.



#26
December 15, 2012 at 18:36:28
Is it "PC Fix Speed System Optimizer" or, PC Power Speed System Optimizer?


#27
December 15, 2012 at 18:38:30
"Malwarebytes found 6 things, removed them, restarted . . .

Ran RogueKiller again, New Report:

Nice work, we are getting there.



#28
December 15, 2012 at 19:03:09
I somehow accidentally allowed it in when I was getting one of the other things (TDSSKiller)

always UNCHECK anything else that wants to be installed when installing a program you need.

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#29
December 15, 2012 at 20:11:59
8: Not going to wait for confirmation. Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.


#30
December 15, 2012 at 20:13:17
XpUser -
thanks. That is normally what I do but these are programs I've never heard of before and I am being told "Click Allow" all over the place

JohnW - Yes "PC Fix Speed System Optimizer"
I stopped it from doing what it was doing but it was already on my computer by then :-(
RE: "let me know how it is behaving"

Honestly I hadn't been doing anything with it besides carrying out all these tasks, so I didn't know. But I just watched a YouTube video, left a comment, played Tetris on Facebook, and brought up my Task Manager (just to see how long it would take to respond). It seems to be doing well :) Not as slow to respond to things as before.

The secrets to life are hidden behind the word Cliché.



#31
December 15, 2012 at 20:44:06
"Not as slow to respond to things as before"
Ok, shall wait for the results of step 8 in post #29.


#32
December 15, 2012 at 20:50:43
Downloaded AdwCleaner, hit "Delete" and it began doing something, but required no further input from me and I got a dialogue box saying "If you are using this tool your PC was probably exposed to malicious content . . " right before it asked me to allow it to Restart. So I did.

Log:
# AdwCleaner v2.007 - Logfile created 12/15/2012 at 20:25:09
# Updated 06/11/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Princess - PRINCESS-PC
# Boot Mode : Normal
# Running from : C:\Users\Princess\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : WajamUpdater

***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Deleted : C:\Program Files (x86)\Wajam
Folder Deleted : C:\Users\Princess\AppData\Local\Wajam
Folder Deleted : C:\Users\Princess\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Wajam
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
Key Deleted : HKLM\Software\Wajam
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wajam
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [2673 octets] - [15/12/2012 20:25:09]

########## EOF - C:\AdwCleaner[S1].txt - [2733 octets] ##########

The secrets to life are hidden behind the word Cliché.



#33
December 15, 2012 at 20:56:24
" right before it asked me to allow it to Restart. So I did"
Do you still have "PC Fix Speed System Optimizer"?


#34
December 15, 2012 at 21:25:34
No sir, it appears to be gone.

Additionally, the last time I ran RogueKiller there were 2 things it said it detected that were "not removed, and to use DNSFIX"
And I just ran it again and now it finds nothing.

So that's good. :)

The secrets to life are hidden behind the word Cliché.



#35
December 15, 2012 at 21:51:24
I'm in Western Australia & friends have just arrived, will get you to do these & get back to you, when I can.

9: Run TFC
http://www.geekstogo.com/forum/file...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

10: Run ESET again.



#36
December 16, 2012 at 02:53:23
"not removed, and to use DNSFIX"
I hadn't picked that up, well done.
Could have done that from within the program.
http://i.imgur.com/EryzL.gif

"And I just ran it again and now it finds nothing"
Good thinking.

"So that's good. :)"
Perfect.

Shall now wait until I hear from you.



#37
December 16, 2012 at 04:36:09
11: Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


#38
December 16, 2012 at 11:05:33
Ok, ran TFC and restarted . . ran ESET again before I fell asleep
It said it found 8 more things and I think it dealt with them but I can't find any trace of the program or the log . . .?

The secrets to life are hidden behind the word Cliché.



#39
December 16, 2012 at 11:14:21
Downloaded the Security check, ran it.. Here is the log:

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Windows Firewall Disabled!
Norton Internet Security
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Malwarebytes Anti-Malware version 1.65.1.1000
Java(TM) 6 Update 32
[color=red][b]Java version out of Date![/b][/color]
Adobe Reader 9 [color=red][b]Adobe Reader out of Date![/b][/color]
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 0%
[b][u]````````````````````End of Log``````````````````````[/b][/u]

The secrets to life are hidden behind the word Cliché.



#40
December 16, 2012 at 11:38:59
I must admit Miss Elizabeth....you certainly have a lot of patience! Good luck with this problem...did you approach Geek Squad like I mentioned in response #2 ?

They should stand behind their mess they left you....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#41
December 16, 2012 at 11:48:06
XpUser -
I am reluctant to take it back to them because (paranoid as this may sound) I believe they intentionally put something on this computer.
I never told you guys - the reason I took it to them wasn't even a software / virus problem ; it was just because the FAN stopped working and obviously if that doesn't run the computer overheats and shuts off..

That's why I mentioned the first thing I suspected was a keystroke recorder program.. but sometimes whatever it was I was doing would be slow (which is why I looked down at my Wireless Network Connections and noticed "receiving" down there in the first place).

I think they maybe do this to a lot of people who bring their computers in.. they monitor what they do / where they go on the net, what they Search for .. and then send that info to some kinda marketing / research companies.

I was literally FLOORED when I went to do a System Restore (I personally created a Restore Point in the summer of 2010) and found that my restore points had been cleared, and the earliest I could go back to was Oct 25th of 2012. . o.O

The secrets to life are hidden behind the word Cliché.



#42
December 16, 2012 at 12:13:54
I really don't think that Geek Squad (even though they are WAY overpriced and at most times inexperienced) would install a keylogger onto your PC...that is against the law and they could lose a lot on that.

I think they maybe do this to a lot of people who bring their computers in.. they monitor what they do / where they go on the net, what they Search for .. and then send that info to some kinda marketing / research companies.
They wouldn't do that...they would have too much to lose...

If Geek Squad only replaced the fan...that tells me that you had prior malware problems on your PC.

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#43
December 16, 2012 at 13:02:35
"It said it found 8 more things and I think it dealt with them but I can't find any trace of the program or the log . . .?"
Ok, uninstall Combofix & download the latest version, they virtually have a new version every day.
Uninstall ComboFix.
Start > Run, Copy and Paste > ComboFix /uninstall and click OK.
Qoobox is a folder created by Combofix to quarantine any infected files.
Double check no Combofix files remain, I use this for searching, I have it open all the time.
UltraSearch
http://www.softpedia.com/get/File-m...
http://www.softpedia.com/progScreen...
http://www.jam-software.com/ultrase...

12: Run the new version of Combofix.



#44
December 16, 2012 at 14:55:31
Ok you lost me right there.
Start > Run, Copy & Paste > Combofix /uninstall

I'm afraid I am unsure how to carry out that action...

The secrets to life are hidden behind the word Cliché.



#45
December 16, 2012 at 15:22:29
"I'm afraid I am unsure how to carry out that action..."

Depending how you have your W7 setup, when you hit the Start button, you will see the Search box or both the Search box & Run to the right, under > Help and Support.

Let's deal with the Search box only & type in run & hit > Enter.

How to uninstall combofix
http://www.bleepingcomputer.com/com...



#46
December 16, 2012 at 16:32:13
Ok I successfully uninstalled ComboFix.
Downloaded UltraSearch. Typed in "Qoobox" it finds nothing, typed in "combofix" it finds 4 remaining files.. deleted them.
Going to restart then reinstall . . .

The secrets to life are hidden behind the word Cliché.



#47
December 16, 2012 at 17:13:48
Now that I have re-downloaded & run ComboFix, when I come back to this page I get a "Security Alert" pop-up notifying me that "you are about to view pages over a secure connection". It never bothered to tell me that before.. furthermore; I thought only pages with "https:" were a secure connection ?

Anyways, here is the latest log:
ComboFix 12-12-14.01 - Princess 12/16/2012 16:50:48.2.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1979.1152 [GMT -8:00]
Running from: c:\users\Princess\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
.
.
2012-12-17 00:58 . 2012-12-17 00:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-17 00:58 . 2012-12-17 00:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-12-17 00:58 . 2012-12-17 00:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-14 14:19 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{959AC148-F323-4E68-AB61-D59F0C4C2D9B}\mpengine.dll
2012-12-13 16:44 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-12-13 16:44 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-13 11:07 . 2012-11-14 05:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-13 09:04 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-13 09:04 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-12-13 08:30 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-13 08:30 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-13 08:30 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-13 08:30 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-12 22:41 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-11-18 11:36 . 2012-11-18 11:36 -------- d-----w- c:\program files (x86)\QuickTime
2012-11-18 11:35 . 2012-08-21 21:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-11-18 11:34 . 2012-11-18 11:34 -------- d-----w- c:\program files\iPod
2012-11-18 11:34 . 2012-11-18 11:35 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-11-18 11:34 . 2012-11-18 11:35 -------- d-----w- c:\program files\iTunes
2012-11-18 11:30 . 2012-11-18 11:30 -------- d-----w- c:\program files\Bonjour
2012-11-18 11:30 . 2012-11-18 11:30 -------- d-----w- c:\program files (x86)\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-13 11:16 . 2010-05-08 21:26 67413224 ----a-w- c:\windows\system32\MRT.exe
2012-11-20 04:23 . 2012-05-08 21:07 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-20 04:23 . 2011-11-19 22:52 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 11:12 . 2012-10-25 11:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 11:12 . 2012-10-25 11:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-10-16 08:38 . 2012-11-27 19:32 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-11-27 19:32 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-11-27 19:32 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-09 18:17 . 2012-11-14 06:42 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-10-09 18:17 . 2012-11-14 06:42 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-10-09 17:40 . 2012-11-14 06:42 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40 . 2012-11-14 06:42 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2012-10-04 16:40 . 2012-12-13 12:20 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-10-03 17:56 . 2012-11-14 06:42 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-10-03 17:44 . 2012-11-14 06:42 303104 ----a-w- c:\windows\system32\nlasvc.dll
2012-10-03 17:44 . 2012-11-14 06:42 70656 ----a-w- c:\windows\system32\nlaapi.dll
2012-10-03 17:44 . 2012-11-14 06:42 246272 ----a-w- c:\windows\system32\netcorehc.dll
2012-10-03 17:44 . 2012-11-14 06:42 18944 ----a-w- c:\windows\system32\netevent.dll
2012-10-03 17:44 . 2012-11-14 06:42 216576 ----a-w- c:\windows\system32\ncsi.dll
2012-10-03 17:42 . 2012-11-14 06:42 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-10-03 16:42 . 2012-11-14 06:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll
2012-10-03 16:42 . 2012-11-14 06:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
2012-10-03 16:42 . 2012-11-14 06:42 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
2012-10-03 16:07 . 2012-11-14 06:42 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-09-25 22:47 . 2012-11-14 06:43 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-09-25 22:46 . 2012-11-14 06:43 95744 ----a-w- c:\windows\system32\synceng.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The secrets to life are hidden behind the word Cliché.


Report •

#48
December 16, 2012 at 17:14:54
Now that I have re-downloaded and run ComboFix, whenever I visit this page I get a Security Alert popup telling me "you are viewing pages over a secure connection". OK, it never bothered to tell me that before. Furthermore, I thought only websites with "https:" were 'secure'?

Anyway, here is the latest log:
ComboFix 12-12-14.01 - Princess 12/16/2012 16:50:48.2.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1979.1152 [GMT -8:00]
Running from: c:\users\Princess\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-11-17 to 2012-12-17 )))))))))))))))))))))))))))))))
.
.
2012-12-17 00:58 . 2012-12-17 00:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-17 00:58 . 2012-12-17 00:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-12-17 00:58 . 2012-12-17 00:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-14 14:19 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{959AC148-F323-4E68-AB61-D59F0C4C2D9B}\mpengine.dll
2012-12-13 16:44 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-12-13 16:44 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-13 11:07 . 2012-11-14 05:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-13 09:04 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-13 09:04 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-12-13 08:30 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-13 08:30 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-13 08:30 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-13 08:30 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-12 22:41 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-11-18 11:36 . 2012-11-18 11:36 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-11-18 11:36 . 2012-11-18 11:36 -------- d-----w- c:\program files (x86)\QuickTime
2012-11-18 11:35 . 2012-08-21 21:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-11-18 11:34 . 2012-11-18 11:34 -------- d-----w- c:\program files\iPod
2012-11-18 11:34 . 2012-11-18 11:35 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-11-18 11:34 . 2012-11-18 11:35 -------- d-----w- c:\program files\iTunes
2012-11-18 11:30 . 2012-11-18 11:30 -------- d-----w- c:\program files\Bonjour
2012-11-18 11:30 . 2012-11-18 11:30 -------- d-----w- c:\program files (x86)\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-13 11:16 . 2010-05-08 21:26 67413224 ----a-w- c:\windows\system32\MRT.exe
2012-11-20 04:23 . 2012-05-08 21:07 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-20 04:23 . 2011-11-19 22:52 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-25 11:12 . 2012-10-25 11:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 11:12 . 2012-10-25 11:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-10-16 08:38 . 2012-11-27 19:32 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-11-27 19:32 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-11-27 19:32 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-09 18:17 . 2012-11-14 06:42 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-10-09 18:17 . 2012-11-14 06:42 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-10-09 17:40 . 2012-11-14 06:42 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40 . 2012-11-14 06:42 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
2012-10-04 16:40 . 2012-12-13 12:20 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-10-03 17:56 . 2012-11-14 06:42 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-10-03 17:44 . 2012-11-14 06:42 303104 ----a-w- c:\windows\system32\nlasvc.dll
2012-10-03 17:44 . 2012-11-14 06:42 70656 ----a-w- c:\windows\system32\nlaapi.dll
2012-10-03 17:44 . 2012-11-14 06:42 246272 ----a-w- c:\windows\system32\netcorehc.dll
2012-10-03 17:44 . 2012-11-14 06:42 18944 ----a-w- c:\windows\system32\netevent.dll
2012-10-03 17:44 . 2012-11-14 06:42 216576 ----a-w- c:\windows\system32\ncsi.dll
2012-10-03 17:42 . 2012-11-14 06:42 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-10-03 16:42 . 2012-11-14 06:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll
2012-10-03 16:42 . 2012-11-14 06:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
2012-10-03 16:42 . 2012-11-14 06:42 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
2012-10-03 16:07 . 2012-11-14 06:42 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-09-25 22:47 . 2012-11-14 06:43 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2012-09-25 22:46 . 2012-11-14 06:43 95744 ----a-w- c:\windows\system32\synceng.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-06-05 216064]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-16 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
R4 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
R4 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe [2012-06-16 138272]
R4 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1308000.00E\SYMDS64.SYS [2011-08-16 451192]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1308000.00E\SYMEFA64.SYS [2012-05-22 1129120]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [2012-04-02 1160824]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1308000.00E\ccSetx64.sys [2012-06-07 167072]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\IPSDefs\20120613.007\IDSvia64.sys [2012-06-14 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1308000.00E\Ironx64.SYS [2012-04-18 190072]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1308000.00E\SYMNETS.SYS [2012-04-18 405624]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-02-13 292864]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-06-05 138912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-23 215040]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-25 c:\windows\Tasks\HPCeeScheduleForPrincess.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 12:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2009-07-14 495104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-43448670.sys
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Lexmark 730 Series - c:\program files (x86) (x86)\Lexmark 730 Series\Install\x64\Uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.8.0.14\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{1E61ED7C-7CB8-49D6-B9E9-AB4C880C8414}"=hex:51,66,7a,6c,4c,1d,38,12,12,ee,72,
1a,8a,32,b8,0c,c6,ff,e8,0c,8d,52,c0,00
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:38,c9,76,ef,64,b2,cd,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_110_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_110.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-16 17:01:22
ComboFix-quarantined-files.txt 2012-12-17 01:01
.
Pre-Run: 186,636,967,936 bytes free
Post-Run: 186,571,673,600 bytes free
.
- - End Of File - - 48AF70D5B07C7E3E77C4C45C404224B2


Report •

#49
December 16, 2012 at 17:19:54
"Anyways, here is the latest log"
Thanks, more problems fixed.

What time zone are you please?

"It said it found 8 more things and I think it dealt with them but I can't find any trace of the program or the log . . .?"
Make sure this is done. Control Panel > Folder Options or My Computer or Windows Explorer > Tools > Folder Options,
tick/check > Show hidden files and folders.

Did you look here, as per my post #1
The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.
Or,
Copy & paste this >EsetOnlineScanner< into UltraSearch.


Report •

#50
December 16, 2012 at 17:22:47
John - in Post #10 when you referenced me saying "it isn't letting me reply"
I was talking about this site. I will sign in with my username and type a response, then when I hit "Submit Follow Up" it continuously tells me that I need to Create an Account (which I already did!) or connect via Facebook.

It finally started letting me when I did the Facebook sign-in.

It was doing that again just now, that's why there are multiples of the same response ↑

The secrets to life are hidden behind the word Cliché.


Report •

#51
December 16, 2012 at 17:33:56
""it isn't letting me reply""
No idea what is going on there MissElizabeth, will have to deal with that once I know you are clean. At the moment I'm trying to remember all you are telling me & stay focused on the malware issues, maybe by the time we are finished, it will have resolved itself.

Report •

#52
December 16, 2012 at 17:39:15
What time zone are you please?
I am in California, USA - so Pacific Time ? ( -8 hours)

"It said it found 8 more things and I think it dealt with them but I can't find any trace of the program or the log . . .?"
Make sure this is done. Control Panel > Folder Options or My Computer or Windows Explorer > Tools > Folder Options,
tick/check > Show hidden files and folders.

Ok, did that.

Did you look here, as per my post #1
The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt".

That was the first place I looked. When I open C > Program Files, Eset is not in there.

You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.
Or,
Copy & paste this >EsetOnlineScanner< into UltraSearch.

Ok I have to leave for a few hours, I will get back to this when I come back.
ttys!

The secrets to life are hidden behind the word Cliché.


Report •

#53
December 16, 2012 at 17:50:08
"Ok I have to leave for a few hours, I will get back to this when I come back.
ttys!"

Thanks for letting me know, I shall carry on finishing some jobs outside.

If you don't find the ESET log, run ESET again please.



#54
December 17, 2012 at 00:52:14
Hello again
I copied + pasted "EsetOnlineScanner" into UltraSearch, no results found

Running the scan again..
(site recognized my computer or vice-versa, because it tells me only the updates necessary will be downloaded)
Anyway it takes almost 3 hours so I'll be back . ;)

The secrets to life are hidden behind the word Cliché.



#55
December 17, 2012 at 02:12:51
"(site recognized my computer or vice-versa, because it tells me only the updates necessary will be downloaded)"
Perfect.
"Anyway it takes almost 3 hours so I'll be back . ;)"
Thought you would be in bed.
http://www.timeanddate.com/worldclo...
I will go to bed in about 3 hours.
http://www.timeanddate.com/worldclo...


#56
December 17, 2012 at 06:17:14
I keep weird hours ;)

Ok so it ran again, I was right here to witness its completion, it found Zero threats this time. But it still did not create a log in the place where it's supposed to be. I checked with UltraSearch too.

Soon I may just light it on fire...

The secrets to life are hidden behind the word Cliché.



#57
December 17, 2012 at 12:41:28
I'm up early, dawn is just breaking on this beautiful Tuesday morning.
With a bit of luck, we can nail the rest of your problems today.

Being involved in removing malware from infected computers, it is very clear that no matter what brand of antivirus ( AV ) is used, they all can get infected if the user is conned.
Malware Prevention
http://www.malwarevault.com/index.html
"There is no magic involved. The majority of malware is installed by the user themselves"

No need to buy an AV, I personally use MSE ( It's free ) I would now like you to uninstall Norton.

13: Use the Norton Removal Tool to remove a failed installation or a damaged Norton product.
http://www.softpedia.com/get/Tweak/...
http://us.norton.com/support/kb/web...

14: Install Microsoft Security Essentials ( MSE )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.techsupportalert.com/bes...
http://www.cnet.com.au/microsoft-se...
http://windows.microsoft.com/en-US/...
Can Microsoft Security Essentials ( MSE ) protect me from online banking and shopping?
http://answers.microsoft.com/en-us/...



#58
December 17, 2012 at 12:53:56
If you are online now, just a quick response, to let me know please.

After installing MSE, run a Quick scan.

A lot of programs, now give you the choice to install toolbars & other during the install. Either uncheck these items during install, or use Custom.

15: Run SUPERAntiSpyware
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.superantispyware.com/ind...



#59
December 17, 2012 at 13:51:28
16: SUPERAntiSpyware will find a lot of tracking cookies. If you want to block the tracking cookies, I use Ghostery for the occasional times I use IE. When it wants to update, it asks you to close the browser & then click Ok. Then it reopens IE.
http://www.ghostery.com/download-ie

17: Run Hitman Pro
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.surfright.nl/en/HitmanPro
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (64-bit)
http://dl.surfright.nl/HitmanPro35_...



#60
December 17, 2012 at 13:58:08
Good day to you ! I am awake / online now. Getting started on removing Norton.
I always wondered, if you remove it - what happens to the things it's Quarantined ? do you happen to know ?

The secrets to life are hidden behind the word Cliché.



#61
December 17, 2012 at 14:01:14
"what happens to the things it's Quarantined"
Hi, the Norton tool will take care of that.


#62
December 17, 2012 at 14:09:27
Ok I ran the Norton Removal Tool. Out of curiosity I typed in "Norton" in the UltraSearch and a whole slew of results came up. (mostly logos, .jpegs, .pngs) Does that matter?

Also, when downloading Microsoft Security Essentials, how do I know if I need the 32-bit or 64-bit ? I've seen settings on my computer for both . .

The secrets to life are hidden behind the word Cliché.



#63
December 17, 2012 at 14:12:29
" (mostly logos, .jpegs, .pngs) Does that matter?"
You are getting into the swing of things, not at this stage.

Your logs show you are 64-bit.



#64
December 17, 2012 at 14:42:59
Ok Quick Scan completed, found no threats.

Onto the SuperAntiSpyware now . .

The secrets to life are hidden behind the word Cliché.



#65
December 17, 2012 at 16:01:27
SuperAntiSpyware scan completed, tracking cookies removed

Onto Hitman Pro . .

The secrets to life are hidden behind the word Cliché.



#66
December 17, 2012 at 16:12:38
Hitman Pro scan complete. It found a bunch of things associated with Google Chrome (which I only used temporarily and didn't like, because it wasn't compatible with my auto-insurance website)

Log:
[code]
HitmanPro 3.7.0.182
www.hitmanpro.com

Computer name . . . . : PRINCESS-PC
Windows . . . . . . . : 6.1.1.7601.X64/1
User name . . . . . . : Princess-PC\Princess
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2012-12-17 16:05:45
Scan mode . . . . . . : Normal
Scan duration . . . . : 3m 29s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 18

Objects scanned . . . : 1,373,183
Files scanned . . . . : 14,406
Remnants scanned . . : 377,385 files / 981,392 keys

Potential Unwanted Programs _________________________________________________

HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL\ (Claro)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\priam_bho.DLL\ (Claro)
HKLM\SYSTEM\ControlSet001\services\eventlog\Application\WajamUpdater\ (Claro)
HKLM\SYSTEM\ControlSet002\services\eventlog\Application\WajamUpdater\ (Claro)
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\WajamUpdater\ (Claro)

Cookies _____________________________________________________________________

C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.turn.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.wsod.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.adengage.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.associatedcontent.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.comicbookresources.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.fatvine.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.filmlush.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.mail.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pubmatic.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.roiserver.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.thesmokinggun.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.townhall.com
C:\Users\Princess\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.undertone.com


[/code]

The secrets to life are hidden behind the word Cliché.



#67
December 17, 2012 at 16:17:59
"It found a bunch of things associated with Google Chrome"
Beautiful.

18: Run Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked ) Reboot when finished.
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/download...

19: Run Wise Registry Cleaner ( Only use Registry Cleaner & with default settings ) Reboot when finished.
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/wiseregi...



#68
December 17, 2012 at 16:45:22
20: Run AdwCleaner again

21: Run UnHackMe ( 30 days evaluation period )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.greatis.com/unhackme/ind...

22: Run Hitman Pro again.



#69
December 17, 2012 at 16:48:52
Later Miss Elizabeth....Merry Christmas and Happy Holidays to you and your family!

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#70
December 17, 2012 at 17:00:03
✓ wise disk cleaner
✓ wise registry cleaner

The secrets to life are hidden behind the word Cliché.



#71
December 17, 2012 at 17:04:30
"✓ wise disk cleaner
✓ wise registry cleaner"
Good.
I use those & others, every day on all comps I work on.

I will be going out soon as we get the results of my post #68



#72
December 17, 2012 at 17:07:53
I clicked on AdwCleaner, and hit the "Delete" button like you told me last time
And again, it required no further input from me.. asked to reboot my computer so I allowed it to, and when it came back on it said Registry Clean.

The secrets to life are hidden behind the word Cliché.



#73
December 17, 2012 at 17:15:30
I downloaded and Unzipped "UnHack Me", do you have a tutorial you could refer me to because there are options all over the place, in different windows.. (greek to me)

The secrets to life are hidden behind the word Cliché.



#74
December 17, 2012 at 17:20:07
Most of the stuff I am getting you, is by googling. See if you can find something you understand.

unhackme tutorial
http://is.gd/UQPaTb



#75
December 17, 2012 at 17:25:58
The "Check Me Now" button finishes pretty quickly and says there are no malware found. But then all this other stuff pops up saying I can:
• Scan for Malware
• Clean / Protect / Backup
-If I choose Scan for Malware, I have 4 more options:
•Send Report
•Scan Windows Startup
•Online MultiAntivirus Scan
•Reveal hidden or infected files
-If I "X" out of that screen another thing pops up "Reg Run Assistant" asking if I want to scan for viruses.

If I "x" out of that, RegRunReanimator pops up with tons of tabs / buttons / options

The secrets to life are hidden behind the word Cliché.



#76
December 17, 2012 at 17:27:28
"Most of the stuff I am getting you, is by googling. See if you can find something you understand."

I see. Mmkay trial & error then, eh ? Have a good time Out !

The secrets to life are hidden behind the word Cliché.



#77
December 17, 2012 at 17:31:55
I'm still here, just downloaded UnHackMe to have a look.


#78
December 17, 2012 at 17:43:28
UnHackMe has a Help file.

1: Click on > Check Me Now!
If nothing found, you get a 2nd window.

2: Click on > Scan for Malware.

3: "If I choose Scan for Malware, I have 4 more options"
Do the last 3 options.



#79
December 17, 2012 at 17:45:32
Did both of those. It found one questionable thing pertaining to Microsoft Excel
(which oddly enough, when you told me to run "Unhide" it revealed 2 things on my desktop, both claiming to be Microsoft excel documents. I deleted them)

The secrets to life are hidden behind the word Cliché.



#80
December 17, 2012 at 17:49:37
Note I just edited, forgot to add 3:


#81
December 17, 2012 at 17:56:31
3: "If I choose Scan for Malware, I have 4 more options"
Do the last 3 options.

I can do 2 out of those 3. (Scan Windows Startup, Online Virus Scan)
That's when it found the Excel thing, which I told it to remove.

The last (4th) option requires a RegRunWarrior CD

The secrets to life are hidden behind the word Cliché.



#82
December 17, 2012 at 18:05:07
"The last (4th)option requires a RegRunWarrior CD"
Ok, move on.

22: Run Hitman Pro again.



#83
December 17, 2012 at 18:21:38
Ran Hitman Pro again. It found 0 threat but "5 traces" - 3 of which were "wajam updaters" which I have noticed a few times being removed by these tools we're using, so I told it to delete them.
Restarted.

The secrets to life are hidden behind the word Cliché.



#84
December 17, 2012 at 18:30:17
Going out now, here is stuff to do whilst I'm out.

"3 of which were "wajam updaters" which I have noticed a few times being removed by these tools we're using, so I told it to delete them.
Restarted"
Good.

What I wanted to do was see if any of the stuff from your post #66 was still there.

23: Run CCleaner ( This is a slim version that doesn't install the Yahoo toolbar )
http://www.freewarefiles.com/CClean...
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.piriform.com/ccleaner/bu...
Open CCleaner, 4 boxes on the left, click on > Cleaner, the 1st Tab is Windows > Uncheck all.
2nd Tab is Applications, uncheck everything except in the Google Chrome section, in that section, Check everything.
Now click > Run Cleaner.

24: "Downloaded the Security check, ran it.. Here is the log:"
Thanks, to get your comp secure, you now need to update the following.
Your Java version is out of Date.
Your Adobe Reader is out of Date!
I use a FREE PDF program, let me know if you want to get rid of Adobe & I will give you the tool to remove it fully, it is huge & gets into every corner of your comp.

25: Reduce your Java Cache ( I set mine to 100mb )
http://steveshank.com/cgi-bin/artic...
Dumping Java cache improves browser performance
http://windowssecrets.com/2009/11/1...

"I was right here to witness it's completion"
Best way.
"But it still did not create a log in the place where it's supposed to be. I checked with UltraSearch too
Soon I may just light it on fire..."
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...
Sorry to put you through that, part of leaving no stone unturned, had to be sure. You were so badly infected, it was touch & go, if we could remove everything.

"(I personally created a Restore Point in the summer of 2010)"
I do not rely on System Restore too much, I set mine to Minimum.
Once a computer is infected, so are the restore points & it is too hard to find a clean point. Every day a new point is made & I doubt if it would save points up to 2010, even if the saving is set to maximum. You would also use a huge amount of HDD space.
How long are restore points saved?
http://windows.microsoft.com/en-AU/...
What is system protection?
http://windows.microsoft.com/en-AU/...
Restore points are saved until the disk space System Restore reserves is filled up. As new restore points are created, old ones are deleted. If you turn off system protection (the feature that creates restore points) on a disk, all restore points are deleted from that disk. When you turn system protection back on, new restore points are created. For more information about system protection, see What is system protection?

26: Now your comp is clean, we need to clear all the infected restore points. Turning System Restore OFF & then ON will remove them.
http://www.recipester.org/Recipe:Di...

27: Uninstall Combofix.

"Text Delay, Comp unresponsive at times. Weird W-N-C appears"
How are your issues?

"how do I know if I need the 32-bit or 64-bit ? I've seen settings on my computer for both"
How to View the Basic Information of Your Computer in Windows 7
http://www.windows7teacher.com/perf...
http://www.yoingco.com/how_to_view_...
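Step 26 above (turn System Restore OFF, then ON, to drop the infected restore points) can be done from an elevated Windows PowerShell prompt on Windows 7 with the built-in restore cmdlets. The script below is an added example, not something posted in this thread or shipped by any of the tools named in it; the drive letter C:\ is an assumption. It lists the existing points, flushes them, and then creates one fresh point so there is a known-clean state to roll back to.

```powershell
# Added example (not from the thread): flush System Restore points on Windows 7
# the way step 26 describes (protection OFF, then ON), then record one clean point.
# Run from an elevated Windows PowerShell prompt. The drive letter is an assumption.
$Drive = "C:\"

# Show what exists first: these are the points that were created while infected.
Write-Host "Restore points before:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description,
    @{Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) }} -AutoSize

# Turning protection off deletes every restore point on the drive ...
Disable-ComputerRestore -Drive $Drive
# ... and turning it back on starts with an empty set.
Enable-ComputerRestore -Drive $Drive

# Create a known-clean point straight away, so a later rollback lands here
# rather than on a point made while the machine was still infected.
Checkpoint-Computer -Description "Clean after malware removal $(Get-Date -Format s)" `
    -RestorePointType "MODIFY_SETTINGS"

Write-Host "Restore points after:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description -AutoSize
```

Only do this once the machine is behaving, as post #93 says: the whole point of the fresh checkpoint is that it captures a state worth returning to.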



#85
December 17, 2012 at 18:33:30
Here are the other 2 things it found but I wasn't sure what to do with .. (not sure if that extension means Apple ID ?)

priam_bho.DLL\
HKLM\SOFTWARE\Classes\AppID

priam_bho.DLL\
HKLM\SOFTWARE\Classes\Wow6432Node\AppID

The secrets to life are hidden behind the word Cliché.



#86
December 17, 2012 at 18:46:42
"What I wanted to do was see if any of the stuff from your post #66 was still there."

Actually, yes, those are the 5 things it found in post #66 !

Going to get started on 23.

Re: 24. I noticed it said Adobe was out-of-date that day and I updated it.
Also, Java used to notify me from time to time, that it needed to update, and it hasn't done so in quite a while, I will try to get it to do so this evening, along with 25,26,27.

The secrets to life are hidden behind the word Cliché.



#87
December 17, 2012 at 22:16:48
27: Delete AdwCleaner, download the latest version & Run again. Reboot

The reason we ran UnHackMe is because when I googled wajamupdater, it came up often as the best tool to use.

"(not sure if that extension means Apple ID ?)"
Not Apple, it's App, short for Application.

28: Copy & Paste WAJAM into UltraSearch, right click anything it finds & Delete.

29: Use this version RegSeeker to find & delete the registry entries below, if they are still there.
http://www.load.to/wRLdJMMaH5/RegSe...
My screenshots show what to do with the 1st of the registry entries below. Repeat the process for each entry.
In other words, delete the EXACT match.
http://i.imgur.com/rtx7W.gif
http://i.imgur.com/CfJPe.gif
Upload screenshots as per my post #7, if you are not sure you have got the right entry.
Use Snipping Tool to capture screen shots in windows 7
http://www.windows7home.net/use-sni...
HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL\ (Claro)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\priam_bho.DLL\ (Claro)
HKLM\SYSTEM\ControlSet001\services\eventlog\Application\WajamUpdater\ (Claro)
HKLM\SYSTEM\ControlSet002\services\eventlog\Application\WajamUpdater\ (Claro)
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\WajamUpdater\ (Claro)
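The five registry keys listed in step 29 can also be checked (and, if still present, removed) from an elevated Windows PowerShell prompt instead of RegSeeker. The script below is an added example, not part of this thread or of any tool it names; it only touches the exact paths from the Hitman Pro log, shows what each key contains before anything is deleted, and deletes nothing unless run with the assumed `-Remove` switch.

```powershell
# Added example (not from the thread): audit the leftover Claro/Wajam registry keys
# listed in step 29 and optionally remove them. Exact matches only, as the post says;
# anything not on the list is left alone. Run from an elevated Windows PowerShell.
# The -Remove switch is this script's own (assumed) parameter.
param([switch]$Remove)

# The five keys from the Hitman Pro log, written as PowerShell registry paths.
$Keys = @(
    "HKLM:\SOFTWARE\Classes\AppID\priam_bho.DLL",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\AppID\priam_bho.DLL",
    "HKLM:\SYSTEM\ControlSet001\services\eventlog\Application\WajamUpdater",
    "HKLM:\SYSTEM\ControlSet002\services\eventlog\Application\WajamUpdater",
    "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Application\WajamUpdater"
)

foreach ($Key in $Keys) {
    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Host "absent : $Key"
        continue
    }

    # Show the values under the key so it can be identified before it is touched.
    Write-Host "PRESENT: $Key"
    Get-ItemProperty -LiteralPath $Key | Format-List *

    if ($Remove) {
        # Add -WhatIf here to rehearse the deletion without changing anything.
        Remove-Item -LiteralPath $Key -Recurse -Force
        Write-Host "removed: $Key"
    }
}
```

Run it without the switch first to see which of the five are still there; rerun with `-Remove` only for an exact match, which is the same rule the screenshots in step 29 illustrate.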



#88
December 17, 2012 at 23:15:35
Once I update Java, I remembered that recently when I was in the Windows Update folder, it told me there were problems that needed to be reported (in order to try to find solutions) and when I gave it permission to, it told me "problems not reported, try again later" or something to that effect. It was like I was being blocked from even trying. So this evening I went into that folder and there were quite a few Security Updates available, my friend.
I attempted to install them, and all hell broke loose.
That "receiving" connection appeared in the Wireless Network Connections, and suddenly my WLAN informs me that it has been disabled, and I watched the connection light on my laptop go from Blue - to Red. So I pushed it twice, it did come back on, (Blue) but then the system became unstable, It was flashing (going to black screen and then back) and then everything was BIG, like when you're in Windows Safe Mode. I just didn't touch anything this entire time and it went back to normal after about 10 seconds. Then Windows Updates tells me all the updates failed. :-/

So I restarted, just because, and then only selected a few of the updates at a time, and proceeded to wait and wait while they downloaded and installed. During this time I kept checking the Wireless Network Connections, and at one point "receiving" was back AND a new one, "ogp" appeared, but just for a moment. Neither are there now and I am going to TRY to go about the rest of your directions.
Just keeping you informed on its *behavior*.

The secrets to life are hidden behind the word Cliché.



#89
December 17, 2012 at 23:18:13
"Just keeping you informed on its *behavior*"
Thank you.


#90
December 17, 2012 at 23:41:46
Status Check:
• Where are we with 23. CCleaner? (Do I need to do anything else with it?)
24. Done. Java & Adobe are updated.
25. Done. I deleted temporary files like the site said, and moved the capacity down to 100.
Before I move on to 26 Turn System Restore Off/On, have you established ; is priam_bho something harmful ? because HitmanPro will let me deal with it right there.
Also, there are no more traces of "wajam", I re-ran Hitman & checked UltraSearch.
- - -
Nevermind, I just Google'd Priam & found out it's connected to Wajam.
Hitman Pro let me delete it and asked me to restart. We're good there.

The secrets to life are hidden behind the word Cliché.



#91
December 18, 2012 at 00:23:12
"I attempted to install them, and all hell broke loose"
I wouldn't use any of those files, after all the problems you have had & what just happened, I would say they are corrupted ( not infected )

Did you put a stronger password in, as per my post #7?

"Where are we with 23. CCleaner? (Do I need to do anything else with it?)"
No, if you cleaned out all of Google Chrome, that's it for now. I have it installed all the time.



#92
December 18, 2012 at 00:37:06
I wouldn't use any of those files, after all the problems you have had & what just happened, I would say they are corrupted ( not infected )
These were Control Panel > System & Security > Windows Updates. Some are marked optional, others Important / Security. Anyway it's too late now I already installed them and restarted.

Did you put a stronger password in, as per my post #7?
I do not use a password to get on the internet. My landlord (lives on the same property as me) created a Guest Account (dlink_guest)for me on the Wireless network when I moved in. It is open, does not require a password.

Re: Google Chrome, I only used it for a couple days, over a year ago. Any traces of it that are showing up in these scans are just little pieces that didn't uninstall.

Should I still go ahead with the System Restore Off / On ?

The secrets to life are hidden behind the word Cliché.



#93
December 18, 2012 at 00:45:58
"Anyway it's too late now I already installed them and restarted"
That's fine, I thought they wouldn't install.

"I do not use a password to get on the internet"
Ignore this if it doesn't apply, but I am talking about a stronger password in the router.

"Should I still go ahead with the System Restore Off / On ?"
If you are happy with the stability of the comp. Yes.



#94
December 18, 2012 at 01:46:55
Ok, then I guess I will wait a day or two to see how it's running when I'm going about doing my usual things..

I meant to address this earlier:
"Sorry to put you through that, part of leaving no stone unturned, had to be sure. You were so badly infected, it was touch & go, if we could remove everything."

Are you kidding? No need to apologize to me, you have been really helpful and nice!
It's a pity we couldn't voice conference while doing some of this stuff, I bet you have a really cool accent :-D

Thanks for all your help John from Australia !

The secrets to life are hidden behind the word Cliché.



#95
December 18, 2012 at 02:07:48
"I meant to address this earlier"
A few things I meant to address as well, but trying to keep my head clear & stay ahead of you, by visualizing what was happening & then documenting what I thought would be the best next move, kept me very busy.

"I bet you have a really cool accent :-D"
That made me really laugh, because it reminded me of our holiday in Europe last year. I was doing some business in Frome - UK, dealing with a female, when 2 other female staff joined us. I looked at them wondering what was going on, when they said, excuse us, we just love listening to your Australian accent.

Well, all the best & fingers crossed, looks like we nailed it today.



#96
December 18, 2012 at 02:18:00
What is your opinion on the whole PC -vs- MAC ?
they say MACs have way less (if any) trouble at all with viruses and such . . .

The secrets to life are hidden behind the word Cliché.



#97
December 18, 2012 at 02:37:26
I use PC myself, because I can't justify the cost difference.

Macs are coming more & more under attack.

I have a heap of spare HDDs on which I have different Linux versions installed, they are called distros. You can also run Linux direct from a thumb drive or CD.
They also have very few attacks.

I will be sticking to PC for a while, I only upgrade when a motherboard or CPU blows, this comp is about 6 years old, never had a virus.



#98
December 24, 2012 at 10:24:41
Merry Christmas John ! :)

The secrets to life are hidden behind the word Cliché.



#99
December 24, 2012 at 22:26:47
Merry Christmas John...


#100
December 27, 2012 at 03:49:13
MissElizabeth & SAI,F thank you & a belated Merry Xmas to both of you.

Had a comp I was fixing for a very depressed person, just got it finished before travelling 430 km to the family Xmas.

Back home now, 2 comps waiting to be fixed.
Neither of them urgent, so they will probably take about a week.

Happy New Year folks.


