System Progressive No Internet
- Thread starter s12eaton
- Start date
- Jan 24, 2011
- 9,378
Hello s12eaton and welcome to the malwaretips.com forums!
I'm Jack and I am going to try to assist you with your problem. Please take note of the below:
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to back up any personal files and folders before you start.
<hr />
This infection is known to disable the network adapter and delete Windows services to protect itself from being removed.
Lets quickly check if your network adapter is disabled:
If none,of the above works,then we will need to transfer some files via an USB stick:
STEP 1 : Run a scan with Combofix
Download ComboFix from one of the following locations:
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
<ul>
<li>Close any open browsers.</li>
<li><>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</> </em>performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</></li>
<li>Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
How to run the Combofix scan :
Additional notes:
<ol><li> DO NOT mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li>DO NOT "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li>IF after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>
STEP 2: Run the Complete Internet Repair utility.
<ol><li>Download <a title="External link" href="http://www.datum-forensics.com/down/comintrep.exe" rel="nofollow external" rel="nofollow">Complete Internet Repair utility</a>to your desktop</li>
<li>Unzip all the files to their own folder on the desktop</li>
<li>Within the folder double click <>CIntRep</></li>
<li>Select the following items,then press the GO button.
<ul><li>Reset Interent Protocol (TCP/IP)</li>
<li>Repair Winsock (Reset Catalog)</li>
<li>Renew Internet Connection</li>
<li>Flush DNS Resolver Cache</li>
<li>Reset Windows Firewall Configuration</li>
<li>Reset the default hosts fie</li></ul>
</li>
</ol>
STEP 3: Run a scan with Farbar Service Scanner
<ol> <li>Download Farbar Service Scanner from the below link.
<><a title="External link" href="http://download.bleepingcomputer.com/farbar/FSS.exe" rel="external">FABAR SERVICE SCANNER</a></> <em> (This link will automatically download Farbar Service Scanner on your computer)</em></li>
<li>Run the ulity and checkmark all the boxes</li>
<li> Click on the Scan button.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/09/fabar.png" /></li>
<li>Add the log that will produce in your next reply.</li></ol>
What's next?
Please post in your next reply:
1.Combofix log
2.Complete Internet Repair utility log
3.Fabar log
4.Let me know if you had any problems with the above instructions and also <>let me know how things are running now!</>
I'm Jack and I am going to try to assist you with your problem. Please take note of the below:
- I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine!
- The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
- If you don't know, stop and ask! Don't keep going on.
- Please reply to this thread. Do not start a new topic.
- Refrain from running self fixes as this will hinder the malware removal process.
- It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to back up any personal files and folders before you start.
<hr />
This infection is known to disable the network adapter and delete Windows services to protect itself from being removed.
Lets quickly check if your network adapter is disabled:
- Open Network Connections by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.
- Right-click the network adapter, and then select Enable to enable it.
- Click Start
- In the Start search box type System Restore and press enter.
If none,of the above works,then we will need to transfer some files via an USB stick:
STEP 1 : Run a scan with Combofix
Please read and follow very carefully the below instructions
Download ComboFix from one of the following locations:
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
<ul>
<li>Close any open browsers.</li>
<li><>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</> </em>performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</></li>
<li>Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
How to run the Combofix scan :
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- Combofix will now start scanning your computer.
- When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Additional notes:
<ol><li> DO NOT mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li>DO NOT "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li>IF after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>
STEP 2: Run the Complete Internet Repair utility.
<ol><li>Download <a title="External link" href="http://www.datum-forensics.com/down/comintrep.exe" rel="nofollow external" rel="nofollow">Complete Internet Repair utility</a>to your desktop</li>
<li>Unzip all the files to their own folder on the desktop</li>
<li>Within the folder double click <>CIntRep</></li>
<li>Select the following items,then press the GO button.
<ul><li>Reset Interent Protocol (TCP/IP)</li>
<li>Repair Winsock (Reset Catalog)</li>
<li>Renew Internet Connection</li>
<li>Flush DNS Resolver Cache</li>
<li>Reset Windows Firewall Configuration</li>
<li>Reset the default hosts fie</li></ul>
</li>
</ol>
STEP 3: Run a scan with Farbar Service Scanner
<ol> <li>Download Farbar Service Scanner from the below link.
<><a title="External link" href="http://download.bleepingcomputer.com/farbar/FSS.exe" rel="external">FABAR SERVICE SCANNER</a></> <em> (This link will automatically download Farbar Service Scanner on your computer)</em></li>
<li>Run the ulity and checkmark all the boxes</li>
<li> Click on the Scan button.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/09/fabar.png" /></li>
<li>Add the log that will produce in your next reply.</li></ol>
What's next?
Please post in your next reply:
1.Combofix log
2.Complete Internet Repair utility log
3.Fabar log
4.Let me know if you had any problems with the above instructions and also <>let me know how things are running now!</>
Last edited:
Thanks for the help so far. Now the only issue I have is that my home page has been changed to:
hxxp://www.searchnu.com/406 If I try and change it to anything else, I go back to having no connection to the internet. Here are the logs from what I ran.
ComboFix 12-11-14.01 - Scott 11/16/2012 9:35.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3963.2338 [GMT -6:00]
Running from: c:\users\Scott\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-16 to 2012-11-16 )))))))))))))))))))))))))))))))
.
.
