Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Computer slow, Malwarebyte shows no malicious items [Solved]

Started by heathermb769 , Sep 08 2012 06:03 PM

  • This topic is locked This topic is locked

#1
heathermb769
Posted 08 September 2012 - 06:03 PM

heathermb769

    Member

  • Member
  • PipPipPip
  • 107 posts
Hi and thanks in advance for your help.

My laptop has suddenly started running very slowly, in both surfing and documents. I am running Windows 7, its a ASUS laptop, with two hard drives, one with 75 Gigs and one with 208 gigs.

I have Windows Firewall, and Malwarebytes. Two weeks ago, Malwarebytes came up with:

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|JKUjoyGXkp.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\JKUjoyGXkp.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\ProgramData\JKUjoyGXkp.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

Scans have run clean since but computer is still painfully slow. Any advice or suggestions? OTL Log posted below:

OTL logfile created on: 9/8/2012 6:35:02 PM - Run 1
OTL by OldTimer - Version 3.2.61.2 Folder = C:\Users\Heather Laptop\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.97 Gb Total Physical Memory | 2.52 Gb Available Physical Memory | 63.51% Memory free
7.93 Gb Paging File | 5.91 Gb Available in Paging File | 74.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 74.52 Gb Total Space | 10.67 Gb Free Space | 14.32% Space Free | Partition Type: NTFS
Drive D: | 208.91 Gb Total Space | 178.98 Gb Free Space | 85.67% Space Free | Partition Type: NTFS

