Author Topic: Security Protection hijack (Read 1051 times)

linda93 · « **on:** July 26, 2011, 02:36:41 AM »

Hello all, thank you for being here.

I've been hijacked by a program that calls itself only "Security Protection" with a fake windows emblem. It makes dire threats of w32/worm blaster and it actually screamed at me before lying to me about windows firewall being breached.

The steps I took were to call my dad

and he directed me here. I did restart the computer a couple of times.

Here are the logs I've read to download.

Logfile of random's system information tool 1.09 (written by random/random)
Run by Linda at 2011-07-25 19:07:32
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 341 GB (57%) free of 596 GB
Total RAM: 6133 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:07:41 PM, on 7/25/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\trend micro\Linda.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKLM\..\Run: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PlayOn] C:\Program Files (x86)\MediaMall\PlayOn.exe
O4 - HKCU\..\Run: [googletalk] C:\Users\Linda\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Security Protection] C:\Users\Linda\AppData\Roaming\defender.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex (User 'Default user')
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: Sentinel HASP License Manager (hasplms) - Unknown owner - C:\Windows\system32\hasplms.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files (x86)\MediaMall\MediaMallServer.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TabletServicePen - Unknown owner - C:\Windows\system32\Pen_Tablet.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Program Files\WTouch\WTouchService.exe

--
End of file - 10974 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
wininit.exe
C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
winlogon.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
"c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe"
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
"C:\Program Files\WTouch\WTouchService.exe"
/QuitInfo:0000000000000208;0000000000000214; /AddRef;
/QuitInfo:00000000000002D0;0000000000000210;
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
taskeng.exe {0F929176-E517-49FC-B3F3-46B591B35DFA}
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
taskeng.exe {8A4D2962-C628-47A9-BB5A-A41F45A2E567}
"C:\Program Files\LSI SoftModem\agr64svc.exe"
C:\Windows\SysWOW64\svchost.exe -k Akamai
"C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
"C:\Program Files (x86)\Bonjour\mDNSResponder.exe"
crypserv.exe
C:\Windows\system32\hasplms.exe -run
"c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe"
"C:\Program Files (x86)\MediaMall\MediaMallServer.exe"
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe"
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe /Embedding
"C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe"
Pen_Tablet.exe au
"c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe"
"C:\Windows\system32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-b7aabf9b-8404-4b17-9d64-eec0b4b8657e -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d31ac043-30be-4f70-a6d2-107397f457a2 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d0751110-e26d-4c7e-997f-a7d374bc37f9 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:1ebe6749-cd40-4e4c-bfe5-a7ea59b86164
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
"c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe"
"C:\Windows\system32\wuauclt.exe"
/QuitInfo:00000000000001D4;000000000000053C; /AddRef;
/QuitInfo:0000000000000538;0000000000000548;
/loadhooks /Parent:000000000000186C
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3044 CREDAT:71937
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe -Embedding
"C:\Windows\system32\SearchFilterHost.exe" 0 640 644 652 65536 648
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 18A3A2EE-4963-9B96-530A-EAB790057003 -Reinvoke
"C:\Users\Linda\Desktop\RSITx64.exe"
C:\Windows\system32\wbem\wmiprvse.exe

======Scheduled tasks folder======

C:\Windows\tasks\PCDRScheduledMaintenance.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-07-15 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
{9D425283-D487-4337-BAB6-AB8354A81457}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1584184]
"HP Remote Software"=C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe [2009-02-06 172032]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2009-03-05 154648]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2009-03-05 227352]
"Persistence"=C:\Windows\system32\igfxpers.exe [2009-03-05 202264]
"SmartMenu"=C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [2009-03-05 915512]
"IAAnotif"=C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [2008-12-04 186904]
"CanonSolutionMenu"=C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe [2008-03-10 689488]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2008-03-03 2114376]
"MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2010-11-30 1436224]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1555968]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 138240]
"PlayOn"=C:\Program Files (x86)\MediaMall\PlayOn.exe [2011-05-27 53248]
"googletalk"=C:\Users\Linda\AppData\Roaming\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe []
"Security Protection"=C:\Users\Linda\AppData\Roaming\defender.exe [2011-07-25 842240]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [2008-11-20 62768]
"UpdateLBPShortCut"=c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [2008-12-03 218408]
"UpdatePDIRShortCut"=c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [2008-12-03 218408]
"UpdatePSTShortCut"=c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe [2009-02-02 210216]
"TSMAgent"=c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe [2009-04-09 1328424]
"DVDAgent"=c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe [2009-03-19 1148200]
"HP Software Update"=c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [2008-12-08 54576]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=C:\Program Files (x86)\QuickTime\QTTask.exe [2010-03-18 421888]
"SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]
"AppleSyncNotifier"=C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [2010-07-13 47904]
"UpdateP2GoShortCut"=c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [2008-12-03 218408]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Audible Download Manager.lnk - C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~2\WI371A~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\WI371A~1\Datamngr\x64\IEBHO.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2009-02-26 230400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvyu"=msyuv.dll
"vidc.iyuv"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"vidc.yvu9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\System32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"wave1"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 month======

