Ransom Virus removed but can't boot up
<blockquote data-quote="SoDawg81" data-source="post: 98497" data-attributes="member: 4630"><p>I ran the OTL fix and I ran combofix. A couple of notes. Combofix ran for a very long time; when I came back, the screen was on the log screen below.</p><p></p><p>I manually rebooted just to make sure and I will note that Spybot S&D came up with warnings that files had been changed. I told it to accept changes.</p><p></p><p>Here is the log file:</p><p>ComboFix 13-01-17.04 - Greg Henning 01/19/2013 21:45:03.1.4 - x64</p><p>Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4009.1961 [GMT -7:00]</p><p>Running from: c:\users\Greg Henning\Desktop\ComboFix.exe</p><p>AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}</p><p>SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}</p><p>SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}</p><p> * Created a new restore point</p><p>.</p><p>.</p><p>((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))</p><p>.</p><p>.</p><p>C:\a</p><p>c:\a\lp.crx</p><p>c:\windows\iun6002.exe</p><p>c:\windows\SysWow64\c.bat</p><p>c:\windows\SysWow64\Packet.dll</p><p>c:\windows\SysWow64\pthreadVC.dll</p><p>c:\windows\SysWow64\v.vbs</p><p>c:\windows\SysWow64\WanPacket.dll</p><p>c:\windows\SysWow64\wpcap.dll</p><p>.</p><p>.</p><p>((((((((((((((((((((((((( Files Created from 2012-12-20 to 2013-01-20 )))))))))))))))))))))))))))))))</p><p>.</p><p>.</p><p>2013-01-20 06:23 . 2013-01-20 06:23 -------- d-----w- c:\users\Default\AppData\Local\temp</p><p>2013-01-20 04:37 . 2013-01-20 04:37 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4C77BA6E-092A-4584-87BC-F6DDB611D2C7}\offreg.dll</p><p>2013-01-19 16:35 . 
2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4C77BA6E-092A-4584-87BC-F6DDB611D2C7}\mpengine.dll</p><p>2013-01-19 03:45 . 2013-01-19 18:05 -------- d-----w- c:\programdata\Spybot - Search & Destroy</p><p>2013-01-19 03:45 . 2013-01-19 03:45 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy</p><p>2013-01-18 16:30 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll</p><p>2013-01-14 16:06 . 2013-01-14 16:06 340203458 ----a-w- C:\regbkp.reg</p><p>2013-01-13 16:36 . 2013-01-13 16:36 -------- d-----w- c:\program files\CCleaner</p><p>2013-01-13 16:28 . 2013-01-13 16:28 -------- d-----w- C:\_OTL</p><p>2013-01-11 18:52 . 2013-01-11 18:52 -------- d-----w- c:\users\Greg Henning\AppData\Local\Programs</p><p>2013-01-11 18:02 . 2013-01-11 18:02 36680 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys</p><p>2013-01-10 19:43 . 2013-01-10 21:44 12872 ----a-w- c:\windows\system32\bootdelete.exe</p><p>2013-01-10 17:10 . 2013-01-10 17:10 -------- d-----w- c:\program files\HitmanPro</p><p>2013-01-10 17:10 . 2013-01-10 19:43 -------- d-----w- c:\programdata\HitmanPro</p><p>2013-01-09 04:32 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll</p><p>2013-01-09 04:32 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll</p><p>2013-01-09 04:32 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll</p><p>2013-01-09 04:30 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe</p><p>2013-01-09 04:30 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys</p><p>2012-12-27 16:40 . 2012-12-27 16:40 -------- d-----w- C:\TDSSKiller_Quarantine</p><p>2012-12-27 16:35 . 2012-12-27 16:35 208216 ----a-w- c:\windows\system32\drivers\51632886.sys</p><p>2012-12-27 16:18 . 2012-12-27 16:18 208216 ----a-w- c:\windows\system32\drivers\65925223.sys</p><p>2012-12-22 07:56 . 