Computer Name: HEATHERLAPTOP | User Name: Heather Laptop | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/08 18:34:04 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Users\Heather Laptop\Downloads\OTL.exe
PRC - [2012/01/23 00:43:08 | 000,247,728 | ---- | M] (TomTom) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2012/01/23 00:43:08 | 000,092,592 | ---- | M] (TomTom) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2011/02/18 11:47:12 | 000,079,192 | ---- | M] (Research In Motion Limited) -- C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
PRC - [2010/09/12 09:35:39 | 000,872,518 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090908-0900\soffice.exe
PRC - [2010/07/04 20:13:56 | 000,095,576 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe
PRC - [2010/05/21 11:36:28 | 003,824,472 | ---- | M] (AOL Inc.) -- C:\Program Files (x86)\AIM\aim.exe
PRC - [2010/03/23 10:54:55 | 000,028,496 | ---- | M] (AOL Inc.) -- C:\Program Files (x86)\AOL 9.5\waol.exe
PRC - [2010/03/23 10:54:54 | 000,054,608 | ---- | M] (AOL Inc.) -- C:\Program Files (x86)\AOL 9.5\shellmon.exe
PRC - [2010/02/10 09:19:09 | 000,041,800 | ---- | M] (AOL Inc.) -- C:\Program Files (x86)\Common Files\aol\1278338091\ee\aolsoftware.exe
PRC - [2009/11/11 09:01:17 | 003,054,136 | ---- | M] (ASUS) -- C:\Windows\AsScrPro.exe
PRC - [2009/09/24 17:50:02 | 000,053,888 | ---- | M] () -- C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
PRC - [2009/07/24 14:32:50 | 001,593,344 | ---- | M] () -- C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
PRC - [2009/07/07 15:20:56 | 008,493,624 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
PRC - [2009/05/25 13:38:04 | 000,079,120 | ---- | M] (IBM) -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.0.20090525-1200\win32\x86\symphony.exe
PRC - [2009/05/18 19:59:10 | 000,428,600 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe
PRC - [2009/05/18 19:58:38 | 000,305,720 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
PRC - [2009/04/24 01:24:44 | 000,178,744 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
PRC - [2009/04/20 15:09:30 | 000,159,744 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
PRC - [2009/04/02 01:05:34 | 000,098,304 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
PRC - [2008/12/22 21:15:34 | 000,174,648 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
PRC - [2008/08/14 01:00:08 | 000,113,208 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
PRC - [2008/08/14 00:59:56 | 000,301,624 | ---- | M] () -- C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe
PRC - [2008/08/14 00:59:52 | 000,100,920 | ---- | M] () -- C:\Program Files (x86)\ASUS\ATK Hotkey\AsLdrSrv.exe
PRC - [2008/08/13 20:21:56 | 002,482,176 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
PRC - [2007/11/30 15:20:44 | 000,051,768 | ---- | M] () -- C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
PRC - [2007/08/08 04:08:40 | 000,094,208 | ---- | M] () -- C:\Program Files\ATKGFNEX\GFNEXSrv.exe
PRC - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files (x86)\Common Files\aol\acs\AOLacsd.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/02 00:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/02 00:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/09/12 09:36:51 | 000,077,824 | ---- | M] () -- C:\Users\Heather Laptop\IBM\Lotus\Symphony\.config\org.eclipse.osgi\bundles\435\1\.cp\lib\win32\officebean.dll
MOD - [2010/09/12 09:36:33 | 000,073,728 | ---- | M] () -- C:\Users\Heather Laptop\IBM\Lotus\Symphony\.config\org.eclipse.osgi\bundles\426\1\.cp\lib\win32\seditorReg.dll
MOD - [2010/09/12 09:36:32 | 000,077,824 | ---- | M] () -- C:\Users\Heather Laptop\IBM\Lotus\Symphony\.config\org.eclipse.osgi\bundles\436\1\.cp\lib\win32\officebean.dll
MOD - [2010/09/12 09:35:47 | 010,727,489 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.writer.lib.win32_3.5.0.20090908-0900\sw645mi.dll
MOD - [2010/09/12 09:35:46 | 000,036,864 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\xslt4cMessages_1_7_0.dll
MOD - [2010/09/12 09:35:45 | 001,794,123 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\udkservice1.dll
MOD - [2010/09/12 09:35:45 | 001,749,055 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\sal3.dll
MOD - [2010/09/12 09:35:45 | 001,437,784 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\log4pt.dll
MOD - [2010/09/12 09:35:45 | 000,286,720 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\xerces-depdom_2_6.dll
MOD - [2010/09/12 09:35:45 | 000,147,524 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\reg3.dll
MOD - [2010/09/12 09:35:45 | 000,118,854 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\urp_uno.dll
MOD - [2010/09/12 09:35:45 | 000,098,375 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\sysdtrans.dll
MOD - [2010/09/12 09:35:45 | 000,098,304 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\uwinapi.dll
MOD - [2010/09/12 09:35:45 | 000,073,794 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\vos3MSC.dll
MOD - [2010/09/12 09:35:45 | 000,049,230 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\jvmaccess3MSC.dll
MOD - [2010/09/12 09:35:45 | 000,036,934 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\mcnttype.dll
MOD - [2010/09/12 09:35:45 | 000,032,837 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\rmcxt3.dll
MOD - [2010/09/12 09:35:45 | 000,024,641 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\jpipe.dll
MOD - [2010/09/12 09:35:44 | 000,647,244 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\basicservice.uno.dll
MOD - [2010/09/12 09:35:44 | 000,094,283 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\emser645mi.dll
MOD - [2010/09/12 09:35:44 | 000,094,273 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\dnd.dll
MOD - [2010/09/12 09:35:44 | 000,061,509 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.system.win32_3.5.0.20090908-0900\ftransl.dll
MOD - [2010/09/12 09:35:42 | 002,854,984 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\ucpchelp1.dll
MOD - [2010/09/12 09:35:42 | 002,400,323 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\vcl645mi.dll
MOD - [2010/09/12 09:35:42 | 000,299,083 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\xcr645mi.dll
MOD - [2010/09/12 09:35:42 | 000,110,661 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\uui645mi.dll
MOD - [2010/09/12 09:35:41 | 002,981,961 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\svt645mi.dll
MOD - [2010/09/12 09:35:41 | 002,326,598 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\sb645mi.dll
MOD - [2010/09/12 09:35:41 | 001,921,103 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\i18npool645mi.dll
MOD - [2010/09/12 09:35:41 | 001,716,292 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\sax.uno.dll
MOD - [2010/09/12 09:35:41 | 001,224,776 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\tk645mi.dll
MOD - [2010/09/12 09:35:41 | 000,413,764 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\so645mi.dll
MOD - [2010/09/12 09:35:41 | 000,286,792 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\go645mi.dll
MOD - [2010/09/12 09:35:41 | 000,139,343 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\localedata_en.dll
MOD - [2010/09/12 09:35:40 | 008,671,299 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.framework.win32_3.5.0.20090908-0900\svx645mi.dll
MOD - [2010/09/12 09:35:40 | 006,660,166 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.framework.win32_3.5.0.20090908-0900\sfx645mi.dll
MOD - [2010/09/12 09:35:40 | 000,696,398 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.infra.win32_3.5.0.20090908-0900\dbtools2.dll
MOD - [2010/09/12 09:35:39 | 001,421,381 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.framework.win32_3.5.0.20090908-0900\frm645mi.dll
MOD - [2010/09/12 09:35:39 | 000,872,518 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090908-0900\soffice.exe
MOD - [2010/09/12 09:35:39 | 000,397,382 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.framework.win32_3.5.0.20090908-0900\ofa645mi.dll
MOD - [2010/09/12 09:35:39 | 000,155,724 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.framework.win32_3.5.0.20090908-0900\lng645mi.dll
MOD - [2010/09/12 09:35:38 | 001,601,610 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090908-0900\desktp645mi.dll
MOD - [2010/09/12 09:35:38 | 000,204,883 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090908-0900\oleautobridge.uno.dll
MOD - [2010/09/12 09:35:38 | 000,041,034 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090908-0900\scn645mi.dll
MOD - [2010/09/12 09:34:15 | 000,098,304 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.swt.browser.dom.ie_6.2.0.20090525-1200\os\win32\x86\comex.dll
MOD - [2010/09/12 09:34:15 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.swt.browser.dom.ie_6.2.0.20090525-1200\os\win32\x86\tlogpsdll.dll
MOD - [2010/05/21 11:31:45 | 000,176,128 | ---- | M] () -- C:\Program Files (x86)\AIM\nssckbi.dll
MOD - [2010/03/23 10:54:55 | 000,081,920 | ---- | M] () -- C:\Program Files (x86)\AOL 9.5\xmltok.dll
MOD - [2010/03/23 10:54:55 | 000,053,248 | ---- | M] () -- C:\Program Files (x86)\AOL 9.5\xmlparse.dll
MOD - [2010/03/23 10:54:55 | 000,045,056 | ---- | M] () -- C:\Program Files (x86)\AOL 9.5\zlib.dll
MOD - [2010/03/23 10:54:54 | 000,118,784 | ---- | M] () -- c:\Program Files (x86)\Common Files\aol\1278338091\ee\services\proxyprovider\ver1_0_0_1\proxyprovider.dll
MOD - [2009/09/24 17:50:02 | 000,053,888 | ---- | M] () -- C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
MOD - [2009/07/24 14:32:50 | 001,593,344 | ---- | M] () -- C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
MOD - [2009/05/25 13:38:06 | 000,051,200 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.dee.win32.x86_6.5.0.200905251200\jre\bin\j9zlib24.dll
MOD - [2009/05/25 13:38:04 | 000,081,920 | ---- | M] () -- C:\Program Files (x86)\IBM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.0.20090525-1200\win32\x86\eclipse_1114.dll
MOD - [2007/11/30 15:20:44 | 000,051,768 | ---- | M] () -- C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe


========== Services (SafeList) ==========

SRV:64bit: - [2009/09/17 15:36:34 | 000,359,552 | ---- | M] (ASUSTeK Computer Inc.) [Auto | Running] -- C:\Windows\SysNative\FBAgent.exe -- (AFBAgent)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2007/08/08 04:08:40 | 000,094,208 | ---- | M] () [Auto | Running] -- C:\Program Files\ATKGFNEX\GFNEXSrv.exe -- (ATKGFNEXSrv)
SRV - [2012/04/25 06:25:16 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/01/23 00:43:08 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/14 21:03:42 | 000,044,312 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\Game Park\GameConsole\OberonGameConsoleService.exe -- (OberonGameConsoleService)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/08/14 00:59:52 | 000,100,920 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Hotkey\AsLdrSrv.exe -- (ASLDRService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\aol\acs\AOLacsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/15 11:01:50 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/16 18:23:46 | 000,074,240 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/08/25 20:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/06/14 10:32:54 | 000,016,448 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TFsExDisk.sys -- (TFsExDisk)
DRV:64bit: - [2010/04/26 22:25:22 | 000,161,280 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscemdm.sys -- (sscemdm)
DRV:64bit: - [2010/04/26 22:25:22 | 000,127,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscebus.sys -- (sscebus)
DRV:64bit: - [2010/04/26 22:25:22 | 000,018,944 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscemdfl.sys -- (sscemdfl)
DRV:64bit: - [2010/04/26 22:25:20 | 000,172,104 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdmdm.sys -- (sscdmdm)
DRV:64bit: - [2010/04/26 22:25:20 | 000,136,264 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdbus.sys -- (sscdbus)
DRV:64bit: - [2010/04/26 22:25:20 | 000,019,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV:64bit: - [2009/07/27 03:04:35 | 000,058,880 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2009/07/20 05:29:39 | 000,015,416 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\kbfiltr.sys -- (kbfiltr)
DRV:64bit: - [2009/07/20 03:33:41 | 007,058,432 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw1v64.sys -- (NETw1v64)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:10:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rootmdm.sys -- (ROOTMODEM)
DRV:64bit: - [2009/07/08 23:11:41 | 000,140,800 | ---- | M] (ELAN Microelectronic Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ETD.sys -- (ETD)
DRV:64bit: - [2009/06/19 22:09:57 | 001,394,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/06/10 16:35:57 | 000,056,832 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SiSG664.sys -- (SiSGbeLH)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/04 06:54:35 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/05/26 09:32:37 | 000,040,448 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AmUStor.sys -- (AmUStor)
DRV:64bit: - [2009/05/25 16:13:09 | 000,138,752 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV:64bit: - [2009/05/20 04:11:05 | 001,799,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\snp2uvc.sys -- (SNP2UVC)
DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/12 21:07:19 | 000,015,928 | ---- | M] (ASUS) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ATK64AMD.sys -- (MTsensor)
DRV:64bit: - [2009/01/09 15:02:08 | 000,031,744 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys -- (RimVSerPort)
DRV:64bit: - [2008/12/08 17:35:52 | 000,061,792 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2008/05/23 21:27:28 | 000,154,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV:64bit: - [2007/07/24 15:11:32 | 000,014,904 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\ATKGFNEX\ASMMAP64.sys -- (ASMMAP64)
DRV:64bit: - [2006/11/29 18:24:49 | 000,024,064 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wanatw64.sys -- (wanatw)
DRV - [2010/06/14 10:32:54 | 000,016,448 | ---- | M] (Teruten Inc) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\TFsExDisk.Sys -- (TFsExDisk)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)


[2011/05/21 13:13:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Heather Laptop\AppData\Roaming\Mozilla\Extensions
[2011/05/21 13:13:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Heather Laptop\AppData\Roaming\Mozilla\Extensions\[email protected]