2011-07-25 19:07:32 ----D---- C:\rsit
2011-07-25 19:07:32 ----D---- C:\Program Files\trend micro
2011-07-25 16:19:20 ----A---- C:\Users\Linda\AppData\Roaming\defender.exe
2011-07-13 03:30:47 ----A---- C:\Windows\system32\win32k.sys
2011-07-13 03:30:46 ----A---- C:\Windows\system32\kernel32.dll
2011-07-13 03:30:45 ----A---- C:\Windows\SYSWOW64\kernel32.dll
2011-07-13 03:30:44 ----A---- C:\Windows\system32\winsrv.dll
2011-07-13 03:30:44 ----A---- C:\Windows\system32\csrsrv.dll
2011-07-05 09:41:44 ----D---- C:\dk7
2011-06-28 13:59:22 ----A---- C:\Windows\system32\schannel.dll
2011-06-28 13:59:21 ----A---- C:\Windows\SYSWOW64\schannel.dll

======List of files/folders modified in the last 1 month======

2011-07-25 19:07:42 ----D---- C:\Windows\Prefetch
2011-07-25 19:07:32 ----RD---- C:\Program Files
2011-07-25 19:07:26 ----D---- C:\Windows\Temp
2011-07-25 19:00:35 ----SHD---- C:\System Volume Information
2011-07-25 18:45:50 ----D---- C:\Windows\System32
2011-07-25 18:45:50 ----D---- C:\Windows\inf
2011-07-25 18:45:50 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-07-25 18:40:05 ----D---- C:\ProgramData\MediaMall
2011-07-25 18:39:50 ----D---- C:\Users\Linda\AppData\Roaming\WTablet
2011-07-25 18:39:15 ----RD---- C:\Program Files (x86)
2011-07-25 16:19:12 ----D---- C:\Users\Linda\AppData\Roaming\Adobe
2011-07-22 13:17:29 ----D---- C:\Users\Linda\AppData\Roaming\BitZipper
2011-07-14 18:38:50 ----SD---- C:\Users\Linda\AppData\Roaming\Microsoft
2011-07-14 03:33:19 ----D---- C:\Windows\winsxs
2011-07-14 03:23:09 ----D---- C:\Windows\system32\catroot
2011-07-14 03:20:36 ----D---- C:\Windows
2011-07-14 03:20:35 ----D---- C:\Windows\SysWOW64
2011-07-14 03:01:46 ----A---- C:\Windows\system32\mrt.exe
2011-07-14 03:01:17 ----SHD---- C:\Windows\Installer
2011-07-14 03:01:09 ----D---- C:\ProgramData\Microsoft Help
2011-07-13 13:27:16 ----D---- C:\Users\Linda\AppData\Roaming\Azureus
2011-07-13 03:30:37 ----D---- C:\Windows\system32\catroot2
2011-07-08 16:51:35 ----D---- C:\Users\Linda\AppData\Roaming\PCStitch Pro
2011-06-29 03:16:04 ----RSD---- C:\Windows\Fonts
2011-06-28 10:02:43 ----HD---- C:\ProgramData
2011-06-26 13:33:38 ----D---- C:\Users\Linda\AppData\Roaming\gtk-2.0