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\users\Scott\AppData\Local\temp
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-14 19:48 . 2012-11-14 19:48 -------- d-----w- c:\program files\HitmanPro
2012-11-14 19:38 . 2012-11-14 19:38 -------- d-----w- c:\programdata\HitmanPro
2012-11-14 18:31 . 2012-11-14 18:31 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2012-11-14 18:30 . 2012-11-14 18:30 -------- d-----w- c:\programdata\Malwarebytes
2012-11-14 18:30 . 2012-11-14 18:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-14 18:30 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-20 22:58 . 2012-10-21 22:13 -------- d-----w- C:\temp
2012-10-20 22:11 . 2012-10-20 22:11 -------- d-----w- c:\windows\system32\kodak
2012-10-20 22:11 . 2012-06-28 17:14 78848 ----a-w- c:\windows\system32\Spool\prtprocs\x64\EKAiO2PPR.dll
2012-10-20 22:09 . 2012-10-21 00:24 -------- d-----w- c:\users\Scott\AppData\Local\Eastman_Kodak_Company
2012-10-20 22:08 . 2012-10-20 22:08 -------- d-----w- c:\users\Scott\AppData\Local\Eastman Kodak Company
2012-10-20 22:07 . 2012-10-20 22:07 -------- d-----w- c:\windows\SysWow64\kodak
2012-10-20 21:59 . 2012-11-16 15:25 -------- d-----w- c:\programdata\Kodak
2012-10-20 04:31 . 2012-10-20 04:31 -------- d-----w- c:\windows\Hewlett-Packard
2012-10-20 04:27 . 2012-06-01 20:30 376832 ----a-w- c:\windows\system32\hpbrprtmon.dll
2012-10-20 04:27 . 2012-06-01 20:26 171008 ----a-w- c:\windows\system32\hpbprtmonui.dll
2012-10-20 04:27 . 2012-06-01 20:30 355840 ----a-w- c:\windows\system32\hpbprtmon.dll
2012-10-20 04:22 . 2012-10-20 04:22 -------- d-----w- C:\HP_ePrint_Mobile
2012-10-19 20:42 . 2012-10-19 20:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\HP
2012-10-19 18:59 . 2012-10-19 18:59 -------- d-----w- c:\program files (x86)\Hewlett-Packard
2012-10-19 18:57 . 2012-10-19 18:57 -------- d-----w- c:\program files (x86)\Microsoft
2012-10-19 18:54 . 2012-10-26 19:25 -------- d-----w- c:\users\Scott\AppData\Roaming\HpUpdate
2012-10-19 18:51 . 2012-10-20 21:56 -------- d-----w- c:\program files (x86)\HP
2012-10-19 18:50 . 2012-10-20 02:33 -------- d-----w- c:\program files\HP
2012-10-19 18:49 . 2012-10-19 20:46 -------- d-----w- c:\users\Scott\AppData\Local\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-10 08:07 . 2006-11-02 12:35 65309168 ----a-w- c:\windows\system32\mrt.exe
2012-10-09 01:37 . 2012-04-01 15:10 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-09 01:37 . 2011-06-22 19:32 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-13 13:45 . 2012-10-09 18:34 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-13 13:28 . 2012-10-09 18:34 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-08-29 16:05 . 2012-08-29 16:05 100344 ----a-w- c:\windows\HPBroker.dll
2012-08-29 11:40 . 2012-10-09 18:33 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 16:07 . 2012-10-09 18:33 218624 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 15:53 . 2012-10-09 18:33 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-24 11:15 . 2012-09-22 08:00 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-08-24 10:39 . 2012-09-22 08:00 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-08-24 10:31 . 2012-09-22 08:00 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 10:22 . 2012-09-22 08:00 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-08-24 10:21 . 2012-09-22 08:00 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 10:20 . 2012-09-22 08:00 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 10:18 . 2012-09-22 08:00 237056 ----a-w- c:\windows\system32\url.dll
2012-08-24 10:17 . 2012-09-22 08:00 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-08-24 10:14 . 2012-09-22 08:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 10:14 . 2012-09-22 08:00 816640 ----a-w- c:\windows\system32\jscript.dll
2012-08-24 10:13 . 2012-09-22 08:00 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 10:12 . 2012-09-22 08:00 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-08-24 10:11 . 2012-09-22 08:00 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-08-24 10:10 . 2012-09-22 08:00 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-08-24 10:09 . 2012-09-22 08:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-24 10:04 . 2012-09-22 08:00 248320 ----a-w- c:\windows\system32\ieui.dll
2012-08-24 06:59 . 2012-09-22 08:00 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-08-24 06:51 . 2012-09-22 08:00 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-08-24 06:51 . 2012-09-22 08:00 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 08:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 08:00 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-08-24 06:43 . 2012-09-22 08:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-08-21 18:01 . 2012-09-21 03:30 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01 . 2009-09-12 22:33 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 18:01 . 2009-09-12 22:33 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn9\yt.dll" [2012-06-11 1524056]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Swag_Bucks\prxtbSwag.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}]
2011-10-31 13:37 88976 ----a-w- c:\progra~2\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{99079a25-328f-4bd4-be04-00955acaa0a7}"= "c:\progra~2\WI371A~1\Datamngr\ToolBar\searchqudtx.dll" [2011-10-31 88976]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{99079a25-328f-4bd4-be04-00955acaa0a7}]
.
[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Skype"="c:\program files (x86)\Skype\\Phone\Skype.exe" [2012-07-13 17418928]
"ANT Agent"="c:\program files (x86)\Garmin\ANT Agent\ANT Agent.exe" [2012-03-23 14749544]
"gStart"="c:\program files (x86)\Garmin\Training Center\gStart.exe" [2008-08-13 1891416]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-08-29 59280]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-09-10 59280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AprvRemoveLegacyExcelKeys"="c:\program files (x86)\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn" [X]
"AprvRemoveLegacyWordKeys"="c:\program files (x86)\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn" [X]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"PCMAgent"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"YMailAdvisor"="c:\program files (x86)\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"ApproveItForOfficeSetup"="c:\program files (x86)\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2010-01-26 155648]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"ArcSoft MediaImpression Monitor"="c:\program files (x86)\Kodak\MediaImpression\ArcMonitor.exe" [2010-07-20 80384]
"Sprint SmartView"="c:\program files (x86)\Sprint\Sprint SmartView\SprintSV.exe" [2009-09-10 75072]
"RDVCHG"="c:\program files (x86)\Sprint\Sprint SmartView\RDVCHG.exe" [2009-09-10 316736]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
.
c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Scott\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 164904]
ApproveIt StartUp.lnk - c:\windows\Installer\{4E01B649-0023-4EB5-9263-57DE317C3418}\Icon9557F1BC1.ico [2011-8-12 9216]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Yahoo! Autosync.lnk - c:\program files (x86)\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-8-21 391680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\WI371A~1\Datamngr\datamngr.dll c:\progra~2\WI371A~1\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 01:38]
.
2012-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-25 23:30]
.
2012-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-25 23:30]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="E" [X]
"HotKeysCmds"="E" [X]
"Persistence"="E" [X]
"RtHDVCpl"="E" [X]
"Skytel"="E" [X]
"TPwrMain"="E" [X]
"HSON"="E" [X]
"SmoothView"="E" [X]
"00TCrdMain"="E" [X]
"SynTPEnh"="E" [X]
"acevents"="E" [X]
"accrdsub"="E" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\WI371A~1\Datamngr\x64\datamngr.dll c:\progra~2\WI371A~1\Datamngr\x64\IEBHO.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://att.yahoo.com
mDefault_Page_URL = hxxp://att.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: army.mil
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: ngbenefits
Trusted Zone: pentagon.mil\*.atrrs.army
TCP: DhcpNameServer = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - (no file)
AddRemove-Move Networks Player - IE - c:\users\Scott\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-11-16 09:52:18
ComboFix-quarantined-files.txt 2012-11-16 15:52
ComboFix2.txt 2012-11-15 23:26
.