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\21.0.1180.89\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4:64bit: - HKLM..\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (AlcorMicro Co., Ltd.)
O4:64bit: - HKLM..\Run: [EeeStorageBackup] C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe (ECAREME)
O4:64bit: - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronic Corp.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe (ASUS)
O4 - HKLM..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe (ASUS)
O4 - HKLM..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe (ASUS)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Setwallpaper] c:\programdata\SetWallpaper.cmd File not found
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [Adobe] C:\Users\Heather Laptop\AppData\Local\Adobe\tlddrjrd.dll (Hewlett-Packard)
O4 - HKCU..\Run: [AOL Fast Start] C:\Program Files (x86)\AOL 9.5\AOL.EXE (AOL Inc.)
O4 - HKCU..\Run: [AutoStartNPSAgent] C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKCU..\Run: [Calendarscope] "C:\Program Files (x86)\Calendarscope\csde.exe" File not found
O4 - HKCU..\Run: [SODCPreLoad] C:\Program Files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090908-0900\preload.exe ()
O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.cvsphoto....veX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1E6D3C2C-F51F-412C-A277-3D58065593F0}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9FE4A055-D1C6-430F-965D-459EAEC944CC}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{9c53ab90-826a-11e0-858d-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{9c53ab90-826a-11e0-858d-00038a000015}\Shell\AutoRun\command - "" = F:\KODAK_Software_Downloader.exe
O33 - MountPoints2\{b75e1e98-6465-11e0-89cf-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{b75e1e98-6465-11e0-89cf-00038a000015}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========


========== Files - Modified Within 30 Days ==========

[2012/09/08 18:41:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/09/08 17:51:01 | 000,000,914 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/09/08 17:51:01 | 000,000,910 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/09/08 08:34:54 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/08 08:34:54 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/08 08:27:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/08 08:27:12 | 3193,737,216 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/06 21:44:08 | 000,726,444 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/09/06 21:44:08 | 000,624,412 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/09/06 21:44:08 | 000,106,756 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/09/03 15:53:56 | 000,002,338 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/08/19 20:41:19 | 000,002,059 | ---- | M] () -- C:\Windows\SysNative\AutoRunFilter.ini
[2012/08/19 08:06:25 | 000,019,580 | ---- | M] () -- C:\Users\Heather Laptop\Documents\Girls56SummerHoops.pdf
[2012/08/16 06:48:55 | 000,380,056 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/08/11 09:17:49 | 000,001,107 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/08/19 08:06:24 | 000,019,580 | ---- | C] () -- C:\Users\Heather Laptop\Documents\Girls56SummerHoops.pdf
[2012/03/24 10:48:47 | 000,000,406 | ---- | C] () -- C:\Windows\ka.ini
[2011/07/26 21:18:16 | 000,005,632 | ---- | C] () -- C:\Users\Heather Laptop\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/11 08:36:38 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe

========== LOP Check ==========

[2010/09/21 18:12:44 | 000,000,000 | -HSD | M] -- C:\Users\Heather Laptop\AppData\Roaming\.#
[2010/07/25 17:57:52 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\acccore
[2010/10/30 14:15:06 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\Amazon
[2010/06/24 05:53:53 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\Asus WebStorage
[2010/08/10 23:00:13 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\Blackberry Desktop
[2011/08/09 22:07:57 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\Dropbox
[2010/11/30 22:07:45 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\Duality Software
[2011/02/23 14:24:14 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\EeeStorageUploader
[2010/06/26 09:44:59 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\GameConsole
[2011/01/17 19:03:38 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\LegalSounds
[2012/05/03 21:12:38 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\ML
[2010/08/10 21:30:59 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\Research In Motion
[2012/03/03 23:48:09 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\Samsung
[2010/06/28 21:27:31 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\SanDisk
[2011/02/23 14:24:10 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\temp
[2011/05/21 13:13:19 | 000,000,000 | ---D | M] -- C:\Users\Heather Laptop\AppData\Roaming\TomTom
[2012/07/16 21:00:49 | 000,032,566 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:B88E99C8
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:A724744F

< End of report >
  • 0

Advertisements

#2
heathermb769
Posted 08 September 2012 - 06:15 PM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
I also am noticing that when I click on a link and select "Open in New Tab," it shows in the tab "drugcalculator.net" before it eventually goes to "Loading" and then eventually to the page.
  • 0

#3
emeraldnzl
Posted 08 September 2012 - 07:12 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello heathermb769,

Please download aswMBR.exe ( 4.5mb ) to your desktop.