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 iaStor;Intel RAID Controller; C:\Windows\system32\drivers\iastor.sys [2008-12-04 407064]
R0 SCMNdisP;General NDIS Protocol Driver; C:\Windows\system32\DRIVERS\scmndisp.sys [2007-01-19 25312]
R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2010-10-24 188928]
R1 NetworkX;NetworkX; C:\Windows\syswow64\ckldrv.sys []
R2 aksdf;aksdf; \??\C:\Windows\system32\drivers\aksdf.sys [2009-09-21 71040]
R2 aksfridge;Sentinel HASP Fridge; C:\Windows\system32\DRIVERS\aksfridge.sys [2009-08-20 130816]
R2 hardlock;hardlock; \??\C:\Windows\system32\drivers\hardlock.sys [2009-03-13 318464]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\agrsm64.sys [2009-01-20 1254400]
R3 akshasp;SafeNet Inc. HASP Key; C:\Windows\system32\DRIVERS\akshasp.sys [2009-03-13 53760]
R3 akshhl;SafeNet Inc. Sentinel HASP Key; C:\Windows\system32\DRIVERS\akshhl.sys [2007-07-23 56960]
R3 aksusb;SafeNet Inc. USB Key; C:\Windows\system32\DRIVERS\aksusb.sys [2009-03-13 25344]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 34152]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [2009-02-26 10276352]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2009-02-11 1708192]
R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 40832]
R3 msvad_simple;PlayOn Virtual Audio Device; C:\Windows\system32\drivers\povrtdev.sys [2010-12-11 28528]
R3 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 72064]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh64.sys [2009-01-20 195584]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 41984]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\Windows\system32\DRIVERS\wacommousefilter.sys [2007-02-16 12848]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\Windows\system32\DRIVERS\wacomvhid.sys [2009-05-20 15656]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 108544]
S1 SRTSP;SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS []
S1 SRTSPX;SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS []
S2 wntpport;wntpport; C:\Windows\system32\drivers\wntpport.sys []
S3 busbcrw;USB Card Reader Writer driver; C:\Windows\System32\Drivers\bucrw64.sys [2006-10-27 25600]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 6144]
S3 fdrawcmd;Low-level Floppy Driver; \??\C:\Windows\system32\drivers\fdrawcmd.sys [2008-09-27 32408]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 11008]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 7040]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 6656]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 7936]
S3 NAVENG;NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\ENG64.SYS []
S3 NAVEX15;NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\EX64.SYS []
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver; C:\Windows\system32\DRIVERS\wg111v2.sys [2007-12-26 340992]
S3 SydexFDD;Sydex Diskette Driver; \??\C:\Windows\SysWOW64\Drivers\sydexfdd.sys [2009-08-06 13359]
S3 UMPass;Microsoft UMPass Driver; C:\Windows\system32\DRIVERS\umpass.sys [2008-01-20 9728]
S3 USBAAPL64;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl64.sys [2010-04-19 50688]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 8704]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 438328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Program Files\LSI SoftModem\agr64svc.exe [2008-08-26 16896]
R2 Akamai;Akamai NetSession Interface; C:\Windows\System32\svchost.exe [2008-01-20 27648]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-06-10 144176]
R2 Bonjour Service;Bonjour Service; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [2010-05-18 345376]
R2 Crypkey License;Crypkey License; C:\Windows\system32\crypserv.exe [2008-05-07 122880]
R2 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 27648]
R2 hasplms;Sentinel HASP License Manager; C:\Windows\system32\hasplms.exe [2009-12-16 3750400]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-12-04 94208]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2008-12-04 354840]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [2009-03-17 73728]
R2 MediaMall Server;MediaMall Server; C:\Program Files (x86)\MediaMall\MediaMallServer.exe [2011-05-27 4208496]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [2010-11-11 12784]
R2 PSI_SVC_2;Protexis Licensing V2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R2 TabletServicePen;TabletServicePen; C:\Windows\system32\Pen_Tablet.exe [2009-11-23 5556520]
R2 WTouchService;WTouch Service; C:\Program Files\WTouch\WTouchService.exe [2009-11-23 127784]
R3 NisSrv;@c:\Program Files\Microsoft Security Client\Antimalware\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 Norton Internet Security;Norton Internet Security; C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll /prefetch:1 []
S3 GameConsoleService;GameConsoleService; C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe [2008-12-08 242424]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-07-21 654112]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-20 19968]
S3 WPFFontCache_v0400;@c:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

