[Randu555]

Hi
I obtained the Arestocrat screen

Can you help me remove?

Thanks

Randu

[Advertisements]

Hello Randu555

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe or e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.
[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe
[*]Click the Search button
[*]It will make a log (Search.txt)
[/list]
I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo

[gringo_pr]

Hello Randu555

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe or e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.
[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe
[*]Click the Search button
[*]It will make a log (Search.txt)
[/list]
I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo

[Randu555]

Thanks for the quick response


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-04-2013
Ran by SYSTEM at 14-04-2013 21:38:23
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [IntelliType Pro] "c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe" [1464944 2012-11-02] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2076272 2012-11-02] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [x]
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [DisplaySwitch] "C:\ProgramData\SystemRoot.exe" [76568 2013-04-14] ()
HKU\User\...\Run: [PCShowServer] "C:\Users\User\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe" [525240 2012-10-15] (NDS Technologies)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM-x32\...\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-F9QLM.exe" /REG /REGSVRMODE [712264 2013-04-14] ()
HKLM-x32\...\Winlogon: [Shell] C:\ProgramData\SystemRoot.exe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

4 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-09-08] (SUPERAntiSpyware.com)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22056 2013-01-27] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [379360 2013-01-27] (Microsoft Corporation)
2 NitroDriverReadSpool8; "C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe" [230408 2013-03-25] (Nitro PDF Software)
4 RealNetworks Downloader Resolver Service; "C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe" [38608 2012-11-29] ()
4 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 SupportSoft RemoteAssist; C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe [386424 2010-02-24] (SupportSoft, Inc.)
3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]

==================== Drivers (Whitelisted) =====================

0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SWDUMon; C:\Windows\System32\Drivers\SWDUMon.sys [15712 2012-10-02] ()

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-04-14 21:38 - 2013-04-14 21:38 - 00000000 ____D C:\FRST
2013-04-14 20:27 - 2013-04-14 20:27 - 00003051 ____A C:\Users\User\Desktop\GringoIntr.txt
2013-04-14 20:15 - 2013-04-14 20:15 - 00890815 ____A C:\Users\User\Desktop\SecurityCheck.exe
2013-04-14 20:14 - 2013-04-14 20:14 - 00000470 ____A C:\Users\User\Desktop\defogger_disable.log
2013-04-14 20:14 - 2013-04-14 20:14 - 00000000 ____A C:\Users\User\defogger_reenable
2013-04-14 20:12 - 2013-04-14 20:12 - 00050477 ____A C:\Users\User\Downloads\Defogger.exe
2013-04-14 19:43 - 2013-04-14 19:43 - 00712264 ____A C:\Windows\is-F9QLM.exe
2013-04-14 19:43 - 2013-04-14 19:43 - 00011277 ____A C:\Windows\is-F9QLM.msg
2013-04-14 19:43 - 2013-04-14 19:43 - 00000392 ____A C:\Windows\is-F9QLM.lst
2013-04-14 19:38 - 2013-04-14 19:38 - 00276536 ____A C:\Windows\Minidump\041413-19546-01.dmp
2013-04-14 19:30 - 2013-04-14 19:30 - 00276528 ____A C:\Windows\Minidump\041413-18390-01.dmp
2013-04-14 18:54 - 2013-04-14 18:54 - 00276536 ____A C:\Windows\Minidump\041413-19765-01.dmp
2013-04-14 18:53 - 2013-04-14 18:53 - 02250054 ____A C:\ProgramData\1.bmp
2013-04-14 18:42 - 2013-04-14 18:42 - 00076568 ____A C:\ProgramData\SystemRoot.exe
2013-04-11 02:02 - 2013-02-21 02:30 - 01129984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 02046464 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-04-11 02:02 - 2013-02-21 02:29 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-04-11 02:02 - 2013-02-21 02:15 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-04-11 02:02 - 2013-02-21 02:14 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 02647040 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-04-11 02:02 - 2013-02-21 02:14 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-04-11 02:02 - 2013-02-19 04:01 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-11 02:02 - 2013-02-19 03:42 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-11 02:02 - 2013-02-19 03:10 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-04-11 02:02 - 2013-02-19 02:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-11 02:01 - 2013-02-21 02:30 - 01766912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-11 02:01 - 2013-02-21 02:29 - 14323200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-11 02:01 - 2013-02-21 02:29 - 13761024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-11 02:01 - 2013-02-21 02:29 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-11 02:01 - 2013-02-21 02:15 - 02240512 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-11 02:01 - 2013-02-21 02:14 - 19230208 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-11 02:01 - 2013-02-21 02:14 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-11 02:01 - 2013-02-21 02:14 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-10 09:05 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-10 09:05 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-10 09:05 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-10 09:05 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-10 09:05 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-10 09:05 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-10 09:05 - 2013-03-01 22:04 - 01655656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-10 09:05 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-10 09:05 - 2013-02-14 22:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-10 09:05 - 2013-02-14 22:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-10 09:05 - 2013-02-14 22:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-10 09:05 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-10 09:05 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-10 09:05 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-04-08 11:11 - 2013-04-08 11:11 - 00002002 ____A C:\Users\Public\Desktop\Nitro Pro 8.lnk
2013-04-08 11:11 - 2013-04-08 11:11 - 00000000 ____D C:\Program Files\Common Files\Nitro
2013-04-08 11:11 - 2013-04-08 11:11 - 00000000 ____D C:\Program Files (x86)\Nitro
2013-04-08 11:11 - 2013-03-25 18:08 - 00029704 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalmon2.dll
2013-04-08 11:11 - 2013-03-25 18:08 - 00017928 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalui2.dll
2013-03-25 18:45 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023x.sys
2013-03-25 18:45 - 2013-02-11 20:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-03-25 18:08 - 2013-03-25 18:08 - 00070152 ____A (Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE

==================== One Month Modified Files and Folders =======

2013-04-14 20:27 - 2013-04-14 20:27 - 00003051 ____A C:\Users\User\Desktop\GringoIntr.txt
2013-04-14 20:24 - 2009-07-13 21:13 - 00730448 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-14 20:15 - 2013-04-14 20:15 - 00890815 ____A C:\Users\User\Desktop\SecurityCheck.exe
2013-04-14 20:14 - 2013-04-14 20:14 - 00000470 ____A C:\Users\User\Desktop\defogger_disable.log
2013-04-14 20:14 - 2013-04-14 20:14 - 00000000 ____A C:\Users\User\defogger_reenable
2013-04-14 20:12 - 2013-04-14 20:12 - 00050477 ____A C:\Users\User\Downloads\Defogger.exe
2013-04-14 19:43 - 2013-04-14 19:43 - 00712264 ____A C:\Windows\is-F9QLM.exe
2013-04-14 19:43 - 2013-04-14 19:43 - 00011277 ____A C:\Windows\is-F9QLM.msg
2013-04-14 19:43 - 2013-04-14 19:43 - 00000392 ____A C:\Windows\is-F9QLM.lst
2013-04-14 19:43 - 2012-02-11 23:27 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-14 19:43 - 2011-04-04 20:01 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-14 19:38 - 2013-04-14 19:38 - 00276536 ____A C:\Windows\Minidump\041413-19546-01.dmp
2013-04-14 19:38 - 2011-07-14 16:04 - 388864468 ____A C:\Windows\MEMORY.DMP
2013-04-14 19:38 - 2011-07-14 16:04 - 00000000 ____D C:\Windows\Minidump
2013-04-14 19:35 - 2012-08-31 20:51 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-14 19:35 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-14 19:35 - 2009-07-13 20:51 - 00055405 ____A C:\Windows\setupact.log
2013-04-14 19:33 - 2011-08-04 02:14 - 00002005 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-04-14 19:30 - 2013-04-14 19:30 - 00276528 ____A C:\Windows\Minidump\041413-18390-01.dmp
2013-04-14 19:28 - 2011-03-28 17:29 - 01811824 ____A C:\Windows\WindowsUpdate.log
2013-04-14 19:11 - 2012-08-31 20:51 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-14 19:01 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-14 19:01 - 2009-07-13 20:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-14 18:54 - 2013-04-14 18:54 - 00276536 ____A C:\Windows\Minidump\041413-19765-01.dmp
2013-04-14 18:53 - 2013-04-14 18:53 - 02250054 ____A C:\ProgramData\1.bmp
2013-04-14 18:42 - 2013-04-14 18:42 - 00076568 ____A C:\ProgramData\SystemRoot.exe
2013-04-14 18:35 - 2012-04-13 05:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-14 18:35 - 2011-08-19 11:05 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3738071279-2821379665-3464394757-1000UA.job
2013-04-14 17:46 - 2011-08-19 11:05 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3738071279-2821379665-3464394757-1000Core.job
2013-04-12 07:12 - 2008-12-09 16:28 - 00000000 ____D C:\Users\User\Documents\1 Fresh Connect
2013-04-11 17:36 - 2011-08-19 11:05 - 00002367 ____A C:\Users\User\Desktop\Google Chrome.lnk
2013-04-11 15:25 - 2011-05-05 12:22 - 00000000 ____D C:\Users\User\Documents\My Scans
2013-04-11 02:23 - 2009-07-13 20:45 - 00421592 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-11 02:03 - 2011-04-04 11:44 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-04-11 02:03 - 2011-03-29 08:59 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-04-10 12:46 - 2005-01-11 18:45 - 00000000 ____D C:\Users\User\Documents\1 Randy
2013-04-08 11:11 - 2013-04-08 11:11 - 00002002 ____A C:\Users\Public\Desktop\Nitro Pro 8.lnk
2013-04-08 11:11 - 2013-04-08 11:11 - 00000000 ____D C:\Program Files\Common Files\Nitro
2013-04-08 11:11 - 2013-04-08 11:11 - 00000000 ____D C:\Program Files (x86)\Nitro
2013-04-08 11:08 - 2012-11-14 12:40 - 00000000 ____D C:\Users\User\AppData\Roaming\Downloaded Installations
2013-04-04 13:50 - 2011-04-04 20:01 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-04-02 02:34 - 2013-03-03 15:02 - 00282744 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-03-28 13:06 - 2012-11-14 12:43 - 00000000 ____D C:\Users\User\AppData\Roaming\Nitro
2013-03-25 18:08 - 2013-04-08 11:11 - 00029704 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalmon2.dll
2013-03-25 18:08 - 2013-04-08 11:11 - 00017928 ____A (Nitro PDF Software) C:\Windows\System32\nitrolocalui2.dll
2013-03-25 18:08 - 2013-03-25 18:08 - 00070152 ____A (Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
2013-03-20 20:22 - 2012-04-13 05:08 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-03-20 20:22 - 2011-05-18 14:52 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-03-18 22:04 - 2013-04-10 09:05 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-03-18 21:46 - 2013-04-10 09:05 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-03-18 21:04 - 2013-04-10 09:05 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-03-18 21:04 - 2013-04-10 09:05 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-03-18 20:47 - 2013-04-10 09:05 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-03-18 19:06 - 2013-04-10 09:05 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3738071279-2821379665-3464394757-1000\$3af376672910c53237868f0ddc354df4