Double click the aswMBR.exe to run it.

Posted ImageClick the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

After that

Please download Farbar Service Scanner and run.
  • Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update

[*]Press Scan
[*]A log (FSS.txt) will be created in the same directory the tool is run.
[*]Copy and paste the log back here.
[/list]So when you return please post
  • aswMBR log
  • FSS.txt
  • 0

#4
heathermb769
Posted 09 September 2012 - 08:24 AM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
I have downloaded the aswMBR.exe, but when I double click on it, I get a popup asking me if I want to let it make changes to my computer. I select yes, and then nothing happens.
  • 0

#5
heathermb769
Posted 09 September 2012 - 08:57 AM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
Here is the FSS log, however... I'll keep trying with the other scan.

Farbar Service Scanner Version: 06-08-2012
Ran by Heather Laptop (administrator) on 09-09-2012 at 10:55:50
Running from "C:\Users\Heather Laptop\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#6
emeraldnzl
Posted 09 September 2012 - 01:07 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

I'll keep trying with the other scan.


Try right clicking on it and running as Administrator. :)
  • 0

#7
heathermb769
Posted 09 September 2012 - 01:26 PM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
I have tried that as well. I get the hourglass, then it returns to idle state without running the program.
  • 0

#8
emeraldnzl
Posted 09 September 2012 - 01:31 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Try this one:

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • Click on Scan

    Posted Image
  • Wait for the scan to finish.
  • The report is created on your desktop.
  • Click on the Delete button

    Posted Image
  • The report is created on your desktop.
  • Next click on the ShortcutsFix button.

    Posted Image
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of all the RKreport.txt files from your desktop in your next Reply.
  • 0

#9
heathermb769
Posted 09 September 2012 - 01:34 PM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
The link appears to bring me to a page in French - is that normal?
  • 0

#10
emeraldnzl
Posted 09 September 2012 - 01:37 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Yes that one has been developed by a French malware fighter. It's Okay. :cool:
  • 0

Advertisements

#11
heathermb769
Posted 09 September 2012 - 01:45 PM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
Bien, lol....

Here are the reports.

(1)
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Heather Laptop [Admin rights]
Mode : Scan -- Date : 09/09/2012 15:37:26

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Registry Entries : 27 ¤¤¤
[RUN][BLACKLIST DLL] HKCU\[...]\Run : Adobe (rundll32.exe "C:\Users\Heather Laptop\AppData\Local\Adobe\tlddrjrd.dll",DllUnregisterServer) -> FOUND
[RUN][BLACKLIST DLL] HKUS\S-1-5-21-16999326-326163528-2076249188-1001[...]\Run : Adobe (rundll32.exe "C:\Users\Heather Laptop\AppData\Local\Adobe\tlddrjrd.dll",DllUnregisterServer) -> FOUND
[TASK][SUSP PATH] {0B89D2D6-A10F-4E37-938C-29BD256B7214} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {19DD3800-4182-4842-BB91-093E69144AB3} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {2E5B0125-F418-4325-9845-B239B1E0298A} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {471C8C2D-34A8-4DCB-983F-3B1B2012C91E} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {621C80C8-6DAB-4C0B-80DB-0F5751E69FC7} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {66D1DE74-AE81-4BA4-8F4A-ED1C94BA4B3C} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {7540A2B7-3CDA-4E17-9639-1819800B0D44} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {9D4E42E7-89DA-41CE-AB58-D90E577F1FD2} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {AA307921-D043-489C-988B-A5DB09EEF3EE} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {B2AD882C-CA3F-40C4-A9C7-8E7B5FD81A8C} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {B73CFA14-81D2-4B4A-A7CD-709EEF51F753} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {BD5F10DF-08B0-4050-B2EA-B07B95CBC5F5} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {CC3E9A07-A81E-4F1D-842E-26B0436ACB0F} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {D0FA13B2-3A1A-4D2E-B694-64ECDBEB7720} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {D51B37D9-321C-4461-84F8-4C2C1648B465} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {ED2E8C5D-6D7E-433D-9BC6-AB1C74D2D86E} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[TASK][SUSP PATH] {FDC9596E-60D3-4C21-93BC-70AE67A1084D} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320325AS +++++
--- User ---
[MBR] ac55952354a646fd8282312cff47d872
[BSP] 096b15d21f7088479deea16908118a22 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 14998 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30717952 | Size: 76311 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 187002880 | Size: 213935 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 12bdff23ab3ff0078c6abcf6b1634e28
[BSP] b81d9dd831a5073c9bd180ac694217f0 : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 14998 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30717952 | Size: 76311 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 187002880 | Size: 213935 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 12bdff23ab3ff0078c6abcf6b1634e28
[BSP] b81d9dd831a5073c9bd180ac694217f0 : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 14998 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30717952 | Size: 76311 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 187002880 | Size: 213935 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt



(2)
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Heather Laptop [Admin rights]
Mode : Remove -- Date : 09/09/2012 15:39:46

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Registry Entries : 23 ¤¤¤
[RUN][BLACKLIST DLL] HKCU\[...]\Run : Adobe (rundll32.exe "C:\Users\Heather Laptop\AppData\Local\Adobe\tlddrjrd.dll",DllUnregisterServer) -> DELETED
[TASK][SUSP PATH] {0B89D2D6-A10F-4E37-938C-29BD256B7214} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {19DD3800-4182-4842-BB91-093E69144AB3} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {2E5B0125-F418-4325-9845-B239B1E0298A} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {471C8C2D-34A8-4DCB-983F-3B1B2012C91E} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {621C80C8-6DAB-4C0B-80DB-0F5751E69FC7} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {66D1DE74-AE81-4BA4-8F4A-ED1C94BA4B3C} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {7540A2B7-3CDA-4E17-9639-1819800B0D44} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {9D4E42E7-89DA-41CE-AB58-D90E577F1FD2} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {AA307921-D043-489C-988B-A5DB09EEF3EE} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {B2AD882C-CA3F-40C4-A9C7-8E7B5FD81A8C} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {B73CFA14-81D2-4B4A-A7CD-709EEF51F753} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {BD5F10DF-08B0-4050-B2EA-B07B95CBC5F5} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {CC3E9A07-A81E-4F1D-842E-26B0436ACB0F} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {D0FA13B2-3A1A-4D2E-B694-64ECDBEB7720} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {D51B37D9-321C-4461-84F8-4C2C1648B465} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {ED2E8C5D-6D7E-433D-9BC6-AB1C74D2D86E} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[TASK][SUSP PATH] {FDC9596E-60D3-4C21-93BC-70AE67A1084D} : C:\Users\Heather Laptop\Desktop\aswMBR.exe -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320325AS +++++
--- User ---
[MBR] ac55952354a646fd8282312cff47d872
[BSP] 096b15d21f7088479deea16908118a22 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 14998 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30717952 | Size: 76311 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 187002880 | Size: 213935 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 12bdff23ab3ff0078c6abcf6b1634e28
[BSP] b81d9dd831a5073c9bd180ac694217f0 : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 14998 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30717952 | Size: 76311 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 187002880 | Size: 213935 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 12bdff23ab3ff0078c6abcf6b1634e28
[BSP] b81d9dd831a5073c9bd180ac694217f0 : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 14998 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30717952 | Size: 76311 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 187002880 | Size: 213935 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



(3)
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Heather Laptop [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/09/2012 15:42:47

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 7 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 12 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 212 / Fail 0
My documents: Success 9 / Fail 9
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 1247 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 222 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[H:] \Device\HarddiskVolume4 -- 0x2 --> Restored

¤¤¤ Infection : Root.MBR ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  • 0

#12
emeraldnzl
Posted 09 September 2012 - 01:52 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
I have to go out now for a few hours. Do this one while I am away. I will check back in early afternoon N.Z. time. :)

Should run okay but if you have problems tell me and I will attend with a reply when I get back.