-----------------EOF-----------------

Results of screen317's Security Check version 0.99.17
Windows Vista (UAC is enabled)
Out of date service pack!![/b]
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player
Mozilla Firefox (3.6.13) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
system32 MediaMallServer.exe -?-
``````````End of Log````````````

I know my Jave is out of date, last time I tried to update it I got the scary blue screen and had to restore to a restore point. So I've been to nervous to update it by myself.
I don't know how windows vista got out of date, but I won't do anything untill I'm told to.

Again, thank you for your time.
Linda

Corrine · « **Reply #1 on:** July 26, 2011, 01:51:27 PM »

Hi, Linda. Welcome to LandzDown Forum. Please note: I have family visiting from out of town so may be slow in responding.

We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista - W7 users: Right-click and select "Run As Administrator".
If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
If you don't see file extensions, please see: How to change the file extension.
Click the Start Scan button. Do not use the computer during the scan!
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the "Scan results - Select action for found objects[/b]" and offer 3 options.
- Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

2. Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware and
Launch Malwarebytes' Anti-Malware
Click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, be sure Quick scan is selected, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
Click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Please post contents of that file in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Note: In the event the infection prevents MBAM from running, download rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

Double-click rkill to run.
A command window will open then disappear upon completion, this is normal.
Please leave rkill on the Desktop until otherwise advised.
Do NOT restart your computer after running rkill as the malware program(s) will start again.

Note: If you you receive security warnings about rkill, please ignore and allow the download to continue.

linda93 · « **Reply #2 on:** July 26, 2011, 05:58:31 PM »

Thanks, I have printed out your instructions and will give it a try.
No worries. Enjoy your family.

linda93 · « **Reply #3 on:** July 27, 2011, 02:39:56 PM »

I downloaded and ran TDSSKiller but it did not find anything.

I upgraded Malewarebytes and ran.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7296

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

7/27/2011 7:35:10 AM
mbam-log-2011-07-27 (07-35-10).txt

Scan type: Quick scan
Objects scanned: 187748
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&l=%04x&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Thank-you,
Linda

linda93 · « **Reply #4 on:** July 27, 2011, 03:02:43 PM »

I restarted my computer as soon as I posted. It appeared to boot without hijacker program. Microsoft Security Essentuals popped up and wanted to remove some files, so I let it. I hope that was okay.
The report is not cut and paste friendly.

Rouge:Win32/FakeRean was removed at 7:44 AM
Rouge:Win32/FakeRean was allowed at 7:41 AM
TrojanDownloader:Win32/Karagany.A was allowed at 7:41 AM

Linda

linda93 · « **Reply #5 on:** July 27, 2011, 03:21:23 PM »

For informational sake, in case it's important.
When I logged onto my Yahoo email account Yahoo wanted a new password because they believed my account had been compromised. Didn't say why they believed that though.

Linda

Corrine · « **Reply #6 on:** July 27, 2011, 05:03:25 PM »

Hi, Linda.

E-mail providers use special programs that will show a high level of activity from an account. When that happens, flags are raised and the account owner is directed to their account recovery process. Use a tool such as the Microsoft Password Checker to ensure that you have a strong password. It would also be advisable to change the passwords for other online accounts.

Based on the additional detections by MSE, please do the following.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications.

Now, please run ComboFix:

Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
Double-click ComboFix.exe on your desktop and follow the prompts.
As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click "Yes" to continue scanning for malware.
When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

linda93 · « **Reply #7 on:** July 27, 2011, 06:51:06 PM »

Okay, here is the ComboFix Log

ComboFix 11-07-27.02 - Linda 07/27/2011 11:06:30.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6133.4066 [GMT -7:00]
Running from: c:\users\Linda\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
c:\users\Linda\AppData\Roaming\Adobe\plugs
c:\users\Linda\AppData\Roaming\Adobe\shed
c:\users\Linda\AppData\Roaming\Mozilla\Firefox\Profiles\xj9v8w6t.default\searchplugins\SearchquWebSearch.xml
c:\users\Linda\Desktop\Malware Protection.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-06-27 to 2011-07-27 )))))))))))))))))))))))))))))))