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$3af376672910c53237868f0ddc354df4

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-31 18:42:11
Restore point made on: 2013-04-01 07:43:41
Restore point made on: 2013-04-04 19:54:02
Restore point made on: 2013-04-08 06:56:30
Restore point made on: 2013-04-08 11:09:56
Restore point made on: 2013-04-08 18:19:21
Restore point made on: 2013-04-11 02:00:59
Restore point made on: 2013-04-14 11:47:39
Restore point made on: 2013-04-14 18:00:21

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4086.24 MB
Available physical RAM: 3505.08 MB
Total Pagefile: 4084.39 MB
Available Pagefile: 3497.52 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

2 Drive c: () (Fixed) (Total:931.51 GB) (Free:732.69 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
5 Drive f: (WD SmartWare) (CDROM) (Total:0.43 GB) (Free:0 GB) UDF
6 Drive g: (My Book) (Fixed) (Total:930.86 GB) (Free:242.91 GB) NTFS
7 Drive h: () (Removable) (Total:14.9 GB) (Free:3.28 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 930 GB 0 B
Disk 2 Online 14 GB 0 B

Partitions of Disk 0:
===============

Disk ID: 0956AE59

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 931 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: 0002AE3F

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 930 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G My Book NTFS Partition 930 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Disk ID: 00000000

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 14 GB Healthy

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 0956AE59

Partition 1:
=========
Hex: 8001010007FEFFFF3F00000082597074
Active: YES
Type: 07 (NTFS)
Size: 932 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 0002AE3F

Partition 1:
=========
Hex: 0020210007FEFFFF0008000000705B74
Active: NO
Type: 07 (NTFS)
Size: 931 GB

==============================
Partitions of Disk 2:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 000021000CFEFFFF20000000E017DD01
Active: NO
Type: 0C
Size: 15 GB


Last Boot: 2013-04-14 12:50

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 11-04-2013
Ran by SYSTEM at 2013-04-14 21:41:20
Running from H:\

================== Search: "services.exe" ===================

C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows.old\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Old files\WINDOWS\system32\services.exe
[2004-08-12 06:05] - [2004-08-12 06:05] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\Old files\WINDOWS\system32\dllcache\services.exe
[2004-08-12 06:05] - [2004-08-12 06:05] - 0108032 ___AC (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\Old files\WINDOWS\ERDNT\cache\services.exe
[2010-04-28 20:47] - [2009-02-06 03:11] - 0110592 ___AC (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

C:\Old files\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2009-04-14 16:02] - [2009-02-06 03:06] - 0110592 ___AC (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6

====== End Of Search ======

[gringo_pr]

Hello Randu555



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

HKLM-x32\...\Run: [DisplaySwitch] "C:\ProgramData\SystemRoot.exe" [76568 2013-04-14] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM-x32\...\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-F9QLM.exe" /REG /REGSVRMODE [712264 2013-04-14] ()
HKLM-x32\...\Winlogon: [Shell] C:\ProgramData\SystemRoot.exe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
C:\ProgramData\1.bmp
C:\ProgramData\SystemRoot.exe
C:\Windows\is-F9QLM.exe
C:\Windows\is-F9QLM.msg
C:\Windows\is-F9QLM.lst
C:\$Recycle.Bin\S-1-5-21-3738071279-2821379665-3464394757-1000\$3af376672910c53237868f0ddc354df4
C:\$Recycle.Bin\S-1-5-18\$3af376672910c53237868f0ddc354df4

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

[Randu555]

Hi Gringo
Restarted and no Arestcrat lock screen



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-04-2013
Ran by SYSTEM at 2013-04-14 22:17:54 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DisplaySwitch Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MSC Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\InnoSetupRegFile.0000000001 Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored successfully .
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).
C:\ProgramData\1.bmp moved successfully.
C:\ProgramData\SystemRoot.exe moved successfully.
C:\Windows\is-F9QLM.exe not found.
C:\Windows\is-F9QLM.msg not found.
C:\Windows\is-F9QLM.lst not found.
C:\$Recycle.Bin\S-1-5-21-3738071279-2821379665-3464394757-1000\$3af376672910c53237868f0ddc354df4 moved successfully.
C:\$Recycle.Bin\S-1-5-18\$3af376672910c53237868f0ddc354df4 moved successfully.

==== End of Fixlog ====

[gringo_pr]

Hello Randu555


These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.


-AdwCleaner-

• Please download AdwCleaner by Xplode onto your desktop.
  
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

• Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  
• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start"
• For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
• Exit/Close RogueKiller+

Gringo

[Randu555]

AdwCleaner-Done

# AdwCleaner v2.200 - Logfile created 04/14/2013 at 22:38:04
# Updated 02/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : User - RANDYDESKTOP
# Boot Mode : Normal
# Running from : C:\Users\User\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Common Files\spigot

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Classes\Installer\Features\90C64EA18BA25EE488BF80DCF07F2FFD
Key Deleted : HKLM\Software\Classes\Installer\Products\90C64EA18BA25EE488BF80DCF07F2FFD
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\DealioToolbar-stub-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\DealioToolbar-stub-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

*************************

AdwCleaner[S1].txt - [3255 octets] - [14/04/2013 22:38:04]

########## EOF - C:\AdwCleaner[S1].txt - [3315 octets] ##########


RogueKiller--Done

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : User [Admin rights]
Mode : Scan -- Date : 04/14/2013 22:47:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : PCShowServer ("C:\Users\User\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe") [7] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3738071279-2821379665-3464394757-1000[...]\Run : PCShowServer ("C:\Users\User\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe") [7] -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SAFEBOOT] HKLM\[...]\ControlSet001\SafeBoot : AlternateShell (C:\ProgramData\SystemRoot.exe) -> FOUND
[SAFEBOOT] HKLM\[...]\ControlSet002\SafeBoot : AlternateShell (C:\ProgramData\SystemRoot.exe) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00E8B0 ATA Device +++++
--- User ---
[MBR] 91d4450360f23900633fb575cf96c020
[BSP] cd03d0a3a6584ed3f3ff17f6389666a6 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04142013_02d2247.txt >>
RKreport[1]_S_04142013_02d2247.txt

[gringo_pr]

Hello Randu555

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
• Log from Combofix
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

[Randu555]

Computer is running well

When I opened IE browser, AVG Toolbar option to enable popped up - I said no
It also popped up a message that I was leaving secure connection - Do I want to continue? I said Yes

ComboFix ran in about 15 minutes without any problems

Log below

Thanks for being so good at this

ComboFix 13-04-14.01 - User 04/14/2013 23:10:41.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4086.2647 [GMT -7:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 192 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User\AppData\Local\assembly\tmp
c:\users\User\g2mdlhlpx.exe
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2013-03-15 to 2013-04-15 )))))))))))))))))))))))))))))))
.
.
2013-04-15 06:21 . 2013-04-15 06:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-15 05:38 . 2013-04-15 05:38 -------- d-----w- C:\FRST
2013-04-15 03:42 . 2013-04-15 03:42 -------- d-----w- c:\users\User\AppData\Local\Programs
2013-04-14 19:48 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1C924725-77E2-484F-868E-8000DB21E018}\mpengine.dll
2013-04-12 13:38 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-11 10:01 . 2013-02-21 10:30 817664 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-04-11 10:01 . 2013-02-21 10:15 1084928 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-04-11 10:01 . 2013-02-21 10:14 53248 ----a-w- c:\windows\system32\jsproxy.dll
2013-04-11 10:01 . 2013-02-21 10:30 1766912 ----a-w- c:\windows\SysWow64\wininet.dll
2013-04-11 10:01 . 2013-02-21 10:15 2240512 ----a-w- c:\windows\system32\wininet.dll
2013-04-11 10:01 . 2013-02-21 10:14 15404544 ----a-w- c:\windows\system32\ieframe.dll
2013-04-11 10:01 . 2013-02-21 10:14 19230208 ----a-w- c:\windows\system32\mshtml.dll
2013-04-08 19:11 . 2013-03-26 02:08 29704 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2013-04-08 19:11 . 2013-03-26 02:08 17928 ----a-w- c:\windows\system32\nitrolocalui2.dll
2013-04-08 19:11 . 2013-04-08 19:11 -------- d-----w- c:\program files\Common Files\Nitro
2013-04-08 19:11 . 2013-04-08 19:11 -------- d-----w- c:\program files (x86)\Nitro
2013-04-08 19:11 . 2013-04-08 19:11 -------- d-----w- c:\program files (x86)\Common Files\Nitro
2013-03-26 02:45 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-03-26 02:45 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-26 02:08 . 2013-03-26 02:08 70152 ----a-w- c:\windows\SysWow64\NLSSRV32.EXE
2013-03-21 04:33 . 2013-03-03 23:26 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{792F7115-C8B7-481F-B61D-A7B77C7904B4}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-11 10:03 . 2011-04-04 19:44 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-04-04 21:50 . 2011-04-05 04:01 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 10:34 . 2013-03-03 23:02 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-03-21 04:22 . 2012-04-13 13:08 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-21 04:22 . 2011-05-18 22:52 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-03 23:48 . 2013-03-03 23:48 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-03 23:48 . 2013-03-03 23:48 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-03-03 23:48 . 2013-03-03 23:48 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-03-03 23:48 . 2013-03-03 23:48 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-03-03 23:48 . 2013-03-03 23:48 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-03-03 23:48 . 2013-03-03 23:48 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-03-03 23:48 . 2013-03-03 23:48 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-03-03 23:48 . 2013-03-03 23:48 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-03-03 23:48 . 2013-03-03 23:48 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-03-03 23:48 . 2013-03-03 23:48 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-03-03 23:48 . 2013-03-03 23:48 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-03-03 23:48 . 2013-03-03 23:48 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-03-03 23:48 . 2013-03-03 23:48 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-03-03 23:48 . 2013-03-03 23:48 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-03-03 23:48 . 2013-03-03 23:48 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-03-03 23:48 . 2013-03-03 23:48 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-03-03 23:48 . 2013-03-03 23:48 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-03-03 23:48 . 2013-03-03 23:48 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-03-03 23:48 . 2013-03-03 23:48 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-03-03 23:48 . 2013-03-03 23:48 81408 ----a-w- c:\windows\system32\icardie.dll
2013-03-03 23:48 . 2013-03-03 23:48 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-03-03 23:48 . 2013-03-03 23:48 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-03-03 23:48 . 2013-03-03 23:48 441856 ----a-w- c:\windows\system32\html.iec
2013-03-03 23:48 . 2013-03-03 23:48 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-03-03 23:48 . 2013-03-03 23:48 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-03 23:48 . 2013-03-03 23:48 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-03-03 23:48 . 2013-03-03 23:48 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-03-03 23:48 . 2013-03-03 23:48 235008 ----a-w- c:\windows\system32\url.dll
2013-03-03 23:48 . 2013-03-03 23:48 216064 ----a-w- c:\windows\system32\msls31.dll
2013-03-03 23:48 . 2013-03-03 23:48 197120 ----a-w- c:\windows\system32\msrating.dll
2013-03-03 23:48 . 2013-03-03 23:48 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-03 23:48 . 2013-03-03 23:48 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-03-03 23:48 . 2013-03-03 23:48 102912 ----a-w- c:\windows\system32\inseng.dll
2013-03-03 23:48 . 2013-03-03 23:48 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-03-03 23:48 . 2013-03-03 23:48 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-03-03 23:48 . 2013-03-03 23:48 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-03-03 23:48 . 2013-03-03 23:48 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-03-03 23:48 . 2013-03-03 23:48 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-03-03 23:48 . 2013-03-03 23:48 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-03-03 23:48 . 2013-03-03 23:48 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-03 23:48 . 2013-03-03 23:48 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-03 23:48 . 2013-03-03 23:48 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-03-03 23:48 . 2013-03-03 23:48 149504 ----a-w- c:\windows\system32\occache.dll
2013-03-03 23:48 . 2013-03-03 23:48 144896 ----a-w- c:\windows\system32\wextract.exe
2013-03-03 23:48 . 2013-03-03 23:48 13824 ----a-w- c:\windows\system32\mshta.exe
2013-03-03 23:48 . 2013-03-03 23:48 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-03-03 23:48 . 2013-03-03 23:48 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-03 23:48 . 2013-03-03 23:48 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-03-03 23:48 . 2013-03-03 23:48 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-03-03 23:46 . 2013-03-03 23:46 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-03-03 23:46 . 2013-03-03 23:46 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-03-03 23:46 . 2013-03-03 23:46 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-03-03 23:46 . 2013-03-03 23:46 3928064 ----a-w- c:\windows\system32\d2d1.dll
2013-03-03 23:46 . 2013-03-03 23:46 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-03-03 23:46 . 2013-03-03 23:46 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-03-03 23:46 . 2013-03-03 23:46 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2013-03-03 23:46 . 2013-03-03 23:46 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2013-03-03 23:46 . 2013-03-03 23:46 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2013-03-03 23:46 . 2013-03-03 23:46 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-03-03 23:46 . 2013-03-03 23:46 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2013-03-03 23:46 . 2013-03-03 23:46 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 363008 ----a-w- c:\windows\system32\dxgi.dll
2013-03-03 23:46 . 2013-03-03 23:46 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2013-03-03 23:46 . 2013-03-03 23:46 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2013-03-03 23:46 . 2013-03-03 23:46 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2013-03-03 23:46 . 2013-03-03 23:46 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-03-03 23:46 . 2013-03-03 23:46 296960 ----a-w- c:\windows\system32\d3d10core.dll
2013-03-03 23:46 . 2013-03-03 23:46 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2013-03-03 23:46 . 2013-03-03 23:46 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2013-03-03 23:46 . 2013-03-03 23:46 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-03-03 23:46 . 2013-03-03 23:46 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2013-03-03 23:46 . 2013-03-03 23:46 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2013-03-03 23:46 . 2013-03-03 23:46 1988096 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2013-03-03 23:46 . 2013-03-03 23:46 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2013-03-03 23:46 . 2013-03-03 23:46 1887232 ----a-w- c:\windows\system32\d3d11.dll
2013-03-03 23:46 . 2013-03-03 23:46 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-03-03 23:46 . 2013-03-03 23:46 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2013-03-03 23:46 . 2013-03-03 23:46 1504768 ----a-w- c:\windows\SysWow64\d3d11.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.exe [2012-06-12 193616]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2012-10-02 15712]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-05 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-09-08 140672]
R4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-30 38608]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [2013-03-26 230408]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2013-03-26 70152]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [2012-06-12 240208]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 04:22]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-01 04:51]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-01 04:51]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3738071279-2821379665-3464394757-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 19:05]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3738071279-2821379665-3464394757-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 19:05]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-ROC_ROC_NT - c:\program files (x86)\AVG Secure Search\ROC_ROC_NT.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-14 23:26:29
ComboFix-quarantined-files.txt 2013-04-15 06:26
.
Pre-Run: 787,081,846,784 bytes free
Post-Run: 788,109,299,712 bytes free
.
- - End Of File - - FCBEE82D5299941F05E8E5681C59292C

[gringo_pr]

Hello Randu555

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
  
• report from Combofix
• let me know of any problems you may have had
• How is the computer doing now after running the script?

Gringo

[Randu555]

Run CFScript: Done

Still getting "You are about to leave a secure internet connection" message when I start IE Browser

Otherwise, still seems to be running well


CFScript Log:

ComboFix 13-04-14.01 - User 04/14/2013 23:45:43.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4086.2346 [GMT -7:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-03-15 to 2013-04-15 )))))))))))))))))))))))))))))))
.
.
2013-04-15 06:53 . 2013-04-15 06:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-15 05:38 . 2013-04-15 05:38 -------- d-----w- C:\FRST
2013-04-15 03:42 . 2013-04-15 03:42 -------- d-----w- c:\users\User\AppData\Local\Programs
2013-04-14 19:48 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1C924725-77E2-484F-868E-8000DB21E018}\mpengine.dll
2013-04-12 13:38 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-11 10:01 . 2013-02-21 10:30 817664 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-04-11 10:01 . 2013-02-21 10:15 1084928 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-04-11 10:01 . 2013-02-21 10:14 53248 ----a-w- c:\windows\system32\jsproxy.dll
2013-04-11 10:01 . 2013-02-21 10:30 1766912 ----a-w- c:\windows\SysWow64\wininet.dll
2013-04-11 10:01 . 2013-02-21 10:15 2240512 ----a-w- c:\windows\system32\wininet.dll
2013-04-11 10:01 . 2013-02-21 10:14 15404544 ----a-w- c:\windows\system32\ieframe.dll
2013-04-11 10:01 . 2013-02-21 10:14 19230208 ----a-w- c:\windows\system32\mshtml.dll
2013-04-08 19:11 . 2013-03-26 02:08 29704 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2013-04-08 19:11 . 2013-03-26 02:08 17928 ----a-w- c:\windows\system32\nitrolocalui2.dll
2013-04-08 19:11 . 2013-04-08 19:11 -------- d-----w- c:\program files\Common Files\Nitro
2013-04-08 19:11 . 2013-04-08 19:11 -------- d-----w- c:\program files (x86)\Nitro
2013-04-08 19:11 . 2013-04-08 19:11 -------- d-----w- c:\program files (x86)\Common Files\Nitro
2013-03-26 02:45 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-03-26 02:45 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-26 02:08 . 2013-03-26 02:08 70152 ----a-w- c:\windows\SysWow64\NLSSRV32.EXE
2013-03-21 04:33 . 2013-03-03 23:26 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{792F7115-C8B7-481F-B61D-A7B77C7904B4}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-11 10:03 . 2011-04-04 19:44 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-04-04 21:50 . 2011-04-05 04:01 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 10:34 . 2013-03-03 23:02 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-03-21 04:22 . 2012-04-13 13:08 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-21 04:22 . 2011-05-18 22:52 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-03 23:48 . 2013-03-03 23:48 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-03 23:48 . 2013-03-03 23:48 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-03-03 23:48 . 2013-03-03 23:48 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-03-03 23:48 . 2013-03-03 23:48 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-03-03 23:48 . 2013-03-03 23:48 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-03-03 23:48 . 2013-03-03 23:48 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-03-03 23:48 . 2013-03-03 23:48 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-03-03 23:48 . 2013-03-03 23:48 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-03-03 23:48 . 2013-03-03 23:48 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-03-03 23:48 . 2013-03-03 23:48 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-03-03 23:48 . 2013-03-03 23:48 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-03-03 23:48 . 2013-03-03 23:48 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-03-03 23:48 . 2013-03-03 23:48 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-03-03 23:48 . 2013-03-03 23:48 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-03-03 23:48 . 2013-03-03 23:48 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-03-03 23:48 . 2013-03-03 23:48 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-03-03 23:48 . 2013-03-03 23:48 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-03-03 23:48 . 2013-03-03 23:48 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-03-03 23:48 . 2013-03-03 23:48 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-03-03 23:48 . 2013-03-03 23:48 81408 ----a-w- c:\windows\system32\icardie.dll
2013-03-03 23:48 . 2013-03-03 23:48 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-03-03 23:48 . 2013-03-03 23:48 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-03-03 23:48 . 2013-03-03 23:48 441856 ----a-w- c:\windows\system32\html.iec
2013-03-03 23:48 . 2013-03-03 23:48 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-03-03 23:48 . 2013-03-03 23:48 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-03 23:48 . 2013-03-03 23:48 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-03-03 23:48 . 2013-03-03 23:48 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-03-03 23:48 . 2013-03-03 23:48 235008 ----a-w- c:\windows\system32\url.dll
2013-03-03 23:48 . 2013-03-03 23:48 216064 ----a-w- c:\windows\system32\msls31.dll
2013-03-03 23:48 . 2013-03-03 23:48 197120 ----a-w- c:\windows\system32\msrating.dll
2013-03-03 23:48 . 2013-03-03 23:48 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-03 23:48 . 2013-03-03 23:48 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-03-03 23:48 . 2013-03-03 23:48 102912 ----a-w- c:\windows\system32\inseng.dll
2013-03-03 23:48 . 2013-03-03 23:48 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-03-03 23:48 . 2013-03-03 23:48 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-03-03 23:48 . 2013-03-03 23:48 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-03-03 23:48 . 2013-03-03 23:48 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-03-03 23:48 . 2013-03-03 23:48 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-03-03 23:48 . 2013-03-03 23:48 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-03-03 23:48 . 2013-03-03 23:48 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-03 23:48 . 2013-03-03 23:48 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-03 23:48 . 2013-03-03 23:48 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-03-03 23:48 . 2013-03-03 23:48 149504 ----a-w- c:\windows\system32\occache.dll
2013-03-03 23:48 . 2013-03-03 23:48 144896 ----a-w- c:\windows\system32\wextract.exe
2013-03-03 23:48 . 2013-03-03 23:48 13824 ----a-w- c:\windows\system32\mshta.exe
2013-03-03 23:48 . 2013-03-03 23:48 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-03-03 23:48 . 2013-03-03 23:48 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-03 23:48 . 2013-03-03 23:48 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-03-03 23:48 . 2013-03-03 23:48 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-03-03 23:46 . 2013-03-03 23:46 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-03-03 23:46 . 2013-03-03 23:46 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-03-03 23:46 . 2013-03-03 23:46 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-03-03 23:46 . 2013-03-03 23:46 3928064 ----a-w- c:\windows\system32\d2d1.dll
2013-03-03 23:46 . 2013-03-03 23:46 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-03-03 23:46 . 2013-03-03 23:46 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-03-03 23:46 . 2013-03-03 23:46 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2013-03-03 23:46 . 2013-03-03 23:46 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2013-03-03 23:46 . 2013-03-03 23:46 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2013-03-03 23:46 . 2013-03-03 23:46 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-03-03 23:46 . 2013-03-03 23:46 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2013-03-03 23:46 . 2013-03-03 23:46 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-03-03 23:46 . 2013-03-03 23:46 363008 ----a-w- c:\windows\system32\dxgi.dll
2013-03-03 23:46 . 2013-03-03 23:46 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2013-03-03 23:46 . 2013-03-03 23:46 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2013-03-03 23:46 . 2013-03-03 23:46 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2013-03-03 23:46 . 2013-03-03 23:46 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-03-03 23:46 . 2013-03-03 23:46 296960 ----a-w- c:\windows\system32\d3d10core.dll
2013-03-03 23:46 . 2013-03-03 23:46 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2013-03-03 23:46 . 2013-03-03 23:46 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2013-03-03 23:46 . 2013-03-03 23:46 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-03-03 23:46 . 2013-03-03 23:46 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2013-03-03 23:46 . 2013-03-03 23:46 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2013-03-03 23:46 . 2013-03-03 23:46 1988096 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2013-03-03 23:46 . 2013-03-03 23:46 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2013-03-03 23:46 . 2013-03-03 23:46 1887232 ----a-w- c:\windows\system32\d3d11.dll
2013-03-03 23:46 . 2013-03-03 23:46 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-03-03 23:46 . 2013-03-03 23:46 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2013-03-03 23:46 . 2013-03-03 23:46 1504768 ----a-w- c:\windows\SysWow64\d3d11.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
c:\program files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.exe [2012-06-12 193616]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2012-10-02 15712]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-05 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-09-08 140672]
R4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-30 38608]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [2013-03-26 230408]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2013-03-26 70152]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [2012-06-12 240208]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 04:22]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-01 04:51]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-01 04:51]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3738071279-2821379665-3464394757-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 19:05]
.
2013-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3738071279-2821379665-3464394757-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 19:05]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1464944]
"IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 2076272]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-14 23:55:38
ComboFix-quarantined-files.txt 2013-04-15 06:55
ComboFix2.txt 2013-04-15 06:26
.
Pre-Run: 788,158,656,512 bytes free
Post-Run: 787,864,023,040 bytes free
.
- - End Of File - - 3933D379FC4584617769772684235FEC

[gringo_pr]

Hello


"You are about to leave a secure internet connection" - there is a check mark that says "do not show mw this again"


I would like to see a report that combofix makes.

extra combofix report

• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

• click ok

copy and paste the report into this topic for me to review

Gringo

[Randu555]

Update for Microsoft Office 2007 (KB2508958)
6500_E709_eDocs
6500_E709_Help
6500_E709n
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.6)
Apple Application Support
Apple Software Update
Bing Bar
Bing Rewards Client Installer
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
D3DX10
Destinations
DeviceDiscovery
DIRECTV Player
DocMgr
DocProc
Fax
Google Chrome
Google Update Helper
GoToMeeting 5.4.0.1082
GPBaseService2
Hewlett-Packard ACLM.NET v1.1.0.0
HP Product Detection
HP Smart Print 2.0
HP Update
HPDiagnosticAlert
HPProductAssistant
Java Auto Updater
Java™ 6 Update 37
Junk Mail filter update
Malwarebytes Anti-Malware version 1.75.0.1300
MarketResearch
Mesh Runtime
Microsoft Easy Assist v2
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2005 Tools for Office Runtime
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
oneworld Timetables
ProductContext
RealDownloader
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealNetworks - Microsoft Visual C++ 2010 Runtime
RealPlayer
RealUpgrade 1.1
Samsung PC Studio 3 USB Driver Installer
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
SmartWebPrinting
SolutionCenter
Spotify
Spybot - Search & Destroy
Status
Toolbox
TrayApp
TWC Customer Controls
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2768021) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio 2008 x64 Redistributables
WebReg
Windows 7 Codec Pack 3.8.0
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources

[gringo_pr]

Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove


Adobe Reader X (10.1.6)
Java™ 6 Update 37

[/list]

• Please download and install Revo Uninstaller Free
• Double click Revo Uninstaller to run it.
• From the list of programs double click on The Program to remove
• When prompted if you want to uninstall click Yes.
• Be sure the Moderate option is selected then click Next.
• The program will run, If prompted again click Yes
• when the built-in uninstaller is finished click on Next.
• Once the program has searched for leftovers click Next.
• Check/tick the bolded items only on the list then click Delete
• when prompted click on Yes and then on next.
• put a check on any folders that are found and select delete
• when prompted select yes then on next
• Once done click Finish.

.



Update Adobe reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com.../readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]


Clean Out Temp Files

• This small application you may want to keep and use once a week to keep the computer clean.
  
  Download CCleaner from here http://www.ccleaner.com/
  
  
• Run the installer to install the application.
• When it gives you the option to install Yahoo toolbar uncheck the box next to it.
• Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
• Click Run Cleaner.
• Close CCleaner.

: Malwarebytes' Anti-Malware :


I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me now

• Double-click mbam icon
• go to the update tab at the top
• click on check for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
• If you accidentally close it, the log file is saved here and will be named like this:
• C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

• Go Here to download HijackThis program
• Save HijackThis to your desktop.
• Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
• Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
• copy and paste hijackthis report into the topic

"information and logs"

• In your next post I need the following
  
  
• Log From MBAM
• report from Hijackthis
• let me know of any problems you may have had
• How is the computer doing now?

Gringo

[Randu555]

re: "You are about to leave a secure internet connection" - there is a check mark that says "do not show mw this again"
Yes, I did see that, but it was a new thing so I wanted you to know


BTW - I don't see where to do this:

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

Thanks