2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll</p><p>2012-12-22 07:56 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll</p><p>2012-12-22 07:56 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll</p><p>2012-12-22 07:56 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll</p><p>.</p><p>.</p><p>.</p><p>(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))</p><p>.</p><p>2013-01-09 16:09 . 2012-04-20 14:20 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl</p><p>2013-01-09 16:09 . 2012-04-20 14:20 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe</p><p>2013-01-09 07:04 . 2012-04-14 16:31 67599240 ----a-w- c:\windows\system32\MRT.exe</p><p>2012-12-20 19:10 . 2012-12-20 19:10 741 ----a-w- c:\windows\SysWow64\lod1.vbs</p><p>2012-12-14 23:49 . 2012-10-02 00:37 24176 ----a-w- c:\windows\system32\drivers\mbam.sys</p><p>2012-11-30 04:45 . 2013-01-09 04:31 44032 ----a-w- c:\windows\apppatch\acwow64.dll</p><p>2012-11-28 16:34 . 2012-11-28 16:34 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{26CA7A6E-0807-4182-A2F5-FA3414545751}\gapaengine.dll</p><p>2012-11-14 07:06 . 2012-12-12 00:29 17811968 ----a-w- c:\windows\system32\mshtml.dll</p><p>2012-11-14 06:32 . 2012-12-12 00:29 10925568 ----a-w- c:\windows\system32\ieframe.dll</p><p>2012-11-14 06:11 . 2012-12-12 00:29 2312704 ----a-w- c:\windows\system32\jscript9.dll</p><p>2012-11-14 06:04 . 2012-12-12 00:29 1346048 ----a-w- c:\windows\system32\urlmon.dll</p><p>2012-11-14 06:04 . 2012-12-12 00:29 1392128 ----a-w- c:\windows\system32\wininet.dll</p><p>2012-11-14 06:02 . 2012-12-12 00:29 1494528 ----a-w- c:\windows\system32\inetcpl.cpl</p><p>2012-11-14 06:02 . 2012-12-12 00:29 237056 ----a-w- c:\windows\system32\url.dll</p><p>2012-11-14 05:59 . 2012-12-12 00:29 85504 ----a-w- c:\windows\system32\jsproxy.dll</p><p>2012-11-14 05:58 . 
2012-12-12 00:29 816640 ----a-w- c:\windows\system32\jscript.dll</p><p>2012-11-14 05:57 . 2012-12-12 00:29 599040 ----a-w- c:\windows\system32\vbscript.dll</p><p>2012-11-14 05:57 . 2012-12-12 00:29 173056 ----a-w- c:\windows\system32\ieUnatt.exe</p><p>2012-11-14 05:55 . 2012-12-12 00:29 2144768 ----a-w- c:\windows\system32\iertutil.dll</p><p>2012-11-14 05:55 . 2012-12-12 00:29 729088 ----a-w- c:\windows\system32\msfeeds.dll</p><p>2012-11-14 05:53 . 2012-12-12 00:29 96768 ----a-w- c:\windows\system32\mshtmled.dll</p><p>2012-11-14 05:52 . 2012-12-12 00:29 2382848 ----a-w- c:\windows\system32\mshtml.tlb</p><p>2012-11-14 05:46 . 2012-12-12 00:29 248320 ----a-w- c:\windows\system32\ieui.dll</p><p>2012-11-14 02:09 . 2012-12-12 00:29 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll</p><p>2012-11-14 01:58 . 2012-12-12 00:29 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl</p><p>2012-11-14 01:57 . 2012-12-12 00:29 1129472 ----a-w- c:\windows\SysWow64\wininet.dll</p><p>2012-11-14 01:49 . 2012-12-12 00:29 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe</p><p>2012-11-14 01:48 . 2012-12-12 00:29 420864 ----a-w- c:\windows\SysWow64\vbscript.dll</p><p>2012-11-14 01:44 . 2012-12-12 00:29 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb</p><p>2012-11-09 05:45 . 2012-12-11 20:45 2048 ----a-w- c:\windows\system32\tzres.dll</p><p>2012-11-09 04:42 . 2012-12-11 20:45 2048 ----a-w- c:\windows\SysWow64\tzres.dll</p><p>2012-11-03 16:42 . 2012-04-10 07:52 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll</p><p>2012-11-03 16:42 . 2012-04-10 07:52 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll</p><p>2012-11-03 16:42 . 2012-04-10 07:52 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll</p><p>2012-11-02 05:59 . 2012-12-11 20:44 478208 ----a-w- c:\windows\system32\dpnet.dll</p><p>2012-11-02 05:11 . 
2012-12-11 20:44 376832 ----a-w- c:\windows\SysWow64\dpnet.dll</p><p>2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx</p><p>2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts</p><p>.</p><p>.</p><p>((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))</p><p>.</p><p>.</p><p>*Note* empty entries & legit default entries are not shown </p><p>REGEDIT4</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]</p><p>@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"</p><p>[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]</p><p>2012-11-13 23:32 129272 ----a-w- c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]</p><p>@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"</p><p>[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]</p><p>2012-11-13 23:32 129272 ----a-w- c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]</p><p>@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"</p><p>[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]</p><p>2012-11-13 23:32 129272 ----a-w- c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll</p><p>.</p><p>[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</p><p>"PlayOn"="c:\program files (x86)\MediaMall\PlayOn.exe" [2012-09-10 53248]</p><p>"Logitech Vid"="c:\program files (x86)\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]</p><p>"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]</p><p>"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet 
Services\iCloudServices.exe" [2012-11-28 59280]</p><p>"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-11-28 59280]</p><p>"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-18 911160]</p><p>"GoogleChromeAutoLaunch_0F2652F2B693065CA93E1F10A2E3FE34"="c:\program files (x86)\Google\Chrome\Application\chrome.exe" [2013-01-08 1248360]</p><p>"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]</p><p>"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]</p><p>"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-17 50472]</p><p>"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]</p><p>"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]</p><p>"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]</p><p>"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2012-09-29 12105344]</p><p>"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]</p><p>"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]</p><p>"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]</p><p>"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]</p><p>"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]</p><p>"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]</p><p>"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution 
Menu EX\CNSEMAIN.EXE" [2011-08-04 1637496]</p><p>"IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2011-01-15 452016]</p><p>"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]</p><p>"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]</p><p>.</p><p>c:\users\Greg Henning\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\</p><p>Dropbox.lnk - c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-12-21 28538560]</p><p>MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-4-10 576000]</p><p>.</p><p>c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\</p><p>HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]</p><p>"ConsentPromptBehaviorAdmin"= 0 (0x0)</p><p>"ConsentPromptBehaviorUser"= 3 (0x3)</p><p>"EnableUIADesktopToggle"= 0 (0x0)</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]</p><p>"aux2"=wdmaud.drv</p><p>.</p><p>[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]</p><p>Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u 
msoidssp</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]</p><p>@="Service"</p><p>.</p><p>R1 bgfesahw;bgfesahw;c:\windows\system32\drivers\bgfesahw.sys [x]</p><p>R1 cjalkamt;cjalkamt;c:\windows\system32\drivers\cjalkamt.sys [x]</p><p>R1 ikzvbpnb;ikzvbpnb;c:\windows\system32\drivers\ikzvbpnb.sys [x]</p><p>R1 oancaagb;oancaagb;c:\windows\system32\drivers\oancaagb.sys [x]</p><p>R1 qtusguiv;qtusguiv;c:\windows\system32\drivers\qtusguiv.sys [x]</p><p>R1 rjtwmsxm;rjtwmsxm;c:\windows\system32\drivers\rjtwmsxm.sys [x]</p><p>R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]</p><p>R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-01-10 108904]</p><p>R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]</p><p>R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]</p><p>R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]</p><p>R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]</p><p>R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C 
Service\c2c_service.exe [2012-12-13 3290896]</p><p>R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-08 160944]</p><p>R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 33888]</p><p>R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-07-27 158976]</p><p>R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-08 30304]</p><p>R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-01-11 36680]</p><p>R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]</p><p>R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]</p><p>R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]</p><p>R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-09-30 80384]</p><p>R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-09-30 180736]</p><p>R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]</p><p>R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]</p><p>R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]</p><p>R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]</p><p>R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-09-28 53760]</p><p>R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-13 1255736]</p><p>S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]</p><p>S2 MediaMall Server;MediaMall Server;c:\program files (x86)\MediaMall\MediaMallServer.exe 
[2012-09-10 3057528]</p><p>S2 msoidsvc;Microsoft Online Services Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-09-28 2078112]</p><p>S2 osubsvc;Microsoft Office 2010 Subscription Agent;c:\program files\Common Files\Microsoft Shared\OFFICE14\osa.exe [2011-11-16 607048]</p><p>S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]</p><p>S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]</p><p>S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 33888]</p><p>S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [2012-01-18 25632]</p><p>S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440]</p><p>S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\DRIVERS\AE2500w764.sys [2011-03-29 1254464]</p><p>S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]</p><p>S3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2012-01-18 4865568]</p><p>S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-14 413800]</p><p>.</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]</p><p>hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]</p><p>2013-01-12 18:28 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe</p><p>.</p><p>Contents of the 'Scheduled Tasks' folder</p><p>.</p><p>2013-01-20 c:\windows\Tasks\Adobe Flash Player Updater.job</p><p>- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 16:09]</p><p>.</p><p>2013-01-20 
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3334729812-3173734214-3854604701-1003UA.job</p><p>- c:\users\Greg Henning\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-15 23:17]</p><p>.</p><p>.</p><p>--------- X64 Entries -----------</p><p>.</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]</p><p>@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"</p><p>[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]</p><p>2012-11-13 23:32 162552 ----a-w- c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]</p><p>@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"</p><p>[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]</p><p>2012-11-13 23:32 162552 ----a-w- c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]</p><p>@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"</p><p>[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]</p><p>2012-11-13 23:32 162552 ----a-w- c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]</p><p>@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"</p><p>[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]</p><p>2012-11-13 23:32 162552 ----a-w- c:\users\Greg Henning\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</p><p>"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-04 167960]</p><p>"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-04 391704]</p><p>"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-04 
418328]</p><p>"OfficeSubscriptionAgent"="c:\program files\Common Files\Microsoft Shared\OFFICE14\osaui.exe" [2011-11-16 1028416]</p><p>"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]</p><p>"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]</p><p>"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-15 2779024]</p><p>.</p><p>------- Supplementary Scan -------</p><p>.</p><p>uLocal Page = c:\windows\system32\blank.htm</p><p>uStart Page = hxxp://utmost.org/</p><p>mLocal Page = c:\windows\SysWOW64\blank.htm</p><p>uInternet Settings,ProxyOverride = *.local</p><p>Trusted Zone: sharepoint.com\it11</p><p>Trusted Zone: sharepoint.com\it11-admin</p><p>Trusted Zone: sharepoint.com\it11-my</p><p>TCP: DhcpNameServer = 192.168.2.1</p><p>.</p><p>- - - - ORPHANS REMOVED - - - -</p><p>.</p><p>Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe</p><p>AddRemove-Karaoke Anything!1.0 - c:\windows\iun6002.exe</p><p>.</p><p>.</p><p>.</p><p>--------------------- LOCKED REGISTRY KEYS ---------------------</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]</p><p>@Denied: (A 2) 
(Everyone)</p><p>@="FlashBroker"</p><p>"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]</p><p>"Enabled"=dword:00000001</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]</p><p>@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]</p><p>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]</p><p>@Denied: (A 2) (Everyone)</p><p>@="IFlashBroker5"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]</p><p>@="{00020424-0000-0000-C000-000000000046}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]</p><p>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</p><p>"Version"="1.0"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]</p><p>@Denied: (A 2) 
(Everyone)</p><p>@="FlashBroker"</p><p>"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]</p><p>"Enabled"=dword:00000001</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]</p><p>@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]</p><p>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]</p><p>@Denied: (A 2) (Everyone)</p><p>@="Shockwave Flash Object"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]</p><p>@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"</p><p>"ThreadingModel"="Apartment"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]</p><p>@="0"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]</p><p>@="ShockwaveFlash.ShockwaveFlash.11"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]</p><p>@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 
1"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]</p><p>@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]</p><p>@="1.0"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]</p><p>@="ShockwaveFlash.ShockwaveFlash"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]</p><p>@Denied: (A 2) (Everyone)</p><p>@="Macromedia Flash Factory Object"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]</p><p>@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"</p><p>"ThreadingModel"="Apartment"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]</p><p>@="FlashFactory.FlashFactory.1"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]</p><p>@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]</p><p>@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]</p><p>@="1.0"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]</p><p>@="FlashFactory.FlashFactory"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]</p><p>@Denied: (A 2) 
(Everyone)</p><p>@="IFlashBroker5"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]</p><p>@="{00020424-0000-0000-C000-000000000046}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]</p><p>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</p><p>"Version"="1.0"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]</p><p>@Denied: (A) (Everyone)</p><p>"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]</p><p>@Denied: (A) (Everyone)</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]</p><p>"Key"="ActionsPane3"</p><p>"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]</p><p>@Denied: (Full) (Everyone)</p><p>.</p><p>Completion time: 2013-01-19 23:34:42</p><p>ComboFix-quarantined-files.txt 2013-01-20 06:34</p><p>.</p><p>Pre-Run: 473,059,057,664 bytes free</p><p>Post-Run: 472,682,942,464 bytes free</p><p>.</p><p>- - End Of File - - 91D5F9249D21269D05B9B351A774F5F7</p><p></p><p></p><p>Here is the OTL log:</p><p></p><p><strong>All processes killed</strong></p><p><strong>========== OTL ==========</strong></p><p><strong>64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.</strong></p><p><strong>Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.</strong></p><p><strong>Registry value HKEY_USERS\S-1-5-21-3334729812-3173734214-3854604701-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted 
successfully.</strong></p><p><strong>Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.</strong></p><p><strong>Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\FlashPlayerUpdate deleted successfully.</strong></p><p><strong>Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\FlashPlayerUpdate not found.</strong></p><p><strong>Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.</strong></p><p><strong>Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.</strong></p><p><strong>C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job moved successfully.</strong></p><p><strong>C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job moved successfully.</strong></p><p><strong>C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3334729812-3173734214-3854604701-1003Core.job moved successfully.</strong></p><p><strong>C:\Users\Greg Henning\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.</strong></p><p><strong>========== FILES ==========</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:a1.interclick.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.directrev.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.doubleclick.net not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:bs.serving-sys.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User 
Data\Default\Cookies:c.atdmt.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:cdn.interclick.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:exch-w.atdmt.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:googleads.g.doubleclick.net not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:interclick.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:statcounter.com not found.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Google\Chrome\User Data\Default\Cookies:view.atdmt.com not found.</strong></p><p><strong>========== COMMANDS ==========</strong></p><p> <strong></strong></p><p><strong>[EMPTYTEMP]</strong></p><p> <strong></strong></p><p><strong>User: All Users</strong></p><p> <strong></strong></p><p><strong>User: Default</strong></p><p><strong>->Temp folder emptied: 0 bytes</strong></p><p><strong>->Temporary Internet Files folder emptied: 0 bytes</strong></p><p><strong>->Flash cache emptied: 0 bytes</strong></p><p> <strong></strong></p><p><strong>User: Default User</strong></p><p><strong>->Temp folder emptied: 0 bytes</strong></p><p><strong>->Temporary Internet Files folder emptied: 0 bytes</strong></p><p><strong>->Flash cache emptied: 0 bytes</strong></p><p> 
<strong></strong></p><p><strong>User: Greg Henning</strong></p><p><strong>->Temp folder emptied: 72109 bytes</strong></p><p><strong>->Temporary Internet Files folder emptied: 20514376 bytes</strong></p><p><strong>->Java cache emptied: 511095 bytes</strong></p><p><strong>->Google Chrome cache emptied: 13369722 bytes</strong></p><p><strong>->Flash cache emptied: 602 bytes</strong></p><p> <strong></strong></p><p><strong>User: Public</strong></p><p> <strong></strong></p><p><strong>%systemdrive% .tmp files removed: 0 bytes</strong></p><p><strong>%systemroot% .tmp files removed: 0 bytes</strong></p><p><strong>%systemroot%\System32 .tmp files removed: 0 bytes</strong></p><p><strong>%systemroot%\System32 (64bit) .tmp files removed: 0 bytes</strong></p><p><strong>%systemroot%\System32\drivers .tmp files removed: 0 bytes</strong></p><p><strong>Windows Temp folder emptied: 27218 bytes</strong></p><p><strong>%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes</strong></p><p><strong>%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes</strong></p><p><strong>RecycleBin emptied: 0 bytes</strong></p><p> <strong></strong></p><p><strong>Total Files Cleaned = 33.00 mb</strong></p><p> <strong></strong></p><p> <strong></strong></p><p><strong>OTL by OldTimer - Version 3.2.69.0 log created on 01192013_213544</strong></p><p><strong></strong></p><p><strong>Files\Folders moved on Reboot...</strong></p><p><strong>C:\Users\Greg Henning\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.</strong></p><p><strong>File\Folder C:\Users\Greg Henning\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VY6HMVIJ\0[2].htm not found!</strong></p><p><strong></strong></p><p><strong>PendingFileRenameOperations files...</strong></p><p><strong></strong></p><p><strong>Registry entries deleted on 
Reboot...</strong></p><p><strong></strong></p></blockquote><p></p>