Now

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#13
heathermb769
Posted 09 September 2012 - 07:37 PM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
Well, here's the Combofix log. However, I no longer can connect to the internet on my laptop - I get an error:
"Illegal operation attempted on a registry key that has been marked for deletion." I get the error whether I try with IE, AOL, or Google Chrome. Luckily, my daughter's laptop is working :-)

Let me know what's next...

ComboFix 12-09-09.02 - Heather Laptop 09/09/2012 16:26:39.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2491 [GMT -4:00]
Running from: c:\users\Heather Laptop\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\programdata\yDS0gG50.exe
c:\users\Heather Laptop\AppData\Roaming\.#
c:\windows\msvcr71.dll
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-09 to 2012-09-09 )))))))))))))))))))))))))))))))
.
.
2012-09-09 20:58 . 2012-09-09 20:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-15 10:12 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 10:12 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-15 10:11 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 10:11 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 10:11 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2012-08-15 10:11 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-15 10:11 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 10:11 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 10:11 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 10:11 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-15 10:11 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-15 10:11 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 02:37 . 2010-06-26 21:23 62134624 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728]
"AutoStartNPSAgent"="c:\program files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-07-05 95576]
"AOL Fast Start"="c:\program files (x86)\AOL 9.5\AOL.EXE" [2010-03-23 29520]
"SODCPreLoad"="c:\program files (x86)\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.5.0.20090908-0900\preload.exe" [2010-09-12 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Pinyin IME Migration"="c:\progra~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-31 32112]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2009-04-02 98304]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-07-07 8493624]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-04-20 159744]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\users\Heather Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-31 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 253088]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2009-05-26 40448]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-31 136176]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [2009-06-10 56832]
R3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\DRIVERS\sscebus.sys [2010-04-27 127488]
R3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\DRIVERS\sscemdfl.sys [2010-04-27 18944]
R3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\DRIVERS\sscemdm.sys [2010-04-27 161280]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2010-06-14 16448]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-26 1255736]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [2009-09-17 359552]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files (x86)\Asus\Game Park\GameConsole\OberonGameConsoleService.exe [2009-09-15 44312]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-01-23 92592]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2009-07-09 140800]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-25 138752]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [2009-07-27 58880]
S3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw1v64.sys [2009-07-20 7058432]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 10:25]
.
2012-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-31 15:59]
.
2012-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-31 15:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2010-11-05 01:57 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2010-11-05 01:57 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-26 59248]
"EeeStorageBackup"="c:\program files (x86)\ASUS\Asus WebStorage\BackupService.exe" [2009-08-25 947472]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-04-09 320000]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-07-30 617856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Calendarscope - c:\program files (x86)\Calendarscope\csde.exe
Wow6432Node-HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd
Wow6432Node-HKLM-Run-NPSStartup - (no file)
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Asus_ULSeries_ScreenSaver - c:\windows\system32\Asus_ULSeries_ScreenSaver.scr
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\SmartLogon\smartlogon.exe
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Hotkey\Atouch64.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
.
**************************************************************************
.
Completion time: 2012-09-09 17:29:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-09 21:29
.
Pre-Run: 12,956,827,648 bytes free
Post-Run: 14,526,783,488 bytes free
.
- - End Of File - - BA5F4BFC3720C2476C66D6DE111BB54F
  • 0

#14
emeraldnzl
Posted 09 September 2012 - 07:54 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

Well, here's the Combofix log. However, I no longer can connect to the internet on my laptop


ComboFix disconnects from the internet while running. The connection is automatically restored when it is finished. Sometimes if it is interrupted or doesn't quite finish properly the connection is not reastablished. Usually fixed with a reboot.

Reboot the infected machine now and tell me if that restores internet connection. :)
  • 0

#15
heathermb769
Posted 09 September 2012 - 07:57 PM

heathermb769

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 107 posts
Rebooting in process
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP