Topic: Mother's new computer is infected! :(


Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Mother's new computer is infected! :(
« on: May 03, 2011, 02:07:51 AM »
My mother allowed her McAfee trial version to run out on her brand spanking new computer! I used the MCRT and installed MSE for her. I then ran an SASW scan which found Browser Hijacker.Tubby. I am having serious issues here with controlling the touchpad and can't get the sensitivity straightened out. Everything wants to highlight even when the cursor is nowhere near where I am posting, and the type ends up within words already typed or 3-4 lines down.

Logs requested.

Darn! I can't get right click function to work and I can't get select all to work via clicking on edit to copy and paste the logs!

Any ideas what else I can do to get copies of the logs to post?

I'll keep trying. Thank you
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Mother's new computer is infected! :(
« Reply #1 on: May 03, 2011, 02:36:20 AM »
Logfile of random's system information tool 1.08 (written by random/random)
Run by ANNETTA at 2011-05-02 20:50:55
Microsoft Windows 7 Home Premium 
System drive C: has 257 GB (89%) free of 290 GB
Total RAM: 3034 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:51:57 PM, on 5/2/2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\trend micro\ANNETTA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files (x86)\iWin Games\iWinGamesInstaller.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7968 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
"c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe"
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
"C:\Program Files\Dell\DellDock\DockLogin.exe"
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
"C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE"
"C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe"
"C:\Program Files (x86)\iWin Games\iWinGamesInstaller.exe"
"C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe" SERVICE
"C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe"
"taskhost.exe"
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
"C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE"
"C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"
"C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE"
"c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe"
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\wbem\wmiprvse.exe
WLIDSvcM.exe 1808
"C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe"
"C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe" C:\Users\ANNETTA"
"C:\Program Files\Dell\QuickSet\quickset.exe"
"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
"C:\Program Files\DellTPad\Apoint.exe"
"C:\Windows\System32\igfxtray.exe"
"C:\Windows\System32\hkcmd.exe"
"C:\Windows\System32\igfxpers.exe"
"C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
"C:\Program Files\Dell\DellDock\DellDock.exe"
"C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe"
"C:\Program Files\DellTPad\ApMsgFwd.exe" -s{05FA8492-C047-4207-BE65-780D8591C113}
"C:\Program Files\DellTPad\HidFind.exe"
"Apntex.exe"
\??\C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
"C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe"
"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3388 CREDAT:71937
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3388 CREDAT:203009
"C:\Users\ANNETTA\RSITx64.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21 529280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-12-30 49440]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FDDE16B-836F-4806-AB1F-1455CBEFF289}]
Windows Live Messenger Companion Helper - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-11-10 393600]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2011-04-06 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickSet"=C:\Program Files\Dell\QuickSet\QuickSet.exe [2010-06-30 3200672]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2010-06-14 10918504]
"Apoint"=C:\Program Files\DellTPad\Apoint.exe [2010-06-04 392048]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2010-08-25 161304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2010-08-25 386584]
"Persistence"=C:\Windows\system32\igfxpers.exe [2010-08-25 415256]
"MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2010-11-30 1436224]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"=C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [2010-06-08 284696]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\RunOnce]
""C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe""=C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe [2011-04-04 560128]
"Launcher"=C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [2011-01-13 165184]

C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2010-08-25 271360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2011-05-02 20:50:55 ----D---- C:\rsit
2011-05-02 20:50:55 ----D---- C:\Program Files\trend micro
2011-04-30 21:09:33 ----A---- C:\Windows\SYSWOW64\PerfStringBackup.INI
2011-04-30 21:09:31 ----D---- C:\Program Files (x86)\Microsoft Security Client
2011-04-30 21:09:13 ----D---- C:\Program Files\Microsoft Security Client
2011-04-30 21:09:01 ----A---- C:\Windows\system32\drivers\netio.sys
2011-04-30 20:54:12 ----SD---- C:\Windows\SYSWOW64\Microsoft
2011-04-30 20:38:12 ----D---- C:\Users\ANNETTA\AppData\Roaming\Malwarebytes
2011-04-30 20:38:02 ----D---- C:\ProgramData\Malwarebytes
2011-04-30 20:38:02 ----A---- C:\Windows\SYSWOW64\drivers\mbamswissarmy.sys
2011-04-30 20:37:59 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-04-30 20:37:59 ----A---- C:\Windows\system32\drivers\mbam.sys
2011-04-30 20:35:07 ----D---- C:\Users\ANNETTA\AppData\Roaming\SUPERAntiSpyware.com
2011-04-30 20:35:07 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2011-04-30 20:35:04 ----D---- C:\ProgramData\!SASCORE
2011-04-30 20:35:02 ----D---- C:\Program Files\SUPERAntiSpyware
2011-04-30 20:34:26 ----D---- C:\Program Files\CCleaner
2011-04-30 20:30:07 ----D---- C:\Program Files (x86)\Trend Micro
2011-04-27 19:28:02 ----A---- C:\Windows\SYSWOW64\explorer.exe
2011-04-27 19:28:02 ----A---- C:\Windows\explorer.exe
2011-04-27 19:27:59 ----A---- C:\Windows\SYSWOW64\XpsPrint.dll
2011-04-27 19:27:59 ----A---- C:\Windows\system32\XpsPrint.dll
2011-04-27 19:27:29 ----A---- C:\Windows\system32\drivers\ntfs.sys
2011-04-27 19:27:28 ----A---- C:\Windows\SYSWOW64\esent.dll
2011-04-27 19:27:28 ----A---- C:\Windows\system32\esent.dll
2011-04-27 19:27:28 ----A---- C:\Windows\system32\drivers\nvstor.sys
2011-04-27 19:27:28 ----A---- C:\Windows\system32\drivers\nvraid.sys
2011-04-27 19:27:28 ----A---- C:\Windows\system32\drivers\amdsata.sys
2011-04-27 19:27:27 ----A---- C:\Windows\SYSWOW64\fsutil.exe
2011-04-27 19:27:27 ----A---- C:\Windows\system32\fsutil.exe
2011-04-27 19:27:27 ----A---- C:\Windows\system32\drivers\USBSTOR.SYS
2011-04-27 19:27:27 ----A---- C:\Windows\system32\drivers\storport.sys
2011-04-27 19:27:27 ----A---- C:\Windows\system32\drivers\iaStorV.sys
2011-04-27 19:27:27 ----A---- C:\Windows\system32\drivers\amdxata.sys
2011-04-27 19:27:05 ----A---- C:\Windows\SYSWOW64\prevhost.exe
2011-04-27 19:27:05 ----A---- C:\Windows\system32\prevhost.exe
2011-04-16 15:34:48 ----D---- C:\Program Files (x86)\Search Toolbar
2011-04-15 20:21:55 ----D---- C:\Users\ANNETTA\AppData\Roaming\iWinArcade
2011-04-15 10:05:34 ----A---- C:\Windows\SYSWOW64\XpsGdiConverter.dll
2011-04-15 10:05:34 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2011-04-15 10:05:30 ----A---- C:\Windows\SYSWOW64\jscript.dll
2011-04-15 10:05:30 ----A---- C:\Windows\system32\vbscript.dll
2011-04-15 10:05:30 ----A---- C:\Windows\system32\jscript.dll
2011-04-15 10:05:29 ----A---- C:\Windows\SYSWOW64\vbscript.dll
2011-04-15 10:05:26 ----A---- C:\Windows\system32\win32k.sys
2011-04-15 10:05:21 ----A---- C:\Windows\SYSWOW64\mfc42u.dll
2011-04-15 10:05:21 ----A---- C:\Windows\SYSWOW64\mfc42.dll
2011-04-15 10:05:21 ----A---- C:\Windows\system32\mfc42u.dll
2011-04-15 10:05:21 ----A---- C:\Windows\system32\mfc42.dll
2011-04-15 10:05:18 ----A---- C:\Windows\system32\drivers\srvnet.sys
2011-04-15 10:05:18 ----A---- C:\Windows\system32\drivers\srv2.sys
2011-04-15 10:05:18 ----A---- C:\Windows\system32\drivers\srv.sys
2011-04-15 10:05:15 ----A---- C:\Windows\SYSWOW64\atmlib.dll
2011-04-15 10:05:15 ----A---- C:\Windows\SYSWOW64\atmfd.dll
2011-04-15 10:05:15 ----A---- C:\Windows\system32\atmlib.dll
2011-04-15 10:05:15 ----A---- C:\Windows\system32\atmfd.dll
2011-04-15 10:05:06 ----A---- C:\Windows\SYSWOW64\mshtml.dll
2011-04-15 10:05:06 ----A---- C:\Windows\system32\mshtml.dll
2011-04-15 10:05:05 ----A---- C:\Windows\system32\ieframe.dll
2011-04-15 10:05:01 ----A---- C:\Windows\SYSWOW64\ieframe.dll
2011-04-15 10:04:59 ----A---- C:\Windows\system32\urlmon.dll
2011-04-15 10:04:58 ----A---- C:\Windows\SYSWOW64\urlmon.dll
2011-04-15 10:04:58 ----A---- C:\Windows\system32\wininet.dll
2011-04-15 10:04:57 ----A---- C:\Windows\SYSWOW64\wininet.dll
2011-04-15 10:04:56 ----A---- C:\Windows\SYSWOW64\mstime.dll
2011-04-15 10:04:56 ----A---- C:\Windows\SYSWOW64\msfeeds.dll
2011-04-15 10:04:56 ----A---- C:\Windows\SYSWOW64\iedkcs32.dll
2011-04-15 10:04:56 ----A---- C:\Windows\system32\mstime.dll
2011-04-15 10:04:56 ----A---- C:\Windows\system32\msfeeds.dll
2011-04-15 10:04:56 ----A---- C:\Windows\system32\iedkcs32.dll
2011-04-15 10:04:55 ----A---- C:\Windows\SYSWOW64\mshtmled.dll
2011-04-15 10:04:55 ----A---- C:\Windows\SYSWOW64\ieui.dll
2011-04-15 10:04:55 ----A---- C:\Windows\SYSWOW64\iertutil.dll
2011-04-15 10:04:55 ----A---- C:\Windows\SYSWOW64\iepeers.dll
2011-04-15 10:04:55 ----A---- C:\Windows\system32\mshtmled.dll
2011-04-15 10:04:55 ----A---- C:\Windows\system32\ieui.dll
2011-04-15 10:04:55 ----A---- C:\Windows\system32\iertutil.dll
2011-04-15 10:04:55 ----A---- C:\Windows\system32\iepeers.dll
2011-04-15 10:04:54 ----A---- C:\Windows\SYSWOW64\msfeedssync.exe
2011-04-15 10:04:54 ----A---- C:\Windows\SYSWOW64\msfeedsbs.dll
2011-04-15 10:04:54 ----A---- C:\Windows\SYSWOW64\licmgr10.dll
2011-04-15 10:04:54 ----A---- C:\Windows\SYSWOW64\jsproxy.dll
2011-04-15 10:04:54 ----A---- C:\Windows\system32\msfeedssync.exe
2011-04-15 10:04:54 ----A---- C:\Windows\system32\msfeedsbs.dll
2011-04-15 10:04:54 ----A---- C:\Windows\system32\licmgr10.dll
2011-04-15 10:04:54 ----A---- C:\Windows\system32\jsproxy.dll
2011-04-15 10:04:19 ----A---- C:\Windows\system32\winresume.exe
2011-04-15 10:04:19 ----A---- C:\Windows\system32\winload.exe
2011-04-15 10:04:19 ----A---- C:\Windows\system32\kdusb.dll
2011-04-15 10:04:19 ----A---- C:\Windows\system32\kdcom.dll
2011-04-15 10:04:19 ----A---- C:\Windows\system32\kd1394.dll
2011-04-15 10:04:16 ----A---- C:\Windows\system32\inetcomm.dll
2011-04-15 10:04:15 ----A---- C:\Windows\SYSWOW64\inetcomm.dll
2011-04-15 10:04:13 ----A---- C:\Windows\SYSWOW64\dnsapi.dll
2011-04-15 10:04:13 ----A---- C:\Windows\system32\dnsrslvr.dll
2011-04-15 10:04:13 ----A---- C:\Windows\system32\dnscacheugc.exe
2011-04-15 10:04:13 ----A---- C:\Windows\system32\dnsapi.dll
2011-04-15 10:04:12 ----A---- C:\Windows\SYSWOW64\dnscacheugc.exe
2011-04-15 10:04:11 ----A---- C:\Windows\system32\FXSCOVER.exe
2011-04-15 10:04:09 ----A---- C:\Windows\system32\drivers\mrxsmb10.sys
2011-04-15 10:04:08 ----A---- C:\Windows\system32\drivers\mrxsmb20.sys
2011-04-15 10:04:08 ----A---- C:\Windows\system32\drivers\mrxsmb.sys
2011-04-15 10:04:08 ----A---- C:\Windows\system32\drivers\bowser.sys
2011-04-06 11:00:53 ----D---- C:\ProgramData\Sun
2011-04-06 10:43:45 ----A---- C:\Windows\SYSWOW64\javaws.exe
2011-04-06 10:43:45 ----A---- C:\Windows\SYSWOW64\javaw.exe
2011-04-06 10:43:45 ----A---- C:\Windows\SYSWOW64\java.exe
2011-04-06 10:43:45 ----A---- C:\Windows\SYSWOW64\deployJava1.dll
2011-04-06 10:43:37 ----D---- C:\Program Files (x86)\Java
2011-04-03 03:01:42 ----D---- C:\Program Files (x86)\Microsoft.NET

======List of files/folders modified in the last 1 months======

2011-05-02 20:51:57 ----D---- C:\Windows\Prefetch
2011-05-02 20:50:55 ----RD---- C:\Program Files
2011-05-02 20:50:03 ----D---- C:\Windows\Temp
2011-05-02 20:08:39 ----D---- C:\Windows\system32\NDF
2011-05-02 19:52:15 ----D---- C:\Windows\system32\config
2011-05-02 19:39:32 ----D---- C:\Windows\inf
2011-05-02 19:39:32 ----AD---- C:\Windows\System32
2011-05-02 19:39:32 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-05-02 19:30:43 ----SHD---- C:\Windows\Installer
2011-05-02 19:30:18 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2011-05-02 19:30:00 ----SHD---- C:\System Volume Information
2011-05-02 19:26:44 ----D---- C:\Program Files (x86)\Dell DataSafe Local Backup
2011-05-01 11:05:49 ----RSD---- C:\Windows\assembly
2011-05-01 11:05:49 ----D---- C:\Windows\Microsoft.NET
2011-05-01 01:29:06 ----D---- C:\Program Files (x86)\Windows Live
2011-05-01 01:29:01 ----AD---- C:\Windows
2011-05-01 01:28:48 ----D---- C:\Windows\SysWOW64
2011-05-01 01:28:27 ----D---- C:\Windows\winsxs
2011-05-01 01:26:13 ----D---- C:\ProgramData\Skype
2011-05-01 01:26:13 ----D---- C:\Program Files (x86)\Common Files
2011-04-30 22:48:57 ----D---- C:\Windows\debug
2011-04-30 21:29:53 ----SD---- C:\Users\ANNETTA\AppData\Roaming\Microsoft
2011-04-30 21:18:08 ----RD---- C:\Program Files (x86)
2011-04-30 21:09:44 ----D---- C:\Windows\system32\drivers
2011-04-30 21:09:32 ----D---- C:\Windows\system32\catroot
2011-04-30 21:09:31 ----SD---- C:\ProgramData\Microsoft
2011-04-30 20:54:57 ----HD---- C:\ProgramData
2011-04-30 20:49:15 ----D---- C:\Program Files\Common Files
2011-04-30 20:47:03 ----D---- C:\Windows\system32\DriverStore
2011-04-30 20:45:45 ----D---- C:\Windows\system32\Tasks
2011-04-30 20:45:44 ----D---- C:\Windows\Tasks
2011-04-30 20:38:02 ----D---- C:\Windows\SYSWOW64\drivers
2011-04-30 19:18:25 ----D---- C:\Windows\rescache
2011-04-30 18:17:00 ----D---- C:\Windows\system32\catroot2
2011-04-28 17:45:12 ----D---- C:\Windows\SYSWOW64\en-US
2011-04-28 17:45:12 ----D---- C:\Windows\system32\en-US
2011-04-28 17:45:12 ----D---- C:\Windows\AppPatch
2011-04-24 10:59:26 ----D---- C:\Windows\Logs
2011-04-16 08:42:57 ----D---- C:\Windows\SYSWOW64\migration
2011-04-16 08:42:57 ----D---- C:\Program Files\Internet Explorer
2011-04-16 08:42:57 ----D---- C:\Program Files (x86)\Internet Explorer
2011-04-16 08:42:56 ----D---- C:\Windows\system32\migration
2011-04-16 08:42:54 ----D---- C:\Windows\system32\Boot
2011-04-15 20:21:41 ----D---- C:\ProgramData\iWin Games
2011-04-03 14:49:02 ----D---- C:\ProgramData\WildTangent
2011-04-03 11:56:55 ----D---- C:\Program Files (x86)\PopCap Games

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 iaStor;Intel AHCI Controller; C:\Windows\system32\DRIVERS\iaStor.sys [2010-06-08 540696]
R0 PxHlpa64;PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-13 214096]
R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2010-10-24 188928]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
R1 vwififlt;Virtual WiFi Filter Driver; C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-13 59904]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows x64; C:\Windows\system32\DRIVERS\Apfiltr.sys [2010-06-22 304760]
R3 athr;Dell Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athrx.sys [2010-03-02 1594368]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver; C:\Windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [2010-08-25 10611552]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2010-06-14 2395880]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller; C:\Windows\system32\DRIVERS\L1C62x64.sys [2010-06-25 76912]
R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 40832]
R3 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 72064]
S3 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-13 12352]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader; C:\Windows\System32\Drivers\RtsUStor.sys [2010-03-17 232480]
S3 WimFltr;WimFltr; C:\Windows\system32\DRIVERS\wimfltr.sys [2006-11-01 151656]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 !SASCORE;SAS Core Service; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
R2 AERTFilters;Andrea RT Filters Service; C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-17 98208]
R2 DockLoginService;Dock Login Service; C:\Program Files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology; C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-06-08 13336]
R2 iWinGamesInstaller;iWinGamesInstaller; C:\Program Files (x86)\iWin Games\iWinGamesInstaller.exe [2008-07-16 78104]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [2010-11-11 12784]
R2 NOBU;Dell DataSafe Online; C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-08-25 2823000]
R2 SeaPort;SeaPort; C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2010-07-27 249136]
R2 SftService;SoftThinks Agent Service; C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-09-21 2286976]
R3 NisSrv;@c:\Program Files\Microsoft Security Client\Antimalware\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S3 GameConsoleService;GameConsoleService; C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe [2010-09-30 246520]
S3 GoToAssist;GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe [2010-12-30 16680]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2011-04-01 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service; C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

-----------------EOF-----------------

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Mother's new computer is infected! :(
« Reply #2 on: May 03, 2011, 02:41:38 AM »
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2011 at 11:04 PM

Application Version : 4.51.1000

Core Rules Database Version : 6963
Trace Rules Database Version: 4775

Scan type       : Quick Scan
Total Scan Time : 00:14:29

Memory items scanned      : 544
Memory threats detected   : 0
Registry items scanned    : 2571
Registry threats detected : 12
File items scanned        : 11087
File threats detected     : 1

Adware.IWinGames
   (x86) HKU\S-1-5-21-4536941-3974990657-1333900552-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}
   (x86) HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
   C:\PROGRAM FILES (X86)\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20110430-210522-777.DLL

Browser Hijacker.Tubby
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#NoModify
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#NoRepair
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#DisplayName
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#UninstallString
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#DisplayIcon
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#DisplayVersion
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#URLInfoAbout
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#Publisher
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#EstimatedSize
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Mothers new computer is infected! :(
« Reply #3 on: May 03, 2011, 02:50:37 AM »
Boy! That took some talent! :) Had to switch over to my computer to type this and make sure that the SASW log had posted. As soon as I clicked on the post button the log highlighted and I was afraid that I had lost the post.

Additional issues:

No right click function;
can't click on drop down arrows in power options, device manager;
can't scroll when placing the mouse over any scroll bar.

Wasn't like that when I installed MSE for her, it just got worse over the last day or 2 since I found that browser hijacker!

Sorry for the added posts!

Thank you so very much for your time.

Donna
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Mothers new computer is infected! :(
« Reply #4 on: May 03, 2011, 03:35:14 PM »
Hi, Donna.

I'll just bet your mother has received quite a lecture from you by now. :)   Another thing to emphasize to your mother is to create a System Restore point prior to installing any new programs.  The reason is that Windows 7 has a much more robust System Restore than Windows XP and Windows Vista.

If you have an old wired mouse around, you may want to give that a try and see if that gives you better control.

Based on what I have seen and since the A/V was expired, it seems our best bet is to see what ComboFix picks up. 

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  .

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Mothers new computer is infected! :(
« Reply #5 on: May 03, 2011, 10:30:28 PM »
Hi Corrine,

Quote
I'll just bet your mother has received quite a lecture from you by now.
Boy did she!  :)

I couldn't get the touchpad to comply with my wishes to disable MSE AV and I didn't have a USB mouse at the time so I uninstalled it for the time being. I did borrow a mouse from my daughter's computer because after running ComboFix the mouse went erratic on me and I lost all control that was left.

My Mother does have to return home on Thursday and I'll have to give the computer back tomorrow evening.  :( This laptop does not have a D: partition that contains a Recovery Console. It is a Dell Inspiron and she said that she was given disks when purchased at Wal Mart though the disks are 400 miles to the south of me. There is a folder on the C: Drive for System Recovery but it is empty. I was under the impression that all manufacturers included the Recovery Console to save money.

I told her that if we can't get this little baby up and running in time that she'll have to take it to a Tech. Shop near her house and have them reformat it for her. This thing is a mess!  :thud:

I can't thank you enough for helping me here.

Here's the log for you to look at.

 
ComboFix 11-05-03.02 - ANNETTA 05/03/2011  16:52:01.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3034.2128 [GMT -5:00]
Running from: c:\users\ANNETTA\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\users\ANNETTA\RSITx64.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_iWinGamesInstaller
.
.
(((((((((((((((((((((((((   Files Created from 2011-04-03 to 2011-05-03  )))))))))))))))))))))))))))))))
.
.
2011-05-03 21:55 . 2011-05-03 21:55   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-05-03 01:50 . 2011-05-03 01:51   --------   d-----w-   C:\rsit
2011-05-03 01:50 . 2011-05-03 01:51   --------   d-----w-   c:\program files\trend micro
2011-05-01 02:09 . 2010-04-09 11:06   374664   ----a-w-   c:\windows\system32\drivers\netio.sys
2011-05-01 01:54 . 2011-05-01 01:54   --------   d-s---w-   c:\windows\SysWow64\Microsoft
2011-05-01 01:38 . 2011-05-01 01:38   --------   d-----w-   c:\users\ANNETTA\AppData\Roaming\Malwarebytes
2011-05-01 01:38 . 2011-05-01 01:38   --------   d-----w-   c:\programdata\Malwarebytes
2011-05-01 01:38 . 2010-12-20 23:09   38224   ----a-w-   c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-01 01:37 . 2011-05-01 01:38   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-01 01:37 . 2010-12-20 23:08   24152   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-05-01 01:35 . 2011-05-01 01:35   --------   d-----w-   c:\users\ANNETTA\AppData\Roaming\SUPERAntiSpyware.com
2011-05-01 01:35 . 2011-05-01 01:35   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2011-05-01 01:35 . 2011-05-01 01:35   --------   d-----w-   c:\programdata\!SASCORE
2011-05-01 01:35 . 2011-05-01 01:35   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-05-01 01:34 . 2011-05-01 01:34   --------   d-----w-   c:\program files\CCleaner
2011-05-01 01:30 . 2011-05-01 01:30   --------   d-----w-   c:\program files (x86)\Trend Micro
2011-04-28 00:28 . 2011-02-26 06:23   2870272   ----a-w-   c:\windows\explorer.exe
2011-04-28 00:28 . 2011-02-26 05:33   2614784   ----a-w-   c:\windows\SysWow64\explorer.exe
2011-04-16 01:21 . 2011-04-16 01:21   --------   d-----w-   c:\users\ANNETTA\AppData\Roaming\iWinArcade
2011-04-06 16:00 . 2011-04-06 16:00   --------   d-----w-   c:\program files (x86)\Common Files\Java
2011-04-06 15:43 . 2011-04-06 15:43   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2011-04-06 15:43 . 2011-04-06 15:43   --------   d-----w-   c:\program files (x86)\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 00:23 . 2010-06-24 17:33   18328   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-04 06:17 . 2011-04-28 00:27   135168   ----a-w-   c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2011-03-04 06:17 . 2011-04-28 00:27   347648   ----a-w-   c:\windows\apppatch\AppPatch64\AcLayers.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-04-05 560128]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\ANNETTA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-06-08 13336]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys

.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF8562.cfxxe" [X]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2010-06-30 3200672]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-15 10918504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 392048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
mLocal Page = c:\windows\SYSTEM32\blank.htm
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\Toaster.exe
.
**************************************************************************
.
Completion time: 2011-05-03  16:59:52 - machine was rebooted
ComboFix-quarantined-files.txt  2011-05-03 21:59
.
Pre-Run: 270,000,664,576 bytes free
Post-Run: 269,351,825,408 bytes free
.
- - End Of File - - 10492D5ADB824091785031D81EC1F721
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline Aaron Hulett [MSFT]

  • Web Server Manager
  • Administrator
  • Hero Member
  • *****
  • Posts: 1094
  • I take the bus!
    • Microsoft Corporation
Re: Mothers new computer is infected! :(
« Reply #6 on: May 03, 2011, 10:58:32 PM »
Quote
Everything wants to highlight even the cursor is nowhere near where I am posting and the type ends up within words already typed or 3-4 lines down.

Is this referring to trying to type a post or paste a log into the reply box here at this forum? If so, and you're using Internet Explorer, click the Compatibility View icon along the address bar and make sure it's enabled - that should resolve things over here at least.
Aaron Hulett | Malware Protection Center | Microsoft Corporation
This post is provided "AS IS" without warranty, and confers no rights.

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Mothers new computer is infected! :(
« Reply #7 on: May 03, 2011, 11:25:36 PM »
Hi, Donna.

That should have taken care of Tubby.  Try an updated SAS scan and see if it finds anything this time.

I normally use the quick reply box.  As a quick test, I just tried copy/pasting the RSIT log in the reply box and it did act a bit strange. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Mothers new computer is infected! :(
« Reply #8 on: May 04, 2011, 01:46:47 AM »
Hi Aaron,

Quote
Is this referring to trying to type a post or paste a log into the reply box here at this forum?
This happened online or offline, didn't matter where I was. I had no control over the touchpad whatsoever! It's much better now. I am now able to access the settings for the touchpad and I reset them all back to their default settings.

Hi Corrine,

I ran the scan and here are the results: (just some Adware Tracking Cookies)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/03/2011 at 07:47 PM

Application Version : 4.51.1000

Core Rules Database Version : 6982
Trace Rules Database Version: 4775

Scan type       : Complete Scan
Total Scan Time : 00:29:11

Memory items scanned      : 491
Memory threats detected   : 0
Registry items scanned    : 12924
Registry threats detected : 0
File items scanned        : 26503
File threats detected     : 5

Adware.Tracking Cookie
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\annetta@atdmt[1].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@yadro[2].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@clickaider[1].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@doubleclick[2].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@atdmt[1].txt


Now I can finish what I started which was to delete all the "crapware" that was installed by the manufacturer. I did reinstall MSE.

I probably could have run ComboFix myself but I like to practice what I preach, and that is if you're not trained to run those programs have someone who is to guide you.

I can't thank you enough for your guidance here. My mother said to thank you also for your help. I'll send this laptop home with her along with the link to LandzDown on the desktop. 

Donna  :D

"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins
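
The before/after comparison this thread relies on to confirm the cleanup (the first SUPERAntiSpyware scan against the rescan above), as an added example that is not part of the original posts: a small Python parser for the log layout shown here. The function names, and the rule that any non-registry item counts as a file, are assumptions of this example.

```python
import re

# Constructed samples: shortened from the two SUPERAntiSpyware logs in this
# thread; the first log's header counts are adjusted to the shortened list.
SCAN_BEFORE = r"""
Scan type       : Quick Scan
Registry threats detected : 4
File threats detected     : 1

Adware.IWinGames
   (x86) HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
   C:\PROGRAM FILES (X86)\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20110430-210522-777.DLL

Browser Hijacker.Tubby
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#DisplayName
   (x86) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Toolbar#UninstallString
"""
SCAN_AFTER = r"""
Scan type       : Complete Scan
Registry threats detected : 0
File threats detected     : 5

Adware.Tracking Cookie
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\annetta@atdmt[1].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@yadro[2].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@clickaider[1].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@doubleclick[2].txt
   C:\Users\ANNETTA\AppData\Roaming\Microsoft\Windows\Cookies\Low\annetta@atdmt[1].txt
"""

# "Key : value" header line; whitespace is required after the colon so that
# URLs and timestamps such as 11:04 are not mistaken for header fields.
HEADER = re.compile(r"^([A-Za-z ]+?)\s*:\s+(.+)$")
# Registry items start with a hive name, optionally prefixed by "(x86)".
REGISTRY = re.compile(r"^(?:\(x86\)\s+)?(?:HKLM|HKCU|HKCR|HKU)\\", re.I)


def parse_scan(text):
    """Return (header fields, {detection family: [items]}) for one log."""
    header, families, candidate = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: an item belonging to the family named above it.
            if candidate:
                families.setdefault(candidate, []).append(line.strip())
            continue
        match = HEADER.match(line)
        if match:
            header[match.group(1).strip()] = match.group(2).strip()
            candidate = None
        else:
            # Unindented, not a header: a family name if items follow it.
            candidate = line.strip()
    return header, families


def count_mismatches(header, families):
    """Compare the header's threat counts with the items actually listed.

    A mismatch usually means the pasted log was cut off. Assumption: every
    item that is not a registry path is counted as a file.
    """
    items = [item for group in families.values() for item in group]
    registry = sum(1 for item in items if REGISTRY.match(item))
    listed = {"Registry threats detected": registry,
              "File threats detected": len(items) - registry}
    return {key: (int(header[key]), found) for key, found in listed.items()
            if key in header and int(header[key]) != found}


def compare(before, after):
    """Classify detection families as cleared, persisting or new."""
    old, new = set(parse_scan(before)[1]), set(parse_scan(after)[1])
    return {"cleared": sorted(old - new), "persisting": sorted(old & new),
            "new": sorted(new - old)}


if __name__ == "__main__":
    print(compare(SCAN_BEFORE, SCAN_AFTER))
    print(count_mismatches(*parse_scan(SCAN_AFTER)))
```
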

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Mothers new computer is infected! :(
« Reply #9 on: May 04, 2011, 02:03:59 AM »
Ooops! Forgot to tell you. I did uninstall ComboFix via the Run box with this--> combofix /uninstall

 :thumbsup:
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Mothers new computer is infected! :(
« Reply #10 on: May 04, 2011, 02:14:58 AM »
Quote
Ooops! Forgot to tell you. I did uninstall ComboFix via the Run box with this--> combofix /uninstall

 :thumbsup:

Thanks!  I'll let you handle all the security "warnings" and advice about software installations, clicking links in e-mails, etc. However, please tell your Mom she is most welcome.  I was happy to help.

With your busy work schedule, maybe your Mom should register here anyway.  It will provide an extra way of staying in contact. :rose: 

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Mothers new computer is infected! :(
« Reply #11 on: May 04, 2011, 02:37:17 AM »
Quote
Ooops! Forgot to tell you. I did uninstall ComboFix via the Run box with this--> combofix /uninstall

 :thumbsup:

Thanks!  I'll let you handle all the security "warnings" and advice about software installations, clicking links in e-mails, etc. However, please tell your Mom she is most welcome.  I was happy to help.

With your busy work schedule, maybe your Mom should register here anyway.  It will provide an extra way of staying in contact. :rose: 

I left her a very long list of do's and don'ts in a txt file on her desktop that includes not letting my "know-it-all" brother-in-law touch this machine! Sheesh! Some people...you show them where any key is and they think they know it all!

I will let her know that you were more than happy to help and get her to register here when I go to drop the laptop off to her after work tomorrow. My sister who lives near her will be able to guide her as to how to run programs if she ever needs your help. My sister's pretty good at following directions. My mother...well that's another story.  :laughing:

I'm so glad that zep516 introduced me to this site! You guys are great!

Till next time,

Donna  :hug:
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline zep516

  • Full Member
  • ***
  • Posts: 126
Re: Mothers new computer is infected! :(
« Reply #12 on: May 04, 2011, 11:16:50 AM »
Good job! Glad you got it going.
You're only as safe as your last update.