.
.
2011-07-27 18:21 . 2011-07-27 18:23   --------   d-----w-   c:\users\Linda\AppData\Local\temp
2011-07-27 18:21 . 2011-07-27 18:21   --------   d-----w-   c:\users\Mcx1\AppData\Local\temp
2011-07-27 18:21 . 2011-07-27 18:21   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-07-27 18:03 . 2011-07-27 18:04   --------   d-----w-   C:\32788R22FWJFW
2011-07-27 01:45 . 2011-07-13 04:53   8578896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D145E55-5AD6-44BC-9CB3-940430442138}\mpengine.dll
2011-07-26 02:07 . 2011-07-26 02:07   --------   d-----w-   C:\rsit
2011-07-26 02:07 . 2011-07-26 02:07   --------   d-----w-   c:\program files\trend micro
2011-07-13 10:30 . 2011-06-02 13:50   2764288   ----a-w-   c:\windows\system32\win32k.sys
2011-07-13 10:30 . 2011-04-20 16:03   451072   ----a-w-   c:\windows\system32\winsrv.dll
2011-07-13 10:30 . 2011-04-20 15:58   85504   ----a-w-   c:\windows\system32\csrsrv.dll
2011-07-11 00:16 . 2011-07-21 04:19   --------   d-----w-   c:\users\Public\DAP XV7 Demo
2011-07-05 16:41 . 2011-07-05 16:41   --------   d-----w-   C:\dk7
2011-06-28 20:59 . 2011-04-29 16:15   344576   ----a-w-   c:\windows\system32\schannel.dll
2011-06-28 20:59 . 2011-04-29 15:59   276992   ----a-w-   c:\windows\SysWow64\schannel.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 04:53 . 2010-12-31 16:38   8578896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-07 02:52 . 2010-08-17 05:22   41272   ----a-w-   c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2010-08-17 05:22   25912   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-06-16 10:09 . 2010-10-14 02:47   416   ----a-w-   c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-05-28 06:28 . 2011-06-15 23:16   1147904   ----a-w-   c:\windows\system32\wininet.dll
2011-05-28 06:24 . 2011-06-15 23:16   56832   ----a-w-   c:\windows\system32\licmgr10.dll
2011-05-28 06:23 . 2011-06-15 23:16   1538560   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-05-28 06:23 . 2011-06-15 23:16   132096   ----a-w-   c:\windows\system32\iesysprep.dll
2011-05-28 06:23 . 2011-06-15 23:16   77312   ----a-w-   c:\windows\system32\iesetup.dll
2011-05-28 06:08 . 2011-06-15 23:17   916480   ----a-w-   c:\windows\SysWow64\wininet.dll
2011-05-28 06:04 . 2011-06-15 23:16   43520   ----a-w-   c:\windows\SysWow64\licmgr10.dll
2011-05-28 06:04 . 2011-06-15 23:16   1469440   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2011-05-28 06:04 . 2011-06-15 23:16   71680   ----a-w-   c:\windows\SysWow64\iesetup.dll
2011-05-28 06:04 . 2011-06-15 23:16   109056   ----a-w-   c:\windows\SysWow64\iesysprep.dll
2011-05-28 05:33 . 2011-06-15 23:16   479232   ----a-w-   c:\windows\system32\html.iec
2011-05-28 05:10 . 2011-06-15 23:16   385024   ----a-w-   c:\windows\SysWow64\html.iec
2011-05-28 04:53 . 2011-06-15 23:16   162816   ----a-w-   c:\windows\system32\ieUnatt.exe
2011-05-28 04:52 . 2011-06-15 23:16   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2011-05-28 04:33 . 2011-06-15 23:16   133632   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2011-05-28 04:31 . 2011-06-15 23:16   1638912   ----a-w-   c:\windows\SysWow64\mshtml.tlb
2011-05-02 17:16 . 2011-06-15 23:16   739328   ----a-w-   c:\windows\SysWow64\inetcomm.dll
2011-05-02 17:13 . 2011-06-15 23:16   975360   ----a-w-   c:\windows\system32\inetcomm.dll
2011-04-29 13:41 . 2011-06-15 23:17   176128   ----a-w-   c:\windows\system32\drivers\srv2.sys
2011-04-29 13:40 . 2011-06-15 23:17   145920   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2011-04-29 13:39 . 2011-06-15 23:17   275456   ----a-w-   c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 13:39 . 2011-06-15 23:17   135680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 13:39 . 2011-06-15 23:17   107008   ----a-w-   c:\windows\system32\drivers\mrxsmb20.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PlayOn"="c:\program files (x86)\MediaMall\PlayOn.exe" [2011-05-28 53248]
"googletalk"="c:\users\Linda\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-19 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2011-05-17 233936]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files (x86)\Audible\Bin\AudibleDownloadHelper.exe [2009-12-17 1795488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

R2 wntpport;wntpport;

R3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\Drivers\bucrw64.sys

R3 fdrawcmd;Low-level Floppy Driver;c:\windows\system32\drivers\fdrawcmd.sys

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-02-02 23536]
R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys

R3 SydexFDD;Sydex Diskette Driver;c:\windows\SysWOW64\Drivers\sydexfdd.sys [2009-08-06 13359]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 aksdf;aksdf;c:\windows\system32\drivers\aksdf.sys

S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run

S2 MediaMall Server;MediaMall Server;c:\program files (x86)\MediaMall\MediaMallServer.exe [2011-05-28 4208496]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe

S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-11-24 127784]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.1.254
