
PC is suddenly slow and programs display not responding for awhile. MW


  • This topic is locked

#46
1972vet

    Trusted Helper

  • Malware Removal
  • 99 posts

Let me bring your attention to two unusual things I noticed on the PC.

1. I have the Yahoo toolbar installed on my PC, so if I click on it to be removed in Control Panel, I suddenly notice that my CPU (fan) speed is high. If I open Task Manager it will display an AU_.exe process eating up my CPU at about 50%. I googled it and discovered that it might have been installed with ActiveX, but I've been unable to uninstall it.

2. Whenever I try to search for stuff in my Firefox address bar, I notice that the search engine has changed to Bing, so I resort to using the Google search bar. I'm thinking maybe it's malware or something, because I can't find any Bing toolbar in my programs, nor is it in my add-ons.

Please post what you think about this....

...I don't think it is a hard disk failure because, as I posted earlier, I have Linux installed on the same PC and it works perfectly.

Point (1):
The file AU_.exe is, in your case I believe, harmless. I believe so because of some of the work we've done so far. The file is most probably left over from some failed uninstall string. And, most likely, the file is located in some temp folder. You can remove it simply by cleaning out your temp files. We will do that more in depth later, but for now just navigate to c:\programData\Temp...and take note of what's there. Let me know on your next reply.

Point (2):
Search engine preference has little to do with any toolbar(s), rather it is an option you select in the browser itself. With Firefox opened, look to the upper right side, just to the right of the address bar. You should see the search bar there. Click on the icon in that search bar for a drop down menu of options available. You might see Google, Yahoo, Bing, Amazon...just scroll to and select the engine you want to use.

Point (3):
I agree (although not with the same reasoning) that it's not likely an "impending" hard disk failure.

Along with your next reply, include the names of software that you want to remove but have been unable to successfully uninstall. I will try to locate these in the cf log and we can try another script attempt to remove them. I'm also waiting for the results from those scans I recommended previously. Thanks!

#47
1972vet

    Trusted Helper

  • Malware Removal
  • 99 posts
That's an interesting cf log...from the looks of it, perhaps you copied only about half of the script that I wrote. Only half of it was executed, so we need to try this again:

Please open a blank Notepad as before and copy/paste all of the bold text below, in its entirety, into the blank Notepad. The text I want you to copy appears between the lines that extend across the page:
__________________________________________________________________________________________________________________________________________


Killall::

file::
c:\windows\SysWow64\shoBF4E.tmp
c:\windows\SysWow64\shoF306.tmp
c:\windows\system32\Tweak7SystemService.exe

rootkit::
c:\windows\SysWow64\certsentry.dll
c:\windows\system32\certsentry.dll

driver::
Tweak7SystemService

firefox::
FF - ProfilePath - c:\users\Shawlhar\AppData\Roaming\Mozilla\Firefox\Profiles\ic548cx7.default\
FF - ExtSQL: 2013-03-21 15:50; [email protected]; c:\users\Shawlhar\AppData\Roaming\Mozilla\Firefox\Profiles\ic548cx7.default\extensions\


_____________________________________________________________________________________________________________________________________________
...Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#48
whizzhard

    Member

  • Topic Starter
  • 34 posts
ComboFix 13-03-21.02 - Shawlhar 24-Mar-13 9:01.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2254 [GMT 1:00]
Running from: c:\users\Shawlhar\Downloads\Programs\ComboFix.exe
Command switches used :: c:\users\Shawlhar\Downloads\Programs\CFScript.txt
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\Tweak7SystemService.exe"
"c:\windows\SysWow64\shoBF4E.tmp"
"c:\windows\SysWow64\shoF306.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Tweak7SystemService.exe
c:\windows\SysWow64\shoBF4E.tmp
c:\windows\SysWow64\shoF306.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Tweak7SystemService
.
.
((((((((((((((((((((((((( Files Created from 2013-02-24 to 2013-03-24 )))))))))))))))))))))))))))))))
.
.
2073-10-27 09:55 . 2013-03-20 11:17 2404352 ----a-w- c:\program files (x86)\Microsoft Games\Halo Custom Edition\haloce.exe
2073-10-27 09:55 . 2009-10-03 17:32 1118208 ----a-w- c:\program files (x86)\Microsoft Games\Halo Custom Edition\Strings.dll
2073-10-27 09:55 . 2009-10-03 17:32 1835008 ----a-w- c:\program files (x86)\Microsoft Games\Halo Custom Edition\haloceded.exe
2013-03-24 08:31 . 2013-03-24 08:31 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-03-24 08:31 . 2013-03-24 08:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-24 02:05 . 2013-01-31 05:08 180464 ----a-w- c:\windows\system32\SynTPCo16.dll
2013-03-24 02:05 . 2013-01-31 05:08 1035504 ----a-w- c:\windows\system32\SynCOM.dll
2013-03-24 02:05 . 2013-01-31 05:08 467184 ----a-w- c:\windows\system32\drivers\SynTP.sys
2013-03-24 02:05 . 2013-01-31 05:08 229616 ----a-w- c:\windows\system32\SynTPAPI.dll
2013-03-24 01:41 . 2013-02-04 17:44 312864 ----a-w- c:\windows\SysWow64\fmod_event.dll
2013-03-24 01:41 . 2013-02-04 17:44 804384 ----a-w- c:\windows\SysWow64\fmodex.dll
2013-03-23 11:47 . 2013-03-23 11:47 -------- d-----w- c:\program files\CPUID
2013-03-21 02:05 . 2013-03-21 02:04 310688 ----a-w- c:\windows\system32\javaws.exe
2013-03-21 02:05 . 2013-03-21 02:04 1085344 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-21 02:04 . 2013-03-21 02:04 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-03-21 02:04 . 2013-03-21 02:04 188832 ----a-w- c:\windows\system32\javaw.exe
2013-03-21 02:04 . 2013-03-21 02:04 188320 ----a-w- c:\windows\system32\java.exe
2013-03-21 02:04 . 2013-03-21 02:04 -------- d-----w- c:\program files\Java
2013-03-21 01:51 . 2013-03-22 19:56 -------- d-----w- c:\users\Shawlhar\AppData\Local\ElevatedDiagnostics
2013-03-20 23:07 . 2013-03-24 00:26 -------- d-----w- c:\users\Shawlhar\AppData\Roaming\vlc
2013-03-20 23:06 . 2013-03-20 23:06 -------- d-----w- c:\program files\VideoLAN
2013-03-20 23:01 . 2013-03-20 23:01 -------- d-----w- c:\program files (x86)\Auslogics
2013-03-20 12:01 . 2013-03-20 22:47 -------- d-----w- c:\program files (x86)\SpeedFan
2013-03-20 11:46 . 2013-03-20 11:46 -------- d-----w- c:\program files (x86)\FileHippo.com
2013-03-20 07:08 . 2013-03-20 07:08 -------- d-----w- c:\users\Shawlhar\AppData\Roaming\VSRevoGroup
2013-03-19 17:16 . 2013-01-13 19:24 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2013-03-19 17:03 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2013-03-19 17:02 . 2012-12-07 13:20 441856 ----a-w- c:\windows\system32\Wpc.dll
2013-03-19 10:18 . 2013-03-19 10:19 -------- d-----w- c:\program files\Microsoft Silverlight
2013-03-19 10:17 . 2013-03-19 10:19 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-03-19 07:00 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll
2013-03-19 06:43 . 2013-01-05 05:53 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 06:43 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 06:43 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 06:43 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-03-19 06:43 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-03-19 06:16 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-03-19 06:16 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-03-19 06:16 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-03-19 05:27 . 2013-01-04 03:26 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-03-19 05:23 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-03-19 05:23 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-18 18:58 . 2013-03-18 18:58 -------- d-----w- c:\users\Shawlhar\AppData\Roaming\Malwarebytes
2013-03-18 18:58 . 2013-03-18 18:58 -------- d-----w- c:\programdata\Malwarebytes
2013-03-18 18:58 . 2013-03-18 18:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-18 18:58 . 2012-12-14 15:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-15 14:50 . 2013-03-15 14:50 47368 ----a-w- c:\windows\SysWow64\certsentry.dll
2013-03-15 14:50 . 2013-03-15 14:50 56072 ----a-w- c:\windows\system32\certsentry.dll
2013-03-14 23:36 . 2013-03-14 23:36 34840 ----a-w- c:\windows\system32\drivers\cnnctfy3.sys
2013-03-14 23:33 . 2013-03-20 07:51 -------- d-----w- c:\program files (x86)\Connectify
2013-03-14 23:33 . 2013-03-14 23:45 -------- d-----w- c:\programdata\Connectify
2013-03-08 14:47 . 2013-03-08 14:47 -------- d-----w- c:\programdata\IDM
2013-03-08 13:37 . 2013-03-15 07:33 -------- d-s---w- c:\programdata\Shared Space
2013-03-08 13:28 . 2013-03-15 09:23 -------- d-----w- c:\programdata\COMODO
2013-03-08 13:26 . 2013-03-08 13:26 -------- d-----w- c:\users\Shawlhar\AppData\Local\Comodo
2013-03-08 13:26 . 2013-03-15 14:49 -------- d-----w- c:\program files (x86)\Comodo
2013-03-08 13:26 . 2013-03-08 13:26 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2013-03-07 16:16 . 2013-03-07 16:16 -------- d-----w- c:\windows\system32\drivers\NSTx64\7DD03000.01A
2013-03-07 15:46 . 2013-03-08 14:45 -------- d-----w- c:\windows\system32\drivers\NAVx64\1403000.024
2013-03-07 14:52 . 2013-03-07 14:52 -------- d-----w- c:\program files (x86)\BlueStacks
2013-03-07 14:51 . 2013-03-07 14:52 -------- d-----w- c:\programdata\BlueStacks
2013-03-01 12:04 . 2012-11-22 00:43 165112 ----a-w- c:\windows\system32\drivers\idmwfp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-24 08:35 . 2013-03-24 08:35 0 ----a-w- c:\windows\SysWow64\sho908B.tmp
2013-03-23 14:20 . 2013-03-23 14:20 0 ----a-w- c:\windows\SysWow64\sho77E4.tmp
2013-03-21 02:04 . 2011-05-13 20:11 963488 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-20 06:43 . 2012-04-26 16:48 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-20 06:43 . 2011-10-19 20:13 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-19 17:21 . 2013-03-19 17:21 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-03-19 17:21 . 2013-03-19 17:21 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2013-03-19 17:21 . 2013-03-19 17:21 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-03-19 17:21 . 2013-03-19 17:21 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-03-19 17:21 . 2013-03-19 17:21 1766912 ----a-w- c:\windows\SysWow64\wininet.dll
2013-03-19 17:21 . 2013-03-19 17:21 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-03-04 13:53 . 2011-10-26 00:12 72013344 ----a-w- c:\windows\system32\MRT.exe
2013-02-20 18:44 . 2011-11-16 21:37 2672 --sha-w- c:\programdata\KGyGaAvL.sys
2013-02-12 05:45 . 2013-03-19 17:02 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-19 17:02 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-19 17:02 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-19 17:02 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-19 17:02 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-19 17:02 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-08 14:45 . 2013-02-08 14:45 36736 ----a-w- c:\windows\system32\drivers\tap0901.sys
2013-01-31 05:08 . 2013-03-24 02:05 114416 ----a-w- c:\windows\SysWow64\SynTPCOM.dll
2013-01-31 05:08 . 2013-03-24 02:05 532208 ----a-w- c:\windows\SysWow64\SynCOM.dll
2013-01-17 09:49 . 2013-01-17 04:21 177312 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2013-01-13 19:53 . 2013-03-19 17:16 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2013-01-13 19:53 . 2013-03-19 17:16 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-01-13 19:43 . 2013-03-19 17:16 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2013-01-13 19:02 . 2013-03-19 17:16 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-01-13 18:34 . 2013-03-19 17:16 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-01-13 17:26 . 2013-03-19 17:16 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2013-01-04 04:51 . 2013-03-19 06:16 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-03-19 06:16 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-01-04 02:47 . 2013-03-19 06:16 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-03-19 06:16 2048 ----a-w- c:\windows\SysWow64\user.exe
2012-12-29 20:59 . 2012-12-29 20:59 28664 ----a-w- c:\windows\SysWow64\speedfan.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
c:\program files (x86)\Ask.com\GenericAskToolbar.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2013-03-02 3573624]
"L09AXLRD_4111624"="c:\program files (x86)\Microsoft Student\Microsoft Student with Encarta Premium 2009 DVD\EDICT.EXE" [2008-06-03 351000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 BstHdAndroidSvc;BlueStacks Android Service;c:\program files (x86)\BlueStacks\HD-Service.exe BstHdAndroidSvc Android [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-07-08 123856]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-10-11 117248]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [2012-10-11 13952]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [2012-10-11 421888]
R3 ewusbnet;HUAWEI USB-NDIS miniport; [x]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\DRIVERS\Gt51Ip.sys [2007-11-13 124416]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\DRIVERS\gt72ubus.sys [2007-10-09 80896]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [2012-10-11 98304]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [2012-10-11 28672]
R3 huawei_wwanecm;huawei_wwanecm;c:\windows\system32\DRIVERS\ew_juwwanecm.sys [2012-10-11 223744]
R3 nmwcdnsucx64;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsucx64.sys [2011-08-17 12800]
R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys [2011-08-17 171008]
R3 qcusbser;Mobile Connector;c:\windows\system32\DRIVERS\qcusbser.sys [2008-09-01 118144]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 ToolkitDisk;ToolkitDisk;c:\windows\system32\Drivers\toolkitdisk.sys [2011-11-05 62552]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2012-08-20 147288]
R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-17 68440]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-26 1255736]
R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
R4 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files (x86)\BlueStacks\HD-LogRotatorService.exe [2013-02-15 384888]
R4 Connectify;Connectify;c:\program files (x86)\Connectify\ConnectifyService.exe [2013-02-19 217088]
R4 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [2013-03-12 2074768]
R4 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R4 GLO NETPRO. RunOuc;GLO NETPRO. OUC;c:\program files (x86)\GLO NETPRO\UpdateDog\ouc.exe [2012-10-11 655712]
R4 GtDetectSc;GtDetectSc;c:\program files (x86)\Option\GlobeTrotter Connect\GtDetectSc.exe [2007-12-18 312320]
R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
R4 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 20480]
R4 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [2011-03-14 346976]
R4 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2010-12-28 1817088]
R4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-12-07 167424]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1403000.024\SYMDS64.SYS [2013-01-22 493656]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1403000.024\SYMEFA64.SYS [2013-01-31 1139800]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.0.24\Definitions\BASHDefs\20130301.001\BHDrvx64.sys [2013-01-16 1388120]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAVx64\1403000.024\ccSetx64.sys [2012-11-16 168096]
S1 ccSet_NST;Norton Identity Safe Settings Manager;c:\windows\system32\drivers\NSTx64\7DD01000.020\ccSetx64.sys [2012-08-07 168096]
S1 cnnctfy3;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy3.sys [2013-03-14 34840]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.1.0.24\Definitions\IPSDefs\20130322.001\IDSvia64.sys [2013-03-06 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1403000.024\Ironx64.SYS [2012-11-16 224416]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAVx64\1403000.024\SYMNETS.SYS [2013-01-31 432800]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2012-08-20 224088]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2012-08-20 130904]
S2 BstHdDrv;BlueStacks Hypervisor;c:\program files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [2013-02-15 71032]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2012-11-22 165112]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 NAV;Norton AntiVirus;c:\program files (x86)\Norton AntiVirus\Engine\20.3.0.36\ccSvcHst.exe [2012-12-24 144520]
S2 NCO;Norton Identity Safe;c:\program files (x86)\Norton Identity Safe\Engine\2013.1.0.32\ccSvcHst.exe [2012-08-19 143928]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-07-23 2320920]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2011-02-10 31088]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-03-07 138912]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2012-10-11 87040]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-08-30 289280]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-05 436840]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2012-11-23 878184]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2012-08-20 166232]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1397294529-3170872516-2112063622-1000Core1cd8649b698b801.job
- c:\users\Shawlhar\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-26 00:52]
.
2013-03-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1397294529-3170872516-2112063622-1000UA.job
- c:\users\Shawlhar\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-26 00:52]
.
2013-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ce1b466152ff3d.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 11:09]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-18 11:09]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1397294529-3170872516-2112063622-1000Core1ce23f94ea112eb.job
- c:\users\Shawlhar\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-20 14:37]
.
2013-03-18 c:\windows\Tasks\HPCeeScheduleForShawlhar.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-11-15 23:07 23496 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-10 392984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-10 167704]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z008&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = <local>
IE: Download FLV video content with IDM - c:\program files (x86)\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth
TCP: DhcpNameServer = 198.6.1.2 4.2.2.2 8.8.8.8
TCP: Interfaces\{141A3F81-F276-4A08-9819-353D6DAA02E6}: NameServer = 10.109.5.97 10.199.212.120
TCP: Interfaces\{8784BAD3-0F16-4198-95E4-C07A58FF16C3}: NameServer = 8.8.8.8 8.8.4.4
FF - ProfilePath - c:\users\Shawlhar\AppData\Roaming\Mozilla\Firefox\Profiles\ic548cx7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z008&form=ZGAADF&q=
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - ExtSQL: 2013-03-21 14:07; [email protected]; c:\users\Shawlhar\AppData\Roaming\Mozilla\Firefox\Profiles\ic548cx7.default\extensions\[email protected]
FF - ExtSQL: 2013-03-21 15:50; [email protected]; c:\users\Shawlhar\AppData\Roaming\Mozilla\Firefox\Profiles\ic548cx7.default\extensions\[email protected]
FF - ExtSQL: 2013-03-22 09:59; {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}; c:\users\Shawlhar\AppData\Roaming\Mozilla\Firefox\Profiles\ic548cx7.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D3B22A92-87A2-47B6-B3E6-A64877B5C242} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\20.3.0.36\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\20.3.0.36\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\services\NCO]
"ImagePath"="\"c:\program files (x86)\Norton Identity Safe\Engine\2013.1.0.32\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files (x86)\Norton Identity Safe\Engine\2013.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1397294529-3170872516-2112063622-1000_Classes\Wow6432Node\CLSID\{4297f579-1fa7-42d2-b77c-25c2baa9f727}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000022
"Therad"=dword:00000010
"SpecVersion"=dword:00000025
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-1397294529-3170872516-2112063622-1000_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):7e,c9,87,24,6d,bb,b1,ca,69,81,22,09,9d,99,af,a1,e6,a4,96,1c,23,
cf,4e,b7,ba,89,1d,ca,c0,ca,92,b9,41,8d,49,f1,de,62,02,27,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1397294529-3170872516-2112063622-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):57,66,29,f8,f2,2e,e3,ef,be,be,b8,0c,9c,ad,8f,80,99,ad,9b,d7,3c,
10,98,70,5e,55,f4,09,d1,4d,11,65,76,50,1e,da,4f,fc,4a,e2,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1397294529-3170872516-2112063622-1000_Classes\Wow6432Node\CLSID\{ebb2be72-d148-4785-9119-ebe56a4cf955}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000015a
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,f7,e1,2c,63,a1,ec,2b,5b,c2,d2,f7,88,0a,b0,6a,32,7f,54,1d,cc,13,33,\
.
[HKEY_LOCAL_MACHINE\software\BlueStacks]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0016\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0017\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0018\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0019\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0020\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0021\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0022\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0023\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0024\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0025\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0026\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0027\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0028\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0029\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0030\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0031\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0032\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0033\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0034\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0035\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0036\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0037\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0038\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0039\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
.
**************************************************************************
.
Completion time: 2013-03-24 09:57:12 - machine was rebooted
ComboFix-quarantined-files.txt 2013-03-24 08:57
ComboFix2.txt 2013-03-22 14:29
.
Pre-Run: 52,344,360,960 bytes free
Post-Run: 51,606,249,472 bytes free
.
- - End Of File - - E27FD69CD9E47765E4200A33EA019BE2
  • 0

#49 whizzhard (Member, Topic Starter, 34 posts)
Yahoo toolbar and Java™ 6 Update 22 are the stubborn programs I've been trying to remove.

I believe Google is the default search provider in Firefox. Let me make it clear to you, because I don't think you understood what I meant the other time: if I search anything in the address bar of Firefox (I'm not talking about the search bar), the default search provider was Google until recently, when I noticed that it had suddenly changed to Bing. I mean, if I type something like "who am I" into the address bar, it should search that string with Google and not Bing.


The scannow command did not find any error in Windows; it wrote "Windows Resource Protection did not find any integrity violations". I also ran the Check Disk utility, which reported that the volume is clean.

Just removed Java 6 Update 22 through regedit.

Edited by whizzhard, 24 March 2013 - 04:28 PM.

  • 0

#50 whizzhard (Member, Topic Starter, 34 posts)
CF stores the script I've been using in a folder named Qoobox on my C: drive. I just cross-checked it with the one you posted and found out that I did copy the whole txt.
  • 0

#51 1972vet (Trusted Helper, Malware Removal, 99 posts)

...just navigate to c:\programData\Temp...and take note of what's there. Let me know on your next reply.

I still need you to answer that question.

Since you've used regedit to remove Java6 update 22, the remaining application you want to remove is the yahoo toolbar. I've not known that to be stubborn, so just look for the uninstall string to execute it. Let me know what happens.

IMPORTANT NOTE for others who may be reading through this thread:
I don't recommend that anyone venture to the registry to try what this user has done...unless you consider yourself an expert in the way of the intricacies within the inner workings of Windows and the registry. Users can reduce their systems to nothing more than an expensive paperweight if not careful.

...on to business

...google is the default search provider in firefox, lemme make it clear to you coz i dont think you understand what i meant the other time, if i search anything in the address bar of firefox am not talkin bout the search bar, the default search provider was google until recently when i noticed that it has suddenly changed to bing, i mean if i type something like "who am I" into the address bar, it should search that string with google and not bing.

According to the log(s) you've produced, Firefox reports exactly the same thing as you:
FF - prefs.js: browser.search.selectedEngine - Google
...so you must be mistaken. If Bing were the default selection then the entry above wouldn't report it as Google. I know of NO malware which changes search engine preference to Bing. Certainly, malware will tamper with search engine preferences by redirecting your searches regardless of the default selection, but you haven't reported such redirections, neither do any logs support such a complaint.

As to the reason why ComboFix doesn't seem to respond the way I expect, I'm also puzzled (as you seem to be)...you also seem to be a bit more computer savvy than I first thought and obviously familiar with ComboFix and related folders/files. There are two Comodo security suite files that ComboFix seems unable to remove (along with most of the rest of each script I've written), yet we've confirmed that you have copied them correctly.

As ComboFix would indeed enter into a wrestling match with both Symantec and Comodo (there are others), I could pass this off as interference due to some remaining Comodo security suite files. It is also quite obvious that you have had issues with uninstalling applications properly, so I wouldn't think it of any value to pursue this further.

Since we've undergone most troubleshooting and malware searching that might otherwise be at issue, I am left to assume any remaining issues might relate to your tampering with the registry.

Have you considered performing one of the HP recoveries, either destructive or non-destructive? As I understand it, HP offers those two...the non-destructive recovery would be similar to a "Repair Install" of the operating system yet would leave all the files/folders intact, that you created yourself since the original installation. Is this an attractive option for you?
  • 0
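The "look for the uninstall string" advice above is quicker with a script than with regedit. The following is an added example, not code from this thread or from any tool mentioned in it: it lists Add/Remove Programs entries whose DisplayName matches a pattern across the 64-bit, 32-bit (Wow6432Node) and per-user uninstall hives, shows the UninstallString that Control Panel would run, and checks that the executable it points at still exists and is signed before you run it. The `*Yahoo*Toolbar*` name pattern is an assumption; adjust it to whatever DisplayName you actually see.

```powershell
# Added example (not from the thread): enumerate Add/Remove Programs entries by
# name and show the UninstallString Control Panel would run, across the 64-bit,
# 32-bit (Wow6432Node) and per-user uninstall hives.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntry {
    param([Parameter(Mandatory)][string]$NamePattern)

    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if ($p.DisplayName -like $NamePattern) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString
                    RegistryKey     = $key.Name
                }
            }
        }
    }
}

# Before executing an uninstall string, check that the executable it points at
# still exists and carries a valid Authenticode signature. A missing target means
# the entry is a leftover the uninstaller can no longer act on; an unsigned one
# sitting in a Temp folder deserves a second look before it is run.
function Test-UninstallTarget {
    param([Parameter(Mandatory)][string]$UninstallString)

    if ($UninstallString -match '^"([^"]+)"') {            # "C:\path\uninst.exe" /args
        $exe = $Matches[1]
    } elseif ($UninstallString -match '^(\S+?\.exe)') {    # C:\path\uninst.exe /args (no spaces)
        $exe = $Matches[1]
    } else {
        $exe = ($UninstallString -split '\s+')[0]
    }
    if ($exe -ieq 'MsiExec.exe') {                         # MsiExec.exe /X{GUID}
        $exe = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    }

    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    [pscustomobject]@{
        Executable = $exe
        Exists     = $exists
        Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
    }
}

# Usage (elevated PowerShell on the affected machine); the name pattern is an assumption:
$entries = Get-UninstallEntry -NamePattern '*Yahoo*Toolbar*'
$entries | Format-List
foreach ($e in $entries) {
    Test-UninstallTarget -UninstallString $e.UninstallString
}
# Only after the target checks out, run the string the same way Control Panel does:
#   cmd.exe /c $entries[0].UninstallString
```

Checking all three hives matters on a 64-bit machine like this one: a 32-bit toolbar registers under Wow6432Node, and a per-user install never appears under HKLM at all, which is one reason an entry can seem to "refuse" to uninstall from Control Panel.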

#52 whizzhard (Member, Topic Starter, 34 posts)
{01FB4998-33C4-4431-85ED-079E3EEFE75D} and {DEC235ED-58A4-4517-A278-C41E8DAEAB3B}: these are the two folders in Temp, and they are both empty. I checked their properties to be sure.

I would not say I'm that computer savvy, obviously not as much as you; I just happen to be Google savvy.

Anything you say, sir. I think the non-destructive option is attractive enough, though I think the system hang issue has been resolved, because the PC does not hang on the desktop. The only thing left now is the time it takes to boot. The time taken to boot to the logon screen is fine, mostly less than a minute, but once I enter the password it usually takes around 7-10 minutes for Windows to be usable. Let me mention that I was able to use the PC immediately after I logged in recently, but subsequent logons were still 7-10 minutes. I was plainly amazed, because the system response was immediate, and that was yesterday.

The problem of programs displaying "not responding" is now much less frequent compared to what it was before your response. Even when it does happen, the program normalizes in less time, so I can say it's pretty much fixed, though not completely.

And about the registry issue: I was really meticulous, because I created a system restore point just in case. Even though it no longer appeared in my Control Panel, I went ahead and downloaded Microsoft Fix it, which still found it and successfully removed it.
  • 0

#53 whizzhard (Member, Topic Starter, 34 posts)
I know my selected search engine is Google; that is exactly what is on the right side with the Google logo, and if I click the drop-down list I have other search engines, of which Bing is not even listed. So this issue of Bing just coming out of nowhere and taking over my search in the address bar is both enigmatic and frustrating.

One more time, thanks for your help so far, which I surely don't deserve. Your time, resources, skill, knowledge, etc. are much appreciated.


THANKS
  • 0

#54 whizzhard (Member, Topic Starter, 34 posts)
I just found a solution to that. It seems I installed a program that edited my preference in the about:config settings. I was able to reset it using the guide on this page. I also thought about it before, but I didn't know where to look in the config.
http://support.mozil...web-address-bar
  • 0
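The two posts above explain why the logs and the user disagreed: the log line `browser.search.selectedEngine - Google` describes the search bar, while the address bar is driven by a separate preference that a bundled program had rewritten. The following is an added example, not code from this thread or from Mozilla: it parses a prefs.js file and compares the engine shown in the search bar with the host that address-bar searches actually go to. It assumes that, on the Firefox of this era, the address-bar search was controlled by the `keyword.URL` preference (the thread does not name the preference it reset); the prefs.js text embedded below is constructed to reproduce this thread's situation.

```powershell
# Added example (not from the thread): parse a Firefox prefs.js and flag the
# preference that sends address-bar searches somewhere other than the engine the
# search bar shows. Assumption: keyword.URL is the address-bar search preference
# on this Firefox version, independent of browser.search.selectedEngine.
# The prefs.js text below is constructed to reproduce the situation in this thread.
$SamplePrefs = @'
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.search.defaultenginename", "Google");
user_pref("keyword.enabled", true);
user_pref("keyword.URL", "http://www.bing.com/search?FORM=EXAMPLE&q=");
user_pref("browser.startup.homepage", "about:home");
'@

# Turn user_pref("name", value); lines into a hashtable. Values are quoted
# strings, numbers or true/false; quotes are stripped, everything else kept as text.
function ConvertFrom-FirefoxPrefs {
    param([Parameter(Mandatory)][string]$PrefsText)

    $prefs = @{}
    foreach ($line in ($PrefsText -split "`r?`n")) {
        if ($line -match '^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$') {
            $name = $Matches[1]
            $raw  = $Matches[2].Trim()
            $prefs[$name] = if ($raw -match '^"(.*)"$') { $Matches[1] } else { $raw }
        }
    }
    return $prefs
}

# Compare what the UI shows (selectedEngine) with where address-bar searches go
# (keyword.URL). A host outside the trusted list is reported together with the
# engine the search bar claims, which is the mismatch that confused this thread.
function Test-AddressBarSearch {
    param(
        [Parameter(Mandatory)][hashtable]$Prefs,
        [string[]]$TrustedHosts = @('www.google.com', 'google.com')
    )

    $findings   = @()
    $selected   = $Prefs['browser.search.selectedEngine']
    $keywordUrl = $Prefs['keyword.URL']

    if ($keywordUrl) {
        $searchHost = $null
        try { $searchHost = ([uri]$keywordUrl).Host } catch { }
        if (-not $searchHost -or ($TrustedHosts -notcontains $searchHost)) {
            $findings += [pscustomobject]@{
                Pref   = 'keyword.URL'
                Value  = $keywordUrl
                Reason = "address-bar searches go to '$searchHost' while the search bar shows '$selected'"
            }
        }
    }
    return $findings
}

# Usage on the constructed sample; for a live profile read the file instead:
#   $text = Get-Content -Raw (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\<profile>\prefs.js')
$prefs = ConvertFrom-FirefoxPrefs -PrefsText $SamplePrefs
"selectedEngine = $($prefs['browser.search.selectedEngine'])"
Test-AddressBarSearch -Prefs $prefs | Format-List
```

On the sample input the script reports `keyword.URL` pointing at www.bing.com while `selectedEngine` is still Google, which is exactly why a log that only prints the selected engine looked clean. Close Firefox before reading or editing prefs.js, since the browser rewrites the file on exit; the fix the user applied (resetting the preference in about:config) is the right one, and a quick re-run of the check after reinstalling any bundled software shows whether it comes back.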

#55 1972vet (Trusted Helper, Malware Removal, 99 posts)
Tell me then...are you happy with the system as it is or are you wanting to perform the non-destructive recovery?
  • 0



#56 whizzhard (Member, Topic Starter, 34 posts)
The laptop is far better than before, but since you recommended it and none of my files would be lost, I guess I will try it.
  • 0

#57 1972vet (Trusted Helper, Malware Removal, 99 posts)
Then you should read through This HP Tutorial for performing a system recovery.

With newer HP products, and depending on the operating system, HP has offered several recovery options. With any of these, you should be offered the opportunity to backup your files prior to the full execution of the recovery. You would then be able to use those backed up files to transfer back to your freshly recovered system, all of your previously created files and installed software that you use.

Older models used the nomenclature of "destructive" and "non-destructive" recovery options. The difference being, a destructive recovery would wipe the disk clean before recovering the operating system...and a non-destructive one simply overwrote Windows with a fresh copy of the operating system, leaving all other files/folders in place. This technique is performed a bit differently with their newer systems, so you must read that online tutorial carefully.

You will need to investigate which of these recovery options you have and determine which one would be best for you. If you have any questions, you should contact HP customer support...tell them you'd like to perform a recovery of your operating system but would also like to keep your installed software and other files/folders you may have created previously. Let me know how this turns out for you.
  • 0

#58 1972vet (Trusted Helper, Malware Removal, 99 posts)
Still with us whizzhard? Can you share with us, how this turned out for you?
  • 0

#59 1972vet (Trusted Helper, Malware Removal, 99 posts)
Due to lack of response, this topic will now be closed to prevent others from posting here. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
  • 0

#60 1972vet (Trusted Helper, Malware Removal, 99 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