Pre-Run: 113,829,330,944 bytes free
Post-Run: 113,793,077,248 bytes free
.
- - End Of File - - 410BBA2AA165582CCDC159FA0689DE2D
./
(o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[15/11/2012 17:32:11] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:12] TCP/IP interfaces reset successful.
[15/11/2012 17:32:12] TCP/IP v6 interfaces reset successful.
[15/11/2012 17:32:12] You may need to restart your computer for the settings to take effect.
[15/11/2012 17:32:12] Finished resetting the Internet Protocol (TCP/IP).
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:12] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:13] Successfully reset the Winsock Catalog.
[15/11/2012 17:32:13] Finished repairing Winsock
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:13] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:14] Successfully released TCP/IP connections.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:14] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:17] Successfully renewed TCP/IP adapters.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:17] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:19] Windows Event Log Service Configured.
[15/11/2012 17:32:19] Starting the Windows Event Log Service.....
[15/11/2012 17:32:19] Windows Event Log Service Started Successfully.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:19] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:19] Successfully flushed DNS Resolver Cache.
[15/11/2012 17:32:19] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[15/11/2012 17:32:22] Registration of the DNS resource records has been initiated.
[15/11/2012 17:32:23] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[15/11/2012 17:32:23] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:23] Resetting the Windows Firewall configuraton, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:23] Could not reset Windows Firewall configuration.
[15/11/2012 17:32:23] Finished resetting the Windows Firewall configuraton.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:23] Restoring the default Windows HOSTS file, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:27] Writing data to the HOSTS file.....
[15/11/2012 17:32:27] HOSTS file created successfully.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:27] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:38] Your computer is restarting now.....
-----------------------------------------------------------------------------------------
./
(o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[16/11/2012 09:12:45] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:47] TCP/IP interfaces reset successful.
[16/11/2012 09:12:48] TCP/IP v6 interfaces reset successful.
[16/11/2012 09:12:48] You may need to restart your computer for the settings to take effect.
[16/11/2012 09:12:48] Finished resetting the Internet Protocol (TCP/IP).
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:48] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Successfully reset the Winsock Catalog.
[16/11/2012 09:12:49] Finished repairing Winsock
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Successfully released TCP/IP connections.
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:55] Successfully renewed TCP/IP adapters.
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:55] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:57] Windows Event Log Service Configured.
[16/11/2012 09:12:57] Starting the Windows Event Log Service.....
[16/11/2012 09:12:57] Windows Event Log Service Started Successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:57] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:57] Successfully flushed DNS Resolver Cache.
[16/11/2012 09:12:57] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[16/11/2012 09:13:00] Registration of the DNS resource records has been initiated.
[16/11/2012 09:13:00] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[16/11/2012 09:13:00] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:00] Resetting the Windows Firewall configuraton, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:01] Could not reset Windows Firewall configuration.
[16/11/2012 09:13:01] Finished resetting the Windows Firewall configuraton.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:01] Restoring the default Windows HOSTS file, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:17] Writing data to the HOSTS file.....
[16/11/2012 09:13:17] HOSTS file created successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:17] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:38] Your computer is restarting now.....
-----------------------------------------------------------------------------------------
./
(o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[16/11/2012 09:55:56] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:57] TCP/IP interfaces reset successful.
[16/11/2012 09:55:57] TCP/IP v6 interfaces reset successful.
[16/11/2012 09:55:57] You may need to restart your computer for the settings to take effect.
[16/11/2012 09:55:57] Finished resetting the Internet Protocol (TCP/IP).
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:57] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Successfully reset the Winsock Catalog.
[16/11/2012 09:55:58] Finished repairing Winsock
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Successfully released TCP/IP connections.
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:02] Successfully renewed TCP/IP adapters.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:02] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:04] Windows Event Log Service Configured.
[16/11/2012 09:56:04] Starting the Windows Event Log Service.....
[16/11/2012 09:56:04] Windows Event Log Service Started Successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:04] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:04] Successfully flushed DNS Resolver Cache.
[16/11/2012 09:56:04] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[16/11/2012 09:56:08] Registration of the DNS resource records has been initiated.
[16/11/2012 09:56:08] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[16/11/2012 09:56:08] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:08] Resetting the Windows Firewall configuraton, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:08] Could not reset Windows Firewall configuration.
[16/11/2012 09:56:08] Finished resetting the Windows Firewall configuraton.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:08] Restoring the default Windows HOSTS file, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:12] Writing data to the HOSTS file.....
[16/11/2012 09:56:12] HOSTS file created successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:12] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:14] Your computer is restarting now.....
-----------------------------------------------------------------------------------------
Farbar Service Scanner Version: 09-11-2012
Ran by Scott (administrator) on 16-11-2012 at 10:01:40
Running from "C:\Users\Scott\Desktop"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7
C:\Windows\System32\drivers\afd.sys
[2012-02-15 21:09] - [2012-01-03 08:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 18:11] - [2012-03-30 06:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E
C:\Windows\System32\dnsrslvr.dll
[2011-04-14 21:37] - [2011-03-02 10:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0
C:\Windows\System32\mpssvc.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
C:\Windows\System32\bfe.dll
[2009-12-02 20:16] - [2009-04-11 01:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-12-02 20:17] - [2009-04-11 01:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1
C:\Windows\System32\wscsvc.dll
[2009-12-02 20:16] - [2009-04-11 01:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A
C:\Windows\System32\wbem\WMIsvc.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-12-02 20:18] - [2009-04-11 01:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C
C:\Windows\System32\es.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF
C:\Windows\System32\cryptsvc.dll
[2012-10-09 12:33] - [2012-06-01 18:20] - 0174592 ____A (Microsoft Corporation) CA78B312C44E4D52E842C2C8BD48E452
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-12-02 20:18] - [2009-04-11 01:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF
**** End of log ****
hxxp://www.searchnu.com/406 If I try and change it to anything else, I go back to having no connection to the internet. Here are the logs from what I ran.
ComboFix 12-11-14.01 - Scott 11/16/2012 9:35.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3963.2338 [GMT -6:00]
Running from: c:\users\Scott\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-16 to 2012-11-16 )))))))))))))))))))))))))))))))
.
.
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\users\Scott\AppData\Local\temp
2012-11-16 15:48 . 2012-11-16 15:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-14 19:48 . 2012-11-14 19:48 -------- d-----w- c:\program files\HitmanPro
2012-11-14 19:38 . 2012-11-14 19:38 -------- d-----w- c:\programdata\HitmanPro
2012-11-14 18:31 . 2012-11-14 18:31 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2012-11-14 18:30 . 2012-11-14 18:30 -------- d-----w- c:\programdata\Malwarebytes
2012-11-14 18:30 . 2012-11-14 18:30 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-14 18:30 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-20 22:58 . 2012-10-21 22:13 -------- d-----w- C:\temp
2012-10-20 22:11 . 2012-10-20 22:11 -------- d-----w- c:\windows\system32\kodak
2012-10-20 22:11 . 2012-06-28 17:14 78848 ----a-w- c:\windows\system32\Spool\prtprocs\x64\EKAiO2PPR.dll
2012-10-20 22:09 . 2012-10-21 00:24 -------- d-----w- c:\users\Scott\AppData\Local\Eastman_Kodak_Company
2012-10-20 22:08 . 2012-10-20 22:08 -------- d-----w- c:\users\Scott\AppData\Local\Eastman Kodak Company
2012-10-20 22:07 . 2012-10-20 22:07 -------- d-----w- c:\windows\SysWow64\kodak
2012-10-20 21:59 . 2012-11-16 15:25 -------- d-----w- c:\programdata\Kodak
2012-10-20 04:31 . 2012-10-20 04:31 -------- d-----w- c:\windows\Hewlett-Packard
2012-10-20 04:27 . 2012-06-01 20:30 376832 ----a-w- c:\windows\system32\hpbrprtmon.dll
2012-10-20 04:27 . 2012-06-01 20:26 171008 ----a-w- c:\windows\system32\hpbprtmonui.dll
2012-10-20 04:27 . 2012-06-01 20:30 355840 ----a-w- c:\windows\system32\hpbprtmon.dll
2012-10-20 04:22 . 2012-10-20 04:22 -------- d-----w- C:\HP_ePrint_Mobile
2012-10-19 20:42 . 2012-10-19 20:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\HP
2012-10-19 18:59 . 2012-10-19 18:59 -------- d-----w- c:\program files (x86)\Hewlett-Packard
2012-10-19 18:57 . 2012-10-19 18:57 -------- d-----w- c:\program files (x86)\Microsoft
2012-10-19 18:54 . 2012-10-26 19:25 -------- d-----w- c:\users\Scott\AppData\Roaming\HpUpdate
2012-10-19 18:51 . 2012-10-20 21:56 -------- d-----w- c:\program files (x86)\HP
2012-10-19 18:50 . 2012-10-20 02:33 -------- d-----w- c:\program files\HP
2012-10-19 18:49 . 2012-10-19 20:46 -------- d-----w- c:\users\Scott\AppData\Local\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-10 08:07 . 2006-11-02 12:35 65309168 ----a-w- c:\windows\system32\mrt.exe
2012-10-09 01:37 . 2012-04-01 15:10 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-09 01:37 . 2011-06-22 19:32 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-13 13:45 . 2012-10-09 18:34 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-13 13:28 . 2012-10-09 18:34 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-08-29 16:05 . 2012-08-29 16:05 100344 ----a-w- c:\windows\HPBroker.dll
2012-08-29 11:40 . 2012-10-09 18:33 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 16:07 . 2012-10-09 18:33 218624 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 15:53 . 2012-10-09 18:33 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-24 11:15 . 2012-09-22 08:00 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-08-24 10:39 . 2012-09-22 08:00 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-08-24 10:31 . 2012-09-22 08:00 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 10:22 . 2012-09-22 08:00 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-08-24 10:21 . 2012-09-22 08:00 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 10:20 . 2012-09-22 08:00 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 10:18 . 2012-09-22 08:00 237056 ----a-w- c:\windows\system32\url.dll
2012-08-24 10:17 . 2012-09-22 08:00 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-08-24 10:14 . 2012-09-22 08:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 10:14 . 2012-09-22 08:00 816640 ----a-w- c:\windows\system32\jscript.dll
2012-08-24 10:13 . 2012-09-22 08:00 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 10:12 . 2012-09-22 08:00 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-08-24 10:11 . 2012-09-22 08:00 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-08-24 10:10 . 2012-09-22 08:00 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-08-24 10:09 . 2012-09-22 08:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-24 10:04 . 2012-09-22 08:00 248320 ----a-w- c:\windows\system32\ieui.dll
2012-08-24 06:59 . 2012-09-22 08:00 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-08-24 06:51 . 2012-09-22 08:00 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-08-24 06:51 . 2012-09-22 08:00 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 08:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 08:00 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-08-24 06:43 . 2012-09-22 08:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-08-21 18:01 . 2012-09-21 03:30 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01 . 2009-09-12 22:33 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 18:01 . 2009-09-12 22:33 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn9\yt.dll" [2012-06-11 1524056]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Swag_Bucks\prxtbSwag.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}]
2011-10-31 13:37 88976 ----a-w- c:\progra~2\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{99079a25-328f-4bd4-be04-00955acaa0a7}"= "c:\progra~2\WI371A~1\Datamngr\ToolBar\searchqudtx.dll" [2011-10-31 88976]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files (x86)\Swag_Bucks\prxtbSwag.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{99079a25-328f-4bd4-be04-00955acaa0a7}]
.
[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Skype"="c:\program files (x86)\Skype\\Phone\Skype.exe" [2012-07-13 17418928]
"ANT Agent"="c:\program files (x86)\Garmin\ANT Agent\ANT Agent.exe" [2012-03-23 14749544]
"gStart"="c:\program files (x86)\Garmin\Training Center\gStart.exe" [2008-08-13 1891416]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-08-29 59280]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-09-10 59280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AprvRemoveLegacyExcelKeys"="c:\program files (x86)\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Excel\Addins\OfficeAddIn.OfficeAddIn" [X]
"AprvRemoveLegacyWordKeys"="c:\program files (x86)\ApproveIt\Support\Tools\AprvClean.exe -k HKCU SOFTWARE\Microsoft\Office\Word\Addins\OfficeAddIn.OfficeAddIn" [X]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"PCMAgent"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"YMailAdvisor"="c:\program files (x86)\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"ApproveItForOfficeSetup"="c:\program files (x86)\ApproveIt\Support\Tools\ApproveItForOfficeSetup.exe" [2010-01-26 155648]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"ArcSoft MediaImpression Monitor"="c:\program files (x86)\Kodak\MediaImpression\ArcMonitor.exe" [2010-07-20 80384]
"Sprint SmartView"="c:\program files (x86)\Sprint\Sprint SmartView\SprintSV.exe" [2009-09-10 75072]
"RDVCHG"="c:\program files (x86)\Sprint\Sprint SmartView\RDVCHG.exe" [2009-09-10 316736]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
.
c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Scott\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 164904]
ApproveIt StartUp.lnk - c:\windows\Installer\{4E01B649-0023-4EB5-9263-57DE317C3418}\Icon9557F1BC1.ico [2011-8-12 9216]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Yahoo! Autosync.lnk - c:\program files (x86)\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-8-21 391680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\WI371A~1\Datamngr\datamngr.dll c:\progra~2\WI371A~1\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 01:38]
.
2012-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-25 23:30]
.
2012-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-25 23:30]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Scott\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="E" [X]
"HotKeysCmds"="E" [X]
"Persistence"="E" [X]
"RtHDVCpl"="E" [X]
"Skytel"="E" [X]
"TPwrMain"="E" [X]
"HSON"="E" [X]
"SmoothView"="E" [X]
"00TCrdMain"="E" [X]
"SynTPEnh"="E" [X]
"acevents"="E" [X]
"accrdsub"="E" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\WI371A~1\Datamngr\x64\datamngr.dll c:\progra~2\WI371A~1\Datamngr\x64\IEBHO.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://att.yahoo.com
mDefault_Page_URL = hxxp://att.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: army.mil
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: ngbenefits
Trusted Zone: pentagon.mil\*.atrrs.army
TCP: DhcpNameServer = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
WebBrowser-{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - (no file)
AddRemove-Move Networks Player - IE - c:\users\Scott\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-11-16 09:52:18
ComboFix-quarantined-files.txt 2012-11-16 15:52
ComboFix2.txt 2012-11-15 23:26
.
Pre-Run: 113,829,330,944 bytes free
Post-Run: 113,793,077,248 bytes free
.
- - End Of File - - 410BBA2AA165582CCDC159FA0689DE2D
./
(o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[15/11/2012 17:32:11] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:12] TCP/IP interfaces reset successful.
[15/11/2012 17:32:12] TCP/IP v6 interfaces reset successful.
[15/11/2012 17:32:12] You may need to restart your computer for the settings to take effect.
[15/11/2012 17:32:12] Finished resetting the Internet Protocol (TCP/IP).
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:12] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:13] Successfully reset the Winsock Catalog.
[15/11/2012 17:32:13] Finished repairing Winsock
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:13] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:14] Successfully released TCP/IP connections.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:14] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:17] Successfully renewed TCP/IP adapters.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:17] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:19] Windows Event Log Service Configured.
[15/11/2012 17:32:19] Starting the Windows Event Log Service.....
[15/11/2012 17:32:19] Windows Event Log Service Started Successfully.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:19] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:19] Successfully flushed DNS Resolver Cache.
[15/11/2012 17:32:19] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[15/11/2012 17:32:22] Registration of the DNS resource records has been initiated.
[15/11/2012 17:32:23] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[15/11/2012 17:32:23] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:23] Resetting the Windows Firewall configuraton, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:23] Could not reset Windows Firewall configuration.
[15/11/2012 17:32:23] Finished resetting the Windows Firewall configuraton.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:23] Restoring the default Windows HOSTS file, Please wait.....
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:27] Writing data to the HOSTS file.....
[15/11/2012 17:32:27] HOSTS file created successfully.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:27] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[15/11/2012 17:32:38] Your computer is restarting now.....
-----------------------------------------------------------------------------------------
./
(o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[16/11/2012 09:12:45] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:47] TCP/IP interfaces reset successful.
[16/11/2012 09:12:48] TCP/IP v6 interfaces reset successful.
[16/11/2012 09:12:48] You may need to restart your computer for the settings to take effect.
[16/11/2012 09:12:48] Finished resetting the Internet Protocol (TCP/IP).
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:48] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Successfully reset the Winsock Catalog.
[16/11/2012 09:12:49] Finished repairing Winsock
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Successfully released TCP/IP connections.
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:49] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:55] Successfully renewed TCP/IP adapters.
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:55] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:57] Windows Event Log Service Configured.
[16/11/2012 09:12:57] Starting the Windows Event Log Service.....
[16/11/2012 09:12:57] Windows Event Log Service Started Successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:57] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:12:57] Successfully flushed DNS Resolver Cache.
[16/11/2012 09:12:57] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[16/11/2012 09:13:00] Registration of the DNS resource records has been initiated.
[16/11/2012 09:13:00] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[16/11/2012 09:13:00] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:00] Resetting the Windows Firewall configuraton, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:01] Could not reset Windows Firewall configuration.
[16/11/2012 09:13:01] Finished resetting the Windows Firewall configuraton.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:01] Restoring the default Windows HOSTS file, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:17] Writing data to the HOSTS file.....
[16/11/2012 09:13:17] HOSTS file created successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:17] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[16/11/2012 09:13:38] Your computer is restarting now.....
-----------------------------------------------------------------------------------------
./
(o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[16/11/2012 09:55:56] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:57] TCP/IP interfaces reset successful.
[16/11/2012 09:55:57] TCP/IP v6 interfaces reset successful.
[16/11/2012 09:55:57] You may need to restart your computer for the settings to take effect.
[16/11/2012 09:55:57] Finished resetting the Internet Protocol (TCP/IP).
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:57] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Successfully reset the Winsock Catalog.
[16/11/2012 09:55:58] Finished repairing Winsock
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Successfully released TCP/IP connections.
-----------------------------------------------------------------------------------------
[16/11/2012 09:55:58] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:02] Successfully renewed TCP/IP adapters.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:02] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:04] Windows Event Log Service Configured.
[16/11/2012 09:56:04] Starting the Windows Event Log Service.....
[16/11/2012 09:56:04] Windows Event Log Service Started Successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:04] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:04] Successfully flushed DNS Resolver Cache.
[16/11/2012 09:56:04] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[16/11/2012 09:56:08] Registration of the DNS resource records has been initiated.
[16/11/2012 09:56:08] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[16/11/2012 09:56:08] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:08] Resetting the Windows Firewall configuraton, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:08] Could not reset Windows Firewall configuration.
[16/11/2012 09:56:08] Finished resetting the Windows Firewall configuraton.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:08] Restoring the default Windows HOSTS file, Please wait.....
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:12] Writing data to the HOSTS file.....
[16/11/2012 09:56:12] HOSTS file created successfully.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:12] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[16/11/2012 09:56:14] Your computer is restarting now.....
-----------------------------------------------------------------------------------------
Farbar Service Scanner Version: 09-11-2012
Ran by Scott (administrator) on 16-11-2012 at 10:01:40
Running from "C:\Users\Scott\Desktop"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7
C:\Windows\System32\drivers\afd.sys
[2012-02-15 21:09] - [2012-01-03 08:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-11 18:11] - [2012-03-30 06:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E
C:\Windows\System32\dnsrslvr.dll
[2011-04-14 21:37] - [2011-03-02 10:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0
C:\Windows\System32\mpssvc.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
C:\Windows\System32\bfe.dll
[2009-12-02 20:16] - [2009-04-11 01:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-12-02 20:17] - [2009-04-11 01:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1
C:\Windows\System32\wscsvc.dll
[2009-12-02 20:16] - [2009-04-11 01:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A
C:\Windows\System32\wbem\WMIsvc.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-12-02 20:18] - [2009-04-11 01:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C
C:\Windows\System32\es.dll
[2009-12-02 20:17] - [2009-04-11 01:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF
C:\Windows\System32\cryptsvc.dll
[2012-10-09 12:33] - [2012-06-01 18:20] - 0174592 ____A (Microsoft Corporation) CA78B312C44E4D52E842C2C8BD48E452
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-12-02 20:18] - [2009-04-11 01:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF
**** End of log ****
- Jan 24, 2011
- 9,378
Glad to see that everything is running ok now!Lets run a scan with the following tools:
STEP 1: Run a scan with Kaspersky TDSSKiller
<ol>
<li>Download Kaspersky TDSKiller from the below link.
<><a title="External link" href="http://support.kaspersky.com/downloads/utils/tdsskiller.exe" rel="external">KASPERKSY TDSSKILLER DOWNLOAD LINK</a></> <em>(This link will automatically download Kaspersky TDSSKiller on your computer)</em>
</li>
<li>Double-click on <>TDSSKiller.exe</> to run the application.
<img src="http://img4.imageshack.us/img4/1907/tdss1.png" alt="Posted Image" /></li>
<li>Click <>Change parameters</>
<img src="http://img593.imageshack.us/img593/288/tdss2.png" alt="Posted Image" /></li>
<li>Check the boxes next to <>Verify Driver Digital Signature</> and <>Detect TDLFS file system</>, then click <>OK</>
<img src="http://img521.imageshack.us/img521/1456/tdss3.png" alt="Posted Image" /></li>
<li>Click on the <>Start Scan</> button to begin the scan and wait for it to finish.
<>NOTE:</> Do not use the computer during the scan!</li>
<li>During the scan it will look similar to the image below:
<img src="http://img6.imageshack.us/img6/9136/tdss4.jpg" alt="Posted Image" /></li>
<li>When it finishes, you will either see a report that no threats were found like below:
<img src="http://img696.imageshack.us/img696/9898/tdss5.jpg" alt="Posted Image" />
If no threats are found at this point, just click the <>Report</> selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.</li>
<li>If any infection or suspected items are found, you will see a window similar to below:
<img src="http://img854.imageshack.us/img854/905/tdss7.jpg" alt="Posted Image" />
<ul>
<li>If you have files that are shown to fail <em>signature check</em> do not take any action on these. Make sure you select <>Skip</>. I will tell you what to do with these later. They may not be issues at all.</li>
<li>If <em>Suspicious objects</em> are detected, the default action will be Skip. Leave the default set to Skip.</li>
<li>If <em>Malicious objects</em> are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
Make sure that <>Cure</> is selected. <>VERY IMPORTANT!</> - If <em>Cure</em> is not available, please choose <>Skip</> instead. DO NOT choose Delete unless instructed to do so.</li>
</ul>
</li>
<li>Click <>Continue</> to apply selected actions.</li>
<li>A reboot may be required to complete disinfection. A window like the below will appear:
<img src="http://img828.imageshack.us/img828/4812/tdss6.jpg" alt="Posted Image" />
Reboot immediately if TDSSKiller states that one is needed.</li>
<li>Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like <>TDSSKiller.2.1.1_2.12.2012_14.17.04_log.txt</> which is based on the program version # and date and time run.</li>
<li>Attach this log to your next reply.</li>
</ol>
<hr />
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chamelon mode
<ol>
<li>Download <>Malwarebytes Chameleon from the below link and extract it to a folder in a convenient location
<a title="External link" href="http://downloads.malwarebytes.org/file/chameleon" rel="nofollow external">MALWREBYTES CHAMELEON DOWNLOAD LINK</a> </>(This link will automatically download Malwarebytes Chameleon on your computer)</li>
<li>Make certain that your infected PC is connected to the internet and then open the folder you created or copied, on your infected computer and double-click on svchost.exe.
If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window.</em></li>
<li>Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for yo</li>
<li>Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click <>OK</> when it says that the database was updated successful</li>
<li>Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan</li>
<li>Upon completion of the scan, if anything has been detected, click on <>Show Result</></li>
<li>Have Malwarebytes Anti-Malware remove any threats that are detected and click <>Yes</> if prompted to reboot your computer to allow the removal process to complete</li>
<li>After your computer restarts, open <>Malwarebytes Anti-Malware</> and perform a Full System scan to verify that there are no remaining threats</li>
Please add both logs in your next reply.
</ol>
What's next?
Please add in your next reply:
1.Kaspersky TDSSKiller logs
2.Malwarebytes log
3.Let me know if you had any problems with the above instructions and also <>let me know how things are running now!</>
STEP 1: Run a scan with Kaspersky TDSSKiller
<ol>
<li>Download Kaspersky TDSKiller from the below link.
<><a title="External link" href="http://support.kaspersky.com/downloads/utils/tdsskiller.exe" rel="external">KASPERKSY TDSSKILLER DOWNLOAD LINK</a></> <em>(This link will automatically download Kaspersky TDSSKiller on your computer)</em>
</li>
<li>Double-click on <>TDSSKiller.exe</> to run the application.
<img src="http://img4.imageshack.us/img4/1907/tdss1.png" alt="Posted Image" /></li>
<li>Click <>Change parameters</>
<img src="http://img593.imageshack.us/img593/288/tdss2.png" alt="Posted Image" /></li>
<li>Check the boxes next to <>Verify Driver Digital Signature</> and <>Detect TDLFS file system</>, then click <>OK</>
<img src="http://img521.imageshack.us/img521/1456/tdss3.png" alt="Posted Image" /></li>
<li>Click on the <>Start Scan</> button to begin the scan and wait for it to finish.
<>NOTE:</> Do not use the computer during the scan!</li>
<li>During the scan it will look similar to the image below:
<img src="http://img6.imageshack.us/img6/9136/tdss4.jpg" alt="Posted Image" /></li>
<li>When it finishes, you will either see a report that no threats were found like below:
<img src="http://img696.imageshack.us/img696/9898/tdss5.jpg" alt="Posted Image" />
If no threats are found at this point, just click the <>Report</> selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.</li>
<li>If any infection or suspected items are found, you will see a window similar to below:
<img src="http://img854.imageshack.us/img854/905/tdss7.jpg" alt="Posted Image" />
<ul>
<li>If you have files that are shown to fail <em>signature check</em> do not take any action on these. Make sure you select <>Skip</>. I will tell you what to do with these later. They may not be issues at all.</li>
<li>If <em>Suspicious objects</em> are detected, the default action will be Skip. Leave the default set to Skip.</li>
<li>If <em>Malicious objects</em> are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
Make sure that <>Cure</> is selected. <>VERY IMPORTANT!</> - If <em>Cure</em> is not available, please choose <>Skip</> instead. DO NOT choose Delete unless instructed to do so.</li>
</ul>
</li>
<li>Click <>Continue</> to apply selected actions.</li>
<li>A reboot may be required to complete disinfection. A window like the below will appear:
<img src="http://img828.imageshack.us/img828/4812/tdss6.jpg" alt="Posted Image" />
Reboot immediately if TDSSKiller states that one is needed.</li>
<li>Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like <>TDSSKiller.2.1.1_2.12.2012_14.17.04_log.txt</> which is based on the program version # and date and time run.</li>
<li>Attach this log to your next reply.</li>
</ol>
<hr />
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chamelon mode
<ol>
<li>Download <>Malwarebytes Chameleon from the below link and extract it to a folder in a convenient location
<a title="External link" href="http://downloads.malwarebytes.org/file/chameleon" rel="nofollow external">MALWREBYTES CHAMELEON DOWNLOAD LINK</a> </>(This link will automatically download Malwarebytes Chameleon on your computer)</li>
<li>Make certain that your infected PC is connected to the internet and then open the folder you created or copied, on your infected computer and double-click on svchost.exe.
If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window.</em></li>
<li>Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for yo</li>
<li>Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click <>OK</> when it says that the database was updated successful</li>
<li>Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan</li>
<li>Upon completion of the scan, if anything has been detected, click on <>Show Result</></li>
<li>Have Malwarebytes Anti-Malware remove any threats that are detected and click <>Yes</> if prompted to reboot your computer to allow the removal process to complete</li>
<li>After your computer restarts, open <>Malwarebytes Anti-Malware</> and perform a Full System scan to verify that there are no remaining threats</li>
Please add both logs in your next reply.
</ol>
What's next?
Please add in your next reply:
1.Kaspersky TDSSKiller logs
2.Malwarebytes log
3.Let me know if you had any problems with the above instructions and also <>let me know how things are running now!</>
Last edited:
Of course, I get a new email on my phone saying you have replied, so I go to my laptop and no internet connection. It is not even going to the searchnu page. Do I just start over and run the scans again from the beginning? Please advise. This thing sucks!!
I now have internet back. The only issue I figured out is that when I turned my McAfee back on, I lost internet connection again. I figured it out, turned it back off and now I can get back on the internet. Thanks for all your help getting this figured out.
- Jan 24, 2011
- 9,378
- Jan 24, 2011
- 9,378
Ok,lets run the following scans:
STEP 1: Run a scan with ESET Online Scanner
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />
STEP 2: Run a scan with Kaspersky Virus Removal Tool
<ol><li>Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
<><a title="External link" href="http://www.kaspersky.com/antivirus-removal-tool?form=1" rel="nofollow">KASPERSKY VIRUS REMOVAL TOOL</a></> <em>(This link open an new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)</em></li>
<li>Follow the onscreen prompts until it is installed</li>
<li>Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
<ul>
<li><span style="color: #ff0000;">System Memory</span></li>
<li><span style="color: #ff0000;">Hidden startup objects</span></li>
<li><span style="color: #ff0000;">Disk boot sectors</span></li>
<li><span style="color: #ff0000;">Local Disk (C: )</span></li>
<li><span style="color: #ff0000;">Also any other drives (Removable that you may have)</span></li>
</ul>
</li>
<li>Then click on <>Actions</> on the left hand side</li>
<li>Click <>Select Action</>, then make sure both <>Disinfect</> and <>Delete if disinfection fails</> are ticked</li>
<li>Click on <>Automatic Scan</></li>
<li>Now click the <>Start Scanning</> button, to run the scan</li>
<li>After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side</li>
<li>Click <>Detected threats</> on the left</li>
<li>Now click the <>Save</> button, and save it as <>kaslog.txt</> to your <>Desktop</></li>
<li>Please attach kaslog.txt in your next reply.</li>
</ol>
<hr />
STEP 3: Run a scan with OTL by OldTimer
<ol><li>Download the OTL utility using the below link :
<><a title="External link" href="http://oldtimer.geekstogo.com/OTL.exe" rel="nofollow external">OTL DOWNLOAD LINK</a> <em>(This link will automatically download OTL on your computer)</em></></li>
<li>Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.</li>
<li>When the window appears, <>underneath Output</> at the top change it to <>Minimal Output</>.</li>
<li>Check the boxes beside <>LOP Check</> and <>Purity Check</>.</li>
<li>Click the<> Run Scan</> button.</li>
<li>When the scan completes, it will open two notepad windows. <>OTL.Txt</> and <>Extras.Txt</>. These are saved in the same location as OTL.
<>Please post this 2 logs in your first reply.</>.</li></ol>
<hr />
What's next?
Please add in your next reply:
1.ESET log
2. Kaspersky Virus Removal log
3.OTL logs
4.Let me know if you had any problems with the above instructions and also <>let me know how things are running now!</>
STEP 1: Run a scan with ESET Online Scanner
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />
STEP 2: Run a scan with Kaspersky Virus Removal Tool
<ol><li>Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
<><a title="External link" href="http://www.kaspersky.com/antivirus-removal-tool?form=1" rel="nofollow">KASPERSKY VIRUS REMOVAL TOOL</a></> <em>(This link open an new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)</em></li>
<li>Follow the onscreen prompts until it is installed</li>
<li>Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
<ul>
<li><span style="color: #ff0000;">System Memory</span></li>
<li><span style="color: #ff0000;">Hidden startup objects</span></li>
<li><span style="color: #ff0000;">Disk boot sectors</span></li>
<li><span style="color: #ff0000;">Local Disk (C: )</span></li>
<li><span style="color: #ff0000;">Also any other drives (Removable that you may have)</span></li>
</ul>
</li>
<li>Then click on <>Actions</> on the left hand side</li>
<li>Click <>Select Action</>, then make sure both <>Disinfect</> and <>Delete if disinfection fails</> are ticked</li>
<li>Click on <>Automatic Scan</></li>
<li>Now click the <>Start Scanning</> button, to run the scan</li>
<li>After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side</li>
<li>Click <>Detected threats</> on the left</li>
<li>Now click the <>Save</> button, and save it as <>kaslog.txt</> to your <>Desktop</></li>
<li>Please attach kaslog.txt in your next reply.</li>
</ol>
<hr />
STEP 3: Run a scan with OTL by OldTimer
<ol><li>Download the OTL utility using the below link :
<><a title="External link" href="http://oldtimer.geekstogo.com/OTL.exe" rel="nofollow external">OTL DOWNLOAD LINK</a> <em>(This link will automatically download OTL on your computer)</em></></li>
<li>Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.</li>
<li>When the window appears, <>underneath Output</> at the top change it to <>Minimal Output</>.</li>
<li>Check the boxes beside <>LOP Check</> and <>Purity Check</>.</li>
<li>Click the<> Run Scan</> button.</li>
<li>When the scan completes, it will open two notepad windows. <>OTL.Txt</> and <>Extras.Txt</>. These are saved in the same location as OTL.
<>Please post this 2 logs in your first reply.</>.</li></ol>
<hr />
What's next?
Please add in your next reply:
1.ESET log
2. Kaspersky Virus Removal log
3.OTL logs
4.Let me know if you had any problems with the above instructions and also <>let me know how things are running now!</>
Last edited:
Ran ESET scan Nothing found.
Kasp scan no threats.
OTL logs attached.
No problems with internet so far.
Kasp scan no threats.
OTL logs attached.
No problems with internet so far.
- Jan 24, 2011
- 9,378
Lets run the following tools:
STEP 1: Run a scan with AdwCleaner
<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>
<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
NEXT,
<ul>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Uninstall</>.</li>
<li>Confirm with <>yes</>.</li>
</ul>
<hr />
STEP 2: Run a HitmanPro scan and remove any malicious file.
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
</ol>
Add to your next post, any log that HitmanPro might generate.
<hr />
STEP 3: Run a scan with Security Check
<ol><li>Download <>Security Check</> from the below link:
<a href="http://screen317.spywareinfoforum.org/SecurityCheck.exe" target="_blank">SECURITY CHECK DOWNLOAD LINK</a> (This link will automatically download Security Check on your computer)</li>
<li>Double-click <>SecurityCheck.exe</></li>
<li>Follow the onscreen instructions inside of the black box.</li>
<li>A <>Notepad</> document should open automatically called <>checkup.txt</>; please post the contents of that document.
</ol>
<hr/>
What's next?
Attach the following logs to your post (You can find here details on how to use the Attachment System):
1.Security Check log
2.AdwCleaner log
3.HitmanPro Log
4.Let me know if you had any problems with the above instructions and also let me know how things are running now!
STEP 1: Run a scan with AdwCleaner
<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>
<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
NEXT,
<ul>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Uninstall</>.</li>
<li>Confirm with <>yes</>.</li>
</ul>
<hr />
STEP 2: Run a HitmanPro scan and remove any malicious file.
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
</ol>
Add to your next post, any log that HitmanPro might generate.
<hr />
STEP 3: Run a scan with Security Check
<ol><li>Download <>Security Check</> from the below link:
<a href="http://screen317.spywareinfoforum.org/SecurityCheck.exe" target="_blank">SECURITY CHECK DOWNLOAD LINK</a> (This link will automatically download Security Check on your computer)</li>
<li>Double-click <>SecurityCheck.exe</></li>
<li>Follow the onscreen instructions inside of the black box.</li>
<li>A <>Notepad</> document should open automatically called <>checkup.txt</>; please post the contents of that document.
</ol>
<hr/>
What's next?
Attach the following logs to your post (You can find here details on how to use the Attachment System):
1.Security Check log
2.AdwCleaner log
3.HitmanPro Log
4.Let me know if you had any problems with the above instructions and also let me know how things are running now!
Last edited:
logs you requested. When ADW uninstalled, it deleted the log. Do you want me to rerun that one so you can see the log?
Hitman log would not allow me to attach the log so I copied and pasted it here:
Hitman log would not allow me to attach the log so I copied and pasted it here:
Code:
HitmanPro 3.6.2.174
www.hitmanpro.com
Computer name . . . . : SCOTT-PC
Windows . . . . . . . : 6.0.2.6002.X64/2
User name . . . . . . : Scott-PC\Scott
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free
Scan date . . . . . . : 2012-11-23 14:19:50
Scan mode . . . . . . : Normal
Scan duration . . . . : 11m 27s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 42
Objects scanned . . . : 7,159,075
Files scanned . . . . : 67,662
Remnants scanned . . : 592,863 files / 6,498,550 keys
Potential Unwanted Programs _________________________________________________
C:\Users\Scott\AppData\LocalLow\DataMngr\ (SearchQU)
C:\Users\Scott\AppData\LocalLow\DataMngr\{7CA1F051-A4FB-4143-B263-02B41E571EED} (SearchQU)
HKLM\SOFTWARE\Classes\AppID\BrowserConnection.DLL\ (SearchQU)
HKLM\SOFTWARE\Classes\AppID\DnsBHO.DLL\ (SearchQU)
HKLM\SOFTWARE\Classes\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}\ (SearchQU)
HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}\ (SearchQU)
HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1\ (SearchQU)
HKLM\SOFTWARE\Classes\BrowserConnection.Loader\ (SearchQU)
HKLM\SOFTWARE\Classes\DnsBHO.BHO.1\ (SearchQU)
HKLM\SOFTWARE\Classes\DnsBHO.BHO\ (SearchQU)
HKLM\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\ (SearchQU)
HKLM\SOFTWARE\Classes\Interface\{44B619BC-3D2B-4990-AA4F-9AA366921792}\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\BrowserConnection.DLL\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\DnsBHO.DLL\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\BrowserConnection.Loader.1\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\BrowserConnection.Loader\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\DnsBHO.BHO.1\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\DnsBHO.BHO\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}\ (SearchQU)
HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{44B619BC-3D2B-4990-AA4F-9AA366921792}\ (SearchQU)
HKU\S-1-5-21-2715086387-575502159-2664894679-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4f12-8568-69135F087DB0},\ (SearchQU)
Cookies _____________________________________________________________________
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\2CMNBXXA.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\3MC5NMS2.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\64BJN7P4.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\84Z0XMDM.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\8FRIXUFW.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\9QNQF5WT.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\BDSXA6AR.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\BR6SENWC.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\FOC52VKQ.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\HDJM5LON.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\IS3QZH8T.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\LZVF9I35.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\OD94UHMB.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\ONRH93IK.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\Q4JA4HFS.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\UJD76QD7.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\WO0IOWZG.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\WWNYG798.txt
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\YUEFGKJZ.txtSimilar threads
- Locked