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Linda\AppData\Roaming\Mozilla\Firefox\Profiles\xj9v8w6t.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-10 - (no file)
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Toolbar-10 - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\windows\system32\hasplms.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2011-07-27 11:45:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-27 18:45
.
Pre-Run: 389,111,771,136 bytes free
Post-Run: 388,802,797,568 bytes free
.
- - End Of File - - 82B08F7D06D86CB9071C1C0B2A51123C

Linda

winchester73 · « **Reply #8 on:** July 27, 2011, 08:27:54 PM »

Linda, your computer should be running much better now. Until Corrine returns with the ComboFix instructions (she's better with that than I), you might wish to run an online scan by ESET to see if it uncovers anything that has been missed.

Please go here to run an on-line scan from ESET.

Note: It is easiest if you use Internet explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Corrine · « **Reply #9 on:** July 27, 2011, 09:59:28 PM »

Winchester73 is a mind reader.

Before seeing his instructions to scan with ESET, that was precisely what I was going to have you do next, Linda.

In addition to providing the ESET log, unless you know what C:\dk7 is and intentionally placed it at the route of the C: drive, please go to Jotti: http://virusscan.jotti.org/

Upload the filepath shown below into the "File to upload & scan" box at the upper left:

C:\dk7

Please upload the same file at VirusTotal: http://www.virustotal.com/
In the "Upload a file", browse to the file path above and upload the file.

Please provide the results from both Jotti and VirusTotal in your reply along with the ESET log.

winchester73 · « **Reply #10 on:** July 28, 2011, 12:06:28 AM »

C:\dk7 was created on July 5th. When did your problems start?

Quote from: Corrine on July 27, 2011, 09:59:28 PM

Winchester73 is a mind reader.

You must be the mind reader, as that's just what I was thinking myself!

linda93 · « **Reply #11 on:** July 28, 2011, 03:14:44 AM »

Yikes.
I could not find C:\Program Files\Eset\Eset Online Scanner\log.txt but this what I could paste to the clipboard

C:\Program Files (x86)\HP Games\Farm Mania\Farm-WT.exe   a variant of Win32/Kryptik.SH trojan
C:\ProgramData\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe   a variant of Win32/Kryptik.SH trojan
C:\Users\All Users\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe   a variant of Win32/Kryptik.SH trojan
C:\Users\Linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\7101fbd5-1d189cfe   multiple threats
C:\Users\Linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\5470c8db-26929114   a variant of Win32/Kryptik.QTV trojan
C:\Users\Linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\421c0973-780ead6e   multiple threats
C:\Users\Linda\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\5749493b-4a8f9a28   multiple threats
C:\Users\Linda\Desktop\links\xvid-1.2.2.exe   Win32/Toolbar.Zugo application
C:\Users\Linda\Desktop\meditations\album.zip   Win32/Olmarik.ACK trojan

My problem started what I thought was two days ago when I followed a link to a free pdf of a knitting pattern.

DK7 is a demo installation of DesignAKnit program that I downloaded without realizing it was not compatable with Vista. I downloaded the demo installation file straight to my desktop, tried to install it, and windows told me it was not compatable. It is still there on my desktop. I don't know how it would have got to where you found it.

Sorry that eset scan took forever.

Linda

linda93 · « **Reply #12 on:** July 28, 2011, 04:04:12 AM »

I finally found the eset program file and one log file, it doesn't say much so I might be off.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

Linda

Corrine · « **Reply #13 on:** July 28, 2011, 10:14:56 PM »

Hi, Linda.

Let's start with clearing the Java cache identified in the ESET scan. Please follow the instructions at How do I clear the Java cache?.

Since DK7 is not compatible with Windows Vista, right-click the installation file on your desktop and select "delete".

Let's see if you can update Java. First, go to add/remove programs and uninstall each Java listed, not just Java(TM) 6 Update 21 if there are others listed.

Please download JavaRa and unzip it to your desktop.

Double-click on JavaRa.exe to start the program. (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
Click on Remove Older Versions to remove older versions of Java.
A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment 6u26.

Note: UNCHECK any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:

Code: [Select]

Folder::
C:\dk7

File::
C:\Program Files (x86)\HP Games\Farm Mania\Farm-WT.exe
C:\ProgramData\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe
C:\Users\All Users\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe
C:\Users\Linda\Desktop\links\xvid-1.2.2.exe
C:\Users\Linda\Desktop\meditations\album.zip

Save this as CFScript.txt and place it on your desktop.
Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

linda93 · « **Reply #14 on:** July 29, 2011, 01:31:03 AM »

Here is the Java Log

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jul 28 16:13:24 2011

Found and removed: JavaScript

Found and removed: JavaScript Author

Found and removed: JavaScript1.1

Found and removed: JavaScript1.1 Author

Found and removed: JavaScript1.2

Found and removed: JavaScript1.2 Author

------------------------------------

Finished reporting.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jul 28 16:13:40 2011

------------------------------------

Finished reporting.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jul 28 16:13:46 2011

Here is the ComboFix Log

ComboFix 11-07-27.02 - Linda 07/28/2011 16:40:24.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6133.3955 [GMT -7:00]
Running from: c:\users\Linda\Desktop\ComboFix.exe
Command switches used :: c:\users\Linda\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\HP Games\Farm Mania\Farm-WT.exe"
"c:\programdata\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe"
"c:\users\All Users\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe"
"c:\users\Linda\Desktop\links\xvid-1.2.2.exe"
"c:\users\Linda\Desktop\meditations\album.zip"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\dk7
c:\dk7\0.WAV
c:\dk7\1.WAV
c:\dk7\2.WAV
c:\dk7\3.WAV
c:\dk7\4.WAV
c:\dk7\5.WAV
c:\dk7\6.WAV
c:\dk7\7.WAV
c:\dk7\8.WAV
c:\dk7\9.WAV
c:\dk7\A.WAV
c:\dk7\ADMIRAL.JPG
c:\dk7\ADMIRAL.QPA
c:\dk7\ADMIRAL.STP
c:\dk7\ANNOUNCE.WAV
c:\dk7\ARGYLL.STP
c:\dk7\B.WAV
c:\dk7\C.WAV
c:\dk7\CARPET3.STP
c:\dk7\CARRIAGE.WAV
c:\dk7\CASTOFF.WAV
c:\dk7\CASTON.WAV
c:\dk7\CASUAL.EAS
c:\dk7\CENTRE.WAV
c:\dk7\CHANGE.WAV
c:\dk7\CLASP.STP
c:\dk7\CLASSIC.EAS
c:\dk7\CUSTOM.SIZ
c:\dk7\D.WAV
c:\dk7\DEC.WAV
c:\dk7\DEFAULT.STP
c:\dk7\DEMBABY.SHP
c:\dk7\DEMBOYP.SHP
c:\dk7\DEMCH1.SHP
c:\dk7\DEMCOAT.SHP
c:\dk7\DEMMANV.SHP
c:\dk7\DEMPAT1.QPA
c:\dk7\DEMPAT1.STP
c:\dk7\DEMSKT.SHP
c:\dk7\DEMWW.SHP
c:\dk7\DK-BWCC.DLL
c:\dk7\DK7.CFG
c:\dk7\DK7.DLB
c:\dk7\DK7.EXE
c:\dk7\DK7.HLP
c:\dk7\DK7.KM
c:\dk7\DK7.KSI
c:\dk7\DK7.NLT
c:\dk7\DK7.PCF
c:\dk7\DK7.SBM
c:\dk7\DK7A.DLL
c:\dk7\DK7KNEV.EXE
c:\dk7\DOWNLOAD.WAV
c:\dk7\E.WAV
c:\dk7\E6000.TEC
c:\dk7\E8000.TEC
c:\dk7\ELEPHNTS.STP
c:\dk7\F.WAV
c:\dk7\FTD2XX.DLL
c:\dk7\GARTER.STP
c:\dk7\GO-OFF.WAV
c:\dk7\HANDLACE.STP
c:\dk7\HOLD.WAV
c:\dk7\INC.WAV
c:\dk7\LEFT.WAV
c:\dk7\LOGO
c:\dk7\MARKER.WAV
c:\dk7\MATTERHN.JPG
c:\dk7\MATTERHN.QPA
c:\dk7\MATTERHN.STP
c:\dk7\NEW-METH.WAV
c:\dk7\OVERSIZE.EAS
c:\dk7\PERSIAN.STP
c:\dk7\PICK.WAV
c:\dk7\RIGHT.WAV
c:\dk7\ROOSMLN1.TTF
c:\dk7\SELECT.WAV
c:\dk7\SETCARR.WAV
c:\dk7\SHAPE.VM
c:\dk7\SHEEP.QPA
c:\dk7\SHEEP.STP
c:\dk7\SKY16V3C.DLL
c:\dk7\SL32.EXE
c:\dk7\SL4-REPR.EXE
c:\dk7\SL4.HEX
c:\dk7\SQUIRREL.QPA
c:\dk7\SQUIRREL.STP
c:\dk7\SSAVER.EXE
c:\dk7\STANDARD.SIZ
c:\dk7\START.WAV
c:\dk7\STOP.WAV
c:\dk7\TUCK.STP
c:\dk7\XMAS2.STP
c:\dk7\ZERO.EAS
c:\program files (x86)\HP Games\Farm Mania\Farm-WT.exe
c:\programdata\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe
c:\users\All Users\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe
c:\users\Linda\Desktop\links\xvid-1.2.2.exe
c:\users\Linda\Desktop\meditations\album.zip
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-29 )))))))))))))))))))))))))))))))
.
.
2011-07-29 00:23 . 2011-07-29 00:26   --------   d-----w-   c:\users\Linda\AppData\Local\temp
2011-07-29 00:23 . 2011-07-29 00:23   --------   d-----w-   c:\users\Mcx1\AppData\Local\temp
2011-07-29 00:23 . 2011-07-29 00:23   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-07-28 23:20 . 2011-07-28 23:20   --------   d-----w-   c:\program files (x86)\Common Files\Java
2011-07-28 23:20 . 2011-07-28 23:20   476904   ----a-w-   c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-28 18:29 . 2011-07-13 04:53   8578896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9512969A-2529-4412-8236-9EDA0071892E}\mpengine.dll
2011-07-27 23:54 . 2011-07-27 23:54   --------   d-----w-   c:\program files (x86)\ESET
2011-07-26 02:07 . 2011-07-26 02:07   --------   d-----w-   C:\rsit
2011-07-26 02:07 . 2011-07-26 02:07   --------   d-----w-   c:\program files\trend micro
2011-07-13 10:30 . 2011-06-02 13:50   2764288   ----a-w-   c:\windows\system32\win32k.sys
2011-07-13 10:30 . 2011-04-20 16:03   451072   ----a-w-   c:\windows\system32\winsrv.dll
2011-07-13 10:30 . 2011-04-20 15:58   85504   ----a-w-   c:\windows\system32\csrsrv.dll
2011-07-11 00:16 . 2011-07-21 04:19   --------   d-----w-   c:\users\Public\DAP XV7 Demo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-28 23:20 . 2010-07-15 16:32   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2011-07-13 04:53 . 2010-12-31 16:38   8578896   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-07 02:52 . 2010-08-17 05:22   41272   ----a-w-   c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2010-08-17 05:22   25912   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-06-16 10:09 . 2010-10-14 02:47   416   ----a-w-   c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-05-28 06:28 . 2011-06-15 23:16   1147904   ----a-w-   c:\windows\system32\wininet.dll
2011-05-28 06:24 . 2011-06-15 23:16   56832   ----a-w-   c:\windows\system32\licmgr10.dll
2011-05-28 06:23 . 2011-06-15 23:16   1538560   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-05-28 06:23 . 2011-06-15 23:16   132096   ----a-w-   c:\windows\system32\iesysprep.dll
2011-05-28 06:23 . 2011-06-15 23:16   77312   ----a-w-   c:\windows\system32\iesetup.dll
2011-05-28 06:08 . 2011-06-15 23:17   916480   ----a-w-   c:\windows\SysWow64\wininet.dll
2011-05-28 06:04 . 2011-06-15 23:16   43520   ----a-w-   c:\windows\SysWow64\licmgr10.dll
2011-05-28 06:04 . 2011-06-15 23:16   1469440   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2011-05-28 06:04 . 2011-06-15 23:16   71680   ----a-w-   c:\windows\SysWow64\iesetup.dll
2011-05-28 06:04 . 2011-06-15 23:16   109056   ----a-w-   c:\windows\SysWow64\iesysprep.dll
2011-05-28 05:33 . 2011-06-15 23:16   479232   ----a-w-   c:\windows\system32\html.iec
2011-05-28 05:10 . 2011-06-15 23:16   385024   ----a-w-   c:\windows\SysWow64\html.iec
2011-05-28 04:53 . 2011-06-15 23:16   162816   ----a-w-   c:\windows\system32\ieUnatt.exe
2011-05-28 04:52 . 2011-06-15 23:16   1638912   ----a-w-   c:\windows\system32\mshtml.tlb
2011-05-28 04:33 . 2011-06-15 23:16   133632   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2011-05-28 04:31 . 2011-06-15 23:16   1638912   ----a-w-   c:\windows\SysWow64\mshtml.tlb
2011-05-02 17:16 . 2011-06-15 23:16   739328   ----a-w-   c:\windows\SysWow64\inetcomm.dll
2011-05-02 17:13 . 2011-06-15 23:16   975360   ----a-w-   c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-27_18.24.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2011-07-29 00:25   49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-07-27 18:23   49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-07-27 18:23   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-29 00:25   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-29 00:27   63304 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-07-29 00:27   87858 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-13 19:31 . 2011-07-29 00:27   13848 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2720931165-3588759295-1012784737-1000_UserData.bin
+ 2009-08-13 19:31 . 2011-07-28 22:34   16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-13 19:31 . 2011-07-27 01:46   16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-13 19:31 . 2011-07-28 22:34   32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-13 19:31 . 2011-07-27 01:46   32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-13 19:31 . 2011-07-28 22:34   16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-08-13 19:31 . 2011-07-27 01:46   16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-17 18:53 . 2011-07-29 00:25   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-17 18:53 . 2011-07-27 18:23   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-17 18:53 . 2011-07-27 18:23   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-17 18:53 . 2011-07-29 00:25   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-29 00:25 . 2011-07-29 00:25   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-27 18:22 . 2011-07-27 18:22   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-29 00:25 . 2011-07-29 00:25   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-27 18:22 . 2011-07-27 18:22   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-28 23:20 . 2011-07-28 23:20   157472 c:\windows\SysWOW64\javaws.exe
+ 2011-07-28 23:20 . 2011-07-28 23:20   145184 c:\windows\SysWOW64\javaw.exe
- 2010-07-15 16:32 . 2010-07-15 16:32   145184 c:\windows\SysWOW64\javaw.exe
- 2010-07-15 16:32 . 2010-07-15 16:32   145184 c:\windows\SysWOW64\java.exe
+ 2011-07-28 23:20 . 2011-07-28 23:20   145184 c:\windows\SysWOW64\java.exe
+ 2006-11-02 12:46 . 2011-07-27 18:29   606364 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2011-07-27 14:47   606364 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-07-27 18:29   104964 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2011-07-27 14:47   104964 c:\windows\system32\perfc009.dat
- 2009-08-17 22:39 . 2011-07-22 00:34   262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-08-17 22:39 . 2011-07-28 22:28   262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-02-15 21:37 . 2011-07-29 00:24   364500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-15 21:37 . 2011-07-27 18:22   364500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-28 23:20 . 2011-07-28 23:20   203776 c:\windows\Installer\6360fd3.msi
+ 2011-07-28 23:20 . 2011-07-28 23:20   677376 c:\windows\Installer\6360fcd.msi
- 2008-01-21 03:20 . 2011-07-27 18:23   1425408 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-29 00:25   1425408 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PlayOn"="c:\program files (x86)\MediaMall\PlayOn.exe" [2011-05-28 53248]
"googletalk"="c:\users\Linda\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-19 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2011-05-17 233936]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files (x86)\Audible\Bin\AudibleDownloadHelper.exe [2009-12-17 1795488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe