Author Topic: Pop ups after possible fake adobe update alert  (Read 18592 times)


Offline 4on4off

  • Full Member
  • Posts: 54
Pop ups after possible fake adobe update alert
« on: July 17, 2013, 04:03:12 PM »
Hello,

My niece got a new laptop running Windows 8. Doing her usual teenage-girl Facebook stuff and whatnot, she got an "update for Adobe" notice, which she clicked OK on. I don't know if that was legit or not, but soon after she was getting popups relating to dating Asian women and suggestions to clean Windows 8 by running some scan.

I got my hands on it, and when I first got on the net I witnessed the popup ads for the Asian women and also the Adobe update, which didn't look like any I had seen before. I have not used Windows 8 much, but I would think the updates should be at least similar in appearance to those on other operating systems.

I fired it up in safe mode and ran the following (I also disabled just about everything at startup via the Task Manager when doing this):

TDSSKiller, which found nothing.
MBAM, which found and removed 35 items (I still have the log).
MBAR, which found and removed 5 items (I still have the log).
AdwCleaner.
JRT, which among other things found this registry entry (Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?).

Also, while working my way to making this post, an IE window opened up stating the following:
"ATTENTION! It is recommended that you download FLV MPlayer to continue."

The title at the top of the browser says bizcoaching dot info.

I think that is all.

Here is the security check log:

 Results of screen317's Security Check version 0.99.69 
   x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender           
Norton Internet Security   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 TuneUp Utilities 2013   
 TuneUp Utilities Language Pack (en-US)
 TuneUp Utilities 2013   
 Adobe Flash Player    11.8.800.94 
 Google Chrome 28.0.1500.71 
 Google Chrome 28.0.1500.72 
````````Process Check: objlist.exe by Laurent````````
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````

Here are the dds logs:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16384
Run by Ashley at 9:38:23 on 2013-07-17
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3974.2791 [GMT -7:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\dwm.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\MyPC Backup\BackupStack.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhostex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ips\ipsbho.dll
BHO: GetSavin 5.0: {B3522C04-B9DB-4C57-AA22-929092423BDD} -
BHO: Define: {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Ashley\AppData\Local\DefineExt\temp.dat
BHO: SmileysWeLoveToolbar: {e4ef8a64-0a30-48f5-b3fe-5fda978da775} -
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
BHO: LyricsSing: {F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A} - C:\Program Files (x86)\LyricSing\122.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coieplg.dll
TB: SmileysWeLove: {cf0f43ab-9c23-4d7b-8040-201b82844854} -
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Google Update] "C:\Users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Pokki] C:\Windows\System32\rundll32.exe "C:\Users\Ashley\AppData\Local\Pokki\Engine\LaunchDeskband.dll",RunLaunchDeskband
mRun: [CLVirtualDrive] "C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" /R
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
StartupFolder: C:\Users\Ashley\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MYPCBA~1.LNK - C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{69B7796B-5749-4307-8762-6E63F23AFC94} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{69B7796B-5749-4307-8762-6E63F23AFC94}\F46666963656534376 : DHCPNameServer = 192.168.2.1 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: SmileysWeLoveToolbar: {e4ef8a64-0a30-48f5-b3fe-5fda978da775} -
x64-TB: SmileysWeLove: {cf0f43ab-9c23-4d7b-8040-201b82844854} -
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2012-7-31 645952]
R1 CLVirtualDrive;CLVirtualDrive;C:\Windows\System32\Drivers\CLVirtualDrive.sys [2012-9-1 92536]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-9-1 98208]
R2 BackupStack;Computer Backup (MyPC Backup);C:\Program Files (x86)\MyPC Backup\BackupStack.exe [2013-7-1 32808]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-8-10 85504]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-7-9 35232]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2012-9-1 165760]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe [2013-7-13 144368]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-4-16 39056]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe [2012-11-29 2401632]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-9-1 364416]
R3 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130715.001\BHDrvx64.sys [2013-7-16 1393240]
R3 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\Drivers\NISx64\1404000.028\ccsetx64.sys [2013-7-13 169048]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-7-12 138912]
R3 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130716.001\IDSviA64.sys [2013-7-16 513184]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\Drivers\IntcDAud.sys [2012-6-19 342528]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\Drivers\netr28x.sys [2013-4-15 2482960]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2012-9-1 683664]
R3 SmbDrvI;SmbDrvI;C:\Windows\System32\Drivers\Smb_driver_Intel.sys [2012-9-1 43832]
R3 SymDS;Symantec Data Store;C:\Windows\System32\Drivers\NISx64\1404000.028\symds64.sys [2013-7-13 493656]
R3 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\Drivers\NISx64\1404000.028\symefa64.sys [2013-7-13 1139800]
R3 SymIRON;Symantec Iron Driver;C:\Windows\System32\Drivers\NISx64\1404000.028\ironx64.sys [2013-7-13 224416]
R3 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\Drivers\NISx64\1404000.028\symnets.sys [2013-7-13 433752]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys [2012-11-16 11880]
R3 WirelessButtonDriver;HP Wireless Button Driver Service;C:\Windows\System32\Drivers\WirelessButtonDriver64.sys [2012-8-3 20288]
S0 SymELAM;Symantec ELAM Driver;C:\Windows\System32\Drivers\NISx64\1404000.028\symelam.sys [2013-7-13 23448]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe --> C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\Windows\System32\Drivers\RtsP2Stor.sys [2012-9-1 266896]
S3 SmbDrv;SmbDrv;C:\Windows\System32\Drivers\Smb_driver_AMDASF.sys [2012-9-1 41272]
.
=============== Created Last 30 ================
.
2013-07-17 16:25:02   252080   ----a-w-   C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10210.bin
2013-07-17 08:07:58   --------   d-----w-   C:\Windows\ERUNT
2013-07-17 06:51:07   173   ----a-w-   C:\Windows\DeleteOnReboot.bat
2013-07-17 05:23:26   --------   d-----w-   C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-17 04:40:40   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\Malwarebytes
2013-07-17 04:40:31   --------   d-----w-   C:\ProgramData\Malwarebytes
2013-07-17 04:40:30   25928   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2013-07-17 04:40:30   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-17 04:40:11   --------   d-----w-   C:\Users\Ashley\AppData\Local\Programs
2013-07-17 04:07:50   80216   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-17 04:07:50   694616   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-17 03:39:44   --------   d-----w-   C:\Windows\pss
2013-07-15 18:31:19   --------   d-----w-   C:\Program Files (x86)\LyricSing
2013-07-15 02:40:36   --------   d-----w-   C:\Users\Ashley\AppData\Local\CyberLink
2013-07-14 18:51:08   34656   ----a-w-   C:\Windows\System32\TURegOpt.exe
2013-07-14 18:51:03   25952   ----a-w-   C:\Windows\System32\authuitu.dll
2013-07-14 18:51:03   21344   ----a-w-   C:\Windows\SysWow64\authuitu.dll
2013-07-14 18:50:33   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\TuneUp Software
2013-07-14 18:50:25   --------   d-----w-   C:\Program Files (x86)\TuneUp Utilities 2013
2013-07-14 18:50:22   --------   d-----w-   C:\ProgramData\TuneUp Software
2013-07-14 18:50:14   --------   d-sh--w-   C:\ProgramData\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-07-14 18:49:28   --------   d-----w-   C:\Program Files (x86)\SqueekyChocolate, LLC
2013-07-14 18:49:01   --------   d-----w-   C:\Program Files (x86)\Tiny Media Player
2013-07-14 18:44:32   --------   d-----w-   C:\Users\Ashley\AppData\Local\Pokki
2013-07-14 18:42:17   --------   d-----w-   C:\Users\Ashley\AppData\Local\Updater21058
2013-07-14 18:41:08   --------   d-----w-   C:\Users\Ashley\AppData\Local\CRE
2013-07-13 19:18:39   --------   d-----w-   C:\Program Files (x86)\Common Files\Symantec Shared
2013-07-13 19:15:05   --------   d-----w-   C:\Program Files\Paint.NET
2013-07-13 19:14:32   --------   d-----w-   C:\Program Files (x86)\MyPC Backup
2013-07-13 19:14:15   --------   d-----w-   C:\Users\Ashley\AppData\Local\AVG SafeGuard toolbar
2013-07-13 19:13:51   45856   ----a-w-   C:\Windows\System32\drivers\avgtpx64.sys
2013-07-13 19:13:41   --------   d-----w-   C:\ProgramData\AVG SafeGuard toolbar
2013-07-13 19:13:35   --------   d-----w-   C:\Program Files (x86)\AVG SafeGuard toolbar
2013-07-13 19:13:34   --------   d-----w-   C:\Users\Ashley\AppData\Local\Paint.NET
2013-07-13 19:12:43   --------   d--h--w-   C:\ProgramData\Common Files
2013-07-13 17:29:32   433752   ----a-w-   C:\Windows\System32\drivers\NISx64\1404000.028\symnets.sys
2013-07-13 17:29:32   23448   ----a-r-   C:\Windows\System32\drivers\NISx64\1404000.028\symelam.sys
2013-07-13 17:29:31   796760   ----a-w-   C:\Windows\System32\drivers\NISx64\1404000.028\srtsp64.sys
2013-07-13 17:29:31   493656   ----a-w-   C:\Windows\System32\drivers\NISx64\1404000.028\symds64.sys
2013-07-13 17:29:31   36952   ----a-w-   C:\Windows\System32\drivers\NISx64\1404000.028\srtspx64.sys
2013-07-13 17:29:31   224416   ----a-w-   C:\Windows\System32\drivers\NISx64\1404000.028\ironx64.sys
2013-07-13 17:29:31   169048   ----a-w-   C:\Windows\System32\drivers\NISx64\1404000.028\ccsetx64.sys
2013-07-13 17:29:31   1139800   ----a-w-   C:\Windows\System32\drivers\NISx64\1404000.028\symefa64.sys
2013-07-13 17:29:05   --------   d-----w-   C:\Windows\System32\drivers\NISx64\1404000.028
2013-07-13 03:16:07   144384   ----a-w-   C:\Windows\System32\tssdisai.dll
2013-07-13 03:16:07   135680   ----a-w-   C:\Windows\System32\appserverai.dll
2013-07-13 03:16:07   126976   ----a-w-   C:\Windows\System32\RDWebAI.dll
2013-07-13 03:16:07   122880   ----a-w-   C:\Windows\System32\VmHostAI.dll
2013-07-13 03:16:06   148480   ----a-w-   C:\Windows\System32\poqexec.exe
2013-07-13 03:16:06   132608   ----a-w-   C:\Windows\SysWow64\poqexec.exe
2013-07-13 03:08:59   2361344   ----a-w-   C:\Windows\System32\msxml6.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\SysWow64\msxml6r.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\SysWow64\msxml3r.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\System32\msxml6r.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\System32\msxml3r.dll
2013-07-13 03:08:58   1836032   ----a-w-   C:\Windows\System32\msxml3.dll
2013-07-13 03:08:58   1802240   ----a-w-   C:\Windows\SysWow64\msxml6.dll
2013-07-13 03:08:58   1438720   ----a-w-   C:\Windows\SysWow64\msxml3.dll
2013-07-12 19:55:19   --------   d-----w-   C:\Users\Ashley\AppData\Local\Adobe
2013-07-12 19:47:04   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\hpqlog
2013-07-12 17:18:32   50784   ----a-w-   C:\ProgramData\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-07-12 17:18:30   17536   ----a-w-   C:\ProgramData\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-07-12 07:02:49   --------   d-----r-   C:\Program Files (x86)\Skype
2013-07-12 07:00:53   --------   d-----w-   C:\Users\Ashley\AppData\Local\DefineExt
2013-07-12 06:58:54   --------   d-----w-   C:\Users\Ashley\AppData\Local\Real
2013-07-12 06:58:47   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\RealNetworks
2013-07-12 06:58:21   --------   d-----w-   C:\Program Files (x86)\RealNetworks
2013-07-12 06:58:19   --------   d-----w-   C:\ProgramData\RealNetworks
2013-07-12 06:58:09   --------   d-----w-   C:\Program Files (x86)\Common Files\xing shared
2013-07-12 06:57:24   --------   d-----w-   C:\Users\Ashley\AppData\Local\Google
2013-07-12 04:02:36   --------   d-----w-   C:\Users\Ashley\AppData\Local\ElevatedDiagnostics
2013-07-12 04:02:14   --------   d-----w-   C:\Users\Ashley\AppData\Local\Hewlett-Packard
2013-07-12 02:54:40   --------   d-----w-   C:\Users\Ashley\AppData\Local\CrashDumps
2013-07-12 02:54:21   --------   d-----w-   C:\Users\Ashley\AppData\Local\Diagnostics
2013-07-12 02:45:04   --------   d-----r-   C:\Users\Ashley\Searches
2013-07-12 02:45:04   --------   d-----r-   C:\Users\Ashley\Contacts
2013-07-12 02:43:14   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\Synaptics
2013-07-12 02:43:07   --------   d-----w-   C:\Users\Ashley\AppData\Local\Power2Go8
2013-07-12 02:42:46   --------   d-----w-   C:\Users\Ashley\AppData\Local\VirtualStore
2013-07-12 02:42:30   --------   d-----w-   C:\Users\Ashley\AppData\Local\Packages
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Videos
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Saved Games
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Pictures
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Music
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Links
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Downloads
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Documents
.
==================== Find3M  ====================
.
2013-07-13 17:31:11   177312   ----a-w-   C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-07-12 06:57:57   499712   ----a-w-   C:\Windows\SysWow64\msvcp71.dll
2013-07-12 06:57:57   348160   ----a-w-   C:\Windows\SysWow64\msvcr71.dll
2013-05-17 02:12:26   819440   ----a-w-   C:\Windows\System32\SynCOM.dll
2013-05-17 02:12:26   351984   ----a-w-   C:\Windows\SysWow64\SynCom.dll
2013-05-17 02:12:22   524016   ----a-w-   C:\Windows\System32\drivers\SynTP.sys
2013-05-17 02:12:22   192240   ----a-w-   C:\Windows\System32\SynTPCo19.dll
2013-05-17 02:12:22   151280   ----a-w-   C:\Windows\SysWow64\SynTPCom.dll
2013-05-17 02:12:20   264432   ----a-w-   C:\Windows\System32\SynTPAPI.dll
.
============= FINISH:  9:39:06.74 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8
Boot Device: \Device\HarddiskVolume2
Install Date: 7/11/2013 7:40:45 PM
System Uptime: 7/17/2013 9:32:13 AM (0 hours ago)
.
Motherboard: Hewlett-Packard |  | 1854
Processor: Intel(R) Core(TM) i3-2328M CPU @ 2.20GHz | U3E1 | 2200/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 442 GiB total, 398.843 GiB free.
D: is FIXED (NTFS) - 23 GiB total, 2.738 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP3: 7/12/2013 12:02:16 AM - Installed Skype™ 6.3
RP5: 7/13/2013 12:13:41 PM - Paint.NET v3.5.10
RP6: 7/14/2013 12:19:06 PM - Removed Smileys We Love Toolbar for IE
.
==== Installed Programs ======================
.
4 Elements II
Adobe Shockwave Player 11.6
AVG SafeGuard toolbar
Bejeweled 3
Bonjour
Build-a-lot 4 - Power Source
Chuzzle Deluxe
Cradle Of Egypt Collector's Edition
Cradle of Rome 2
CyberLink LabelPrint
CyberLink Media Suite 10
CyberLink Power2Go 8
CyberLink PowerDVD
CyberLink YouCam
D3DX10
Define Ext
Energy Star
Farm Frenzy
FATE: The Cursed King
Final Drive Fury
FlatOut 2
GetSavin
Google Chrome
Google Talk Plugin
Google Update Helper
Governor of Poker 2 Premium Edition
Hewlett-Packard ACLM.NET v1.2.0.0
Hoyle Card Games
HP Customer Experience Enhancements
HP Documentation
HP Games
HP MyRoom
HP Postscript Converter
HP Quick Launch
HP Recovery Manager
HP Registration Service
HP Software Framework
HP Support Assistant
HP Utility Center
HP Wireless Button Driver
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) SDK for OpenCL - CPU Only Runtime Package
Intel® Trusted Connect Service Client
Jewel Match 3
John Deere Drive Green
Luxor Evolved
LyricsSing
Mahjongg Dimensions Deluxe: Tiles in Time
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Application Error Reporting
Microsoft Office
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mortimer Beckett and the Crimson Thief Premium Edition
MSVCRT
MyPC Backup
Mystery P.I. - Curious Case of Counterfeit Cove
Norton Internet Security
Paint.NET v3.5.10
Peggle Nights
Penguins!
Pokki
Polar Bowler
Polar Golfer
QuickShare
Ralink RT5390R 802.11bgn Wi-Fi Adapter
RealDownloader
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealNetworks - Microsoft Visual C++ 2010 Runtime
RealPlayer
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek PCIE Card Reader
RealUpgrade 1.1
RegCure Pro
Roads of Rome 3
Savings Explorer
Skype™ 6.3
Smileys We Love Toolbar for IE
swMSM
Synaptics Pointing Device Driver
Tales of Lagoona
Tiny Media Player v1.0
TuneUp Utilities 2013
TuneUp Utilities Language Pack (en-US)
Update Installer for WildTangent Games App
Vacation Quest™ - Australia
WildTangent Games
WildTangent Games App
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Language Selector
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
7/17/2013 9:32:56 AM, Error: Service Control Manager [7000]  - The vToolbarUpdater15.3.0 service failed to start due to the following error:  The system cannot find the file specified.
.
==== End Of File ===========================


Sorry for the long windedness.

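A mechanical first pass over the "Pseudo HJT Report" section of the DDS log above, as an added example that is not part of the original post and is not code from the DDS tool. It parses the BHO/TB and Run-key lines and flags the same things a helper's eye catches first: a registered CLSID with no module path at all (the GetSavin and SmileysWeLove entries), a browser extension whose module is not a .dll (Define's temp.dat), and anything loading from a user profile directory instead of Program Files. The sample lines are copied from the log in the post; the heuristics and the function names (parse_hjt, triage, first_path) are my own choices, not anything DDS defines.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from dataclasses import dataclass, field

# "<kind>: <name>: {CLSID} - <path>"  for BHO / TB lines (and their x64- variants)
CLSID_LINE = re.compile(
    r"^(?P<kind>(?:x64-)?(?:BHO|TB)):\s*(?P<name>.+?):\s*"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<path>.*)$"
)
# "<kind>: [<name>] <command line>"  for uRun / mRun lines
RUN_LINE = re.compile(r"^(?P<kind>(?:x64-)?[um]Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# Anything under C:\Users\<name>\AppData\ (heuristic: legitimate software usually lives in Program Files)
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE = r"""
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coieplg.dll
BHO: GetSavin 5.0: {B3522C04-B9DB-4C57-AA22-929092423BDD} -
BHO: Define: {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Ashley\AppData\Local\DefineExt\temp.dat
BHO: LyricsSing: {F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A} - C:\Program Files (x86)\LyricSing\122.dll
TB: SmileysWeLove: {cf0f43ab-9c23-4d7b-8040-201b82844854} -
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Pokki] C:\Windows\System32\rundll32.exe "C:\Users\Ashley\AppData\Local\Pokki\Engine\LaunchDeskband.dll",RunLaunchDeskband
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
"""


@dataclass
class Entry:
    kind: str
    name: str
    path: str                      # module or executable the entry loads ("" if none listed)
    reasons: list = field(default_factory=list)


def first_path(cmd):
    """Return the file a Run value actually loads: the quoted or first token,
    or, when that token is rundll32.exe, the DLL it is told to load."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path, rest = cmd[1:end], cmd[end + 1:]
    else:
        path, _, rest = cmd.partition(" ")
    # rundll32 is only a host process; the DLL argument is what matters for triage
    if path.lower().endswith("rundll32.exe") and rest.strip():
        return first_path(rest).split(",", 1)[0]   # drop the ",ExportName" suffix
    return path


def parse_hjt(text):
    """Parse BHO/TB and Run lines of a pseudo-HJT report into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CLSID_LINE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], m["path"].strip()))
            continue
        m = RUN_LINE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], first_path(m["cmd"])))
    return entries


def triage(entries):
    """Attach review reasons to entries and return only the flagged ones."""
    flagged = []
    for e in entries:
        p = e.path
        if p == "" or p == "<orphaned>":
            e.reasons.append("CLSID registered but no module path (orphaned registration)")
        else:
            if USER_PROFILE.match(p):
                e.reasons.append("loads from a user profile directory rather than Program Files")
            if e.kind.endswith(("BHO", "TB")) and not p.lower().endswith(".dll"):
                e.reasons.append("browser extension module is not a .dll (." + p.rsplit(".", 1)[-1] + ")")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE)):
        print(f"{e.kind:8} {e.name:20} {e.path or '(none)'}")
        for r in e.reasons:
            print("         -", r)
```

Run against the sample it flags GetSavin 5.0, Define, SmileysWeLove and Pokki, and leaves Norton, LyricsSing, Skype and RealPlayer alone. The profile-directory rule is a prompt for a second look rather than a verdict: per-user installers such as Google Update legitimately live under AppData, which is why the script reports reasons instead of deciding for you.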

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 20701
  • "Stronger than the past, united in our goal."
Re: Pop ups after possible fake adobe update alert
« Reply #1 on: July 17, 2013, 04:31:47 PM »
Hi, 4on4off.  It has been a while since your family members have run into problems.  Fortunately, ComboFix has been updated to work with Windows 8.

Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline 4on4off

  • Full Member
  • Posts: 54
Re: Pop ups after possible fake adobe update alert
« Reply #2 on: July 17, 2013, 05:02:41 PM »
Hi Corrine,

"It has been a while since your family members have run into problems" :hysterical:

Ha! That's a good one! While they have had a good run with severe issues I have had to deal with several things that I am able to handle. It seems no matter how much I try to beat into their heads certain habits to stop this stuff from happening it does no good.

This one looks a bit beyond my abilities, as I felt it required tools I am not experienced with yet. That is why I was considering the university. I truly do enjoy working on these things, and it is so frustrating when I can't get it done.

Nice to hear from you again and thank you for the help.

Here is the combofix log:

ComboFix 13-07-16.01 - Ashley 07/17/2013  10:42:39.1.4 - x64
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3974.2813 [GMT -7:00]
Running from: c:\users\Ashley\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-17 to 2013-07-17  )))))))))))))))))))))))))))))))
.
.
2013-07-17 17:48 . 2013-07-17 17:48   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-07-17 16:25 . 2013-07-17 16:25   252080   ----a-w-   c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10210.bin
2013-07-17 08:07 . 2013-07-17 08:07   --------   d-----w-   c:\windows\ERUNT
2013-07-17 06:51 . 2013-07-17 06:51   173   ----a-w-   c:\windows\DeleteOnReboot.bat
2013-07-17 05:23 . 2013-07-17 16:30   --------   d-----w-   c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-17 04:40 . 2013-07-17 04:40   --------   d-----w-   c:\programdata\Malwarebytes
2013-07-17 04:40 . 2013-07-17 04:40   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2013-07-17 04:40 . 2013-04-04 21:50   25928   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-07-17 04:07 . 2012-07-19 02:00   80216   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-17 04:07 . 2012-07-19 02:00   694616   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-15 18:31 . 2013-07-15 18:31   --------   d-----w-   c:\program files (x86)\LyricSing
2013-07-14 18:51 . 2013-06-24 07:41   78185248   ----a-w-   c:\windows\system32\MRT.exe
2013-07-14 18:51 . 2012-11-29 23:31   34656   ----a-w-   c:\windows\system32\TURegOpt.exe
2013-07-14 18:51 . 2012-11-29 23:31   25952   ----a-w-   c:\windows\system32\authuitu.dll
2013-07-14 18:51 . 2012-11-29 23:31   21344   ----a-w-   c:\windows\SysWow64\authuitu.dll
2013-07-14 18:50 . 2013-07-14 18:51   --------   d-----w-   c:\program files (x86)\TuneUp Utilities 2013
2013-07-14 18:50 . 2013-07-14 18:50   --------   d-----w-   c:\programdata\TuneUp Software
2013-07-14 18:50 . 2013-07-14 18:50   --------   d-sh--w-   c:\programdata\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-07-14 18:49 . 2013-07-14 19:16   --------   d-----w-   c:\program files (x86)\SqueekyChocolate, LLC
2013-07-14 18:49 . 2013-07-14 18:49   --------   d-----w-   c:\program files (x86)\Tiny Media Player
2013-07-13 19:18 . 2013-07-13 19:18   --------   d-----w-   c:\program files (x86)\Common Files\Symantec Shared
2013-07-13 19:15 . 2013-07-13 19:15   --------   d-----w-   c:\program files\Paint.NET
2013-07-13 19:14 . 2013-07-13 19:21   --------   d-----w-   c:\program files (x86)\MyPC Backup
2013-07-13 19:13 . 2013-07-13 19:13   45856   ----a-w-   c:\windows\system32\drivers\avgtpx64.sys
2013-07-13 19:13 . 2013-07-13 19:13   --------   d-----w-   c:\programdata\AVG SafeGuard toolbar
2013-07-13 19:13 . 2013-07-13 19:13   --------   d-----w-   c:\program files (x86)\AVG SafeGuard toolbar
2013-07-13 19:12 . 2013-07-13 19:12   --------   d--h--w-   c:\programdata\Common Files
2013-07-13 17:29 . 2013-07-13 19:20   --------   d-----w-   c:\windows\system32\drivers\NISx64\1404000.028
2013-07-13 03:16 . 2012-11-10 04:22   122880   ----a-w-   c:\windows\system32\VmHostAI.dll
2013-07-13 03:16 . 2012-11-10 04:22   144384   ----a-w-   c:\windows\system32\tssdisai.dll
2013-07-13 03:16 . 2012-11-10 04:22   126976   ----a-w-   c:\windows\system32\RDWebAI.dll
2013-07-13 03:16 . 2012-11-10 04:20   135680   ----a-w-   c:\windows\system32\appserverai.dll
2013-07-13 03:16 . 2012-11-10 04:23   132608   ----a-w-   c:\windows\SysWow64\poqexec.exe
2013-07-13 03:16 . 2012-11-10 04:23   148480   ----a-w-   c:\windows\system32\poqexec.exe
2013-07-13 03:08 . 2012-11-01 04:40   2361344   ----a-w-   c:\windows\system32\msxml6.dll
2013-07-13 03:08 . 2012-11-01 04:41   1802240   ----a-w-   c:\windows\SysWow64\msxml6.dll
2013-07-13 03:08 . 2012-11-01 04:41   1438720   ----a-w-   c:\windows\SysWow64\msxml3.dll
2013-07-13 03:08 . 2012-11-01 04:40   1836032   ----a-w-   c:\windows\system32\msxml3.dll
2013-07-13 03:08 . 2012-11-01 04:21   2048   ----a-w-   c:\windows\system32\msxml6r.dll
2013-07-13 03:08 . 2012-11-01 04:21   2048   ----a-w-   c:\windows\system32\msxml3r.dll
2013-07-13 03:08 . 2012-11-01 04:20   2048   ----a-w-   c:\windows\SysWow64\msxml6r.dll
2013-07-13 03:08 . 2012-11-01 04:20   2048   ----a-w-   c:\windows\SysWow64\msxml3r.dll
2013-07-12 17:18 . 2013-07-12 17:18   50784   ----a-w-   c:\programdata\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-07-12 17:18 . 2013-07-12 17:18   17536   ----a-w-   c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----w-   c:\program files (x86)\Common Files\Skype
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----r-   c:\program files (x86)\Skype
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----w-   c:\programdata\Skype
2013-07-12 06:58 . 2013-07-12 06:58   --------   d-----w-   c:\program files (x86)\Common Files\xing shared
2013-07-12 06:57 . 2013-07-12 06:58   --------   d-----w-   c:\program files (x86)\Real
2013-07-12 06:57 . 2013-07-12 06:57   --------   d-----w-   c:\program files (x86)\Google
2013-07-12 02:40 . 2013-07-12 02:45   --------   d-----w-   c:\users\Ashley
2013-07-12 02:33 . 2013-07-13 21:27   --------   d--h--r-   c:\users\Public\AccountPictures
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-13 19:21 . 2012-07-26 08:13   22240   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-07-13 17:31 . 2012-09-02 04:43   177312   ----a-w-   c:\windows\system32\drivers\SYMEVENT64x86.SYS
2013-07-12 06:57 . 2012-09-02 04:37   499712   ----a-w-   c:\windows\SysWow64\msvcp71.dll
2013-07-12 06:57 . 2012-09-02 04:37   348160   ----a-w-   c:\windows\SysWow64\msvcr71.dll
2013-05-17 02:12 . 2013-05-17 02:12   351984   ----a-w-   c:\windows\SysWow64\SynCom.dll
2013-05-17 02:12 . 2012-09-02 05:12   819440   ----a-w-   c:\windows\system32\SynCOM.dll
2013-05-17 02:12 . 2013-05-17 02:12   524016   ----a-w-   c:\windows\system32\drivers\SynTP.sys
2013-05-17 02:12 . 2013-05-17 02:12   192240   ----a-w-   c:\windows\system32\SynTPCo19.dll
2013-05-17 02:12 . 2013-05-17 02:12   151280   ----a-w-   c:\windows\SysWow64\SynTPCom.dll
2013-05-17 02:12 . 2013-05-17 02:12   264432   ----a-w-   c:\windows\system32\SynTPAPI.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE}]
2013-06-26 23:07   830312   ----a-w-   c:\users\Ashley\AppData\Local\DefineExt\temp.dat
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A}]
2013-07-15 00:10   185856   ----a-w-   c:\program files (x86)\LyricSing\122.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-03-01 18642024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLVirtualDrive"="c:\program files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" [2012-07-26 491320]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2012-03-29 91432]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-07-09 580512]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2013-07-12 295512]
.
c:\users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MyPC Backup.lnk - c:\program files (x86)\MyPC Backup\MyPC Backup.exe [2013-7-1 1945128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe

R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe

R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsP2Stor.sys

R3 SmbDrv;SmbDrv;c:\windows\System32\drivers\Smb_driver_AMDASF.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_AMDASF.sys

R4 SymELAM;Symantec ELAM Driver;c:\windows\system32\drivers\NISx64\1404000.028\SymELAM.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SymELAM.sys

S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys

S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe

S2 BackupStack;Computer Backup (MyPC Backup);c:\program files (x86)\MyPC Backup\BackupStack.exe;c:\program files (x86)\MyPC Backup\BackupStack.exe

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe

S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe

S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe

S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

S3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130715.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130715.001\BHDrvx64.sys

S3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\ccSetx64.sys

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

S3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130716.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130716.001\IDSvia64.sys

S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys

S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys

S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys

S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys

S3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1404000.028\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMDS64.SYS

S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1404000.028\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMEFA64.SYS

S3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\Ironx64.SYS

S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1404000.028\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1404000.028\SYMNETS.SYS

S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys

S3 WirelessButtonDriver;HP Wireless Button Driver Service;c:\windows\System32\drivers\WirelessButtonDriver64.sys;c:\windows\SYSNATIVE\drivers\WirelessButtonDriver64.sys

.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
apphost   REG_MULTI_SZ      apphostsvc
iissvcs   REG_MULTI_SZ      w3svc was
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 04:33   1173456   ----a-w-   c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-12 19:56]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-12 06:57]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-12 06:57]
.
2013-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1886273126-1053659535-1430386885-1001Core.job
- c:\users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-14 07:02]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1886273126-1053659535-1430386885-1001UA.job
- c:\users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-14 07:02]
.
2013-07-17 c:\windows\Tasks\LyricsSing Update.job
- c:\program files (x86)\LyricSing\lSing.exe [2013-07-15 00:10]
.
2013-07-16 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\windows\system32\rundll32.exe [2012-07-26 03:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-08-09 170304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-08-09 398656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-08-09 440640]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{B3522C04-B9DB-4C57-AA22-929092423BDD} - c:\users\Ashley\AppData\Local\getsavin\ie\getsavin_1373612341.dll
BHO-{e4ef8a64-0a30-48f5-b3fe-5fda978da775} - c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader.dll
Toolbar-{cf0f43ab-9c23-4d7b-8040-201b82844854} - c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader.dll
Wow6432Node-HKCU-Run-Pokki - %LOCALAPPDATA%\Pokki\Engine\LaunchDeskband.dll
BHO-{e4ef8a64-0a30-48f5-b3fe-5fda978da775} - c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader64.dll
Toolbar-{cf0f43ab-9c23-4d7b-8040-201b82844854} - c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader64.dll
AddRemove-GetSavin - c:\users\Ashley\AppData\Local\getsavin\uninst.exe
AddRemove-Savings Explorer - c:\program files (x86)\Savings Explorer\Uninstall.exe
AddRemove-{B8019B54-F9BE-490A-9619-6D06F18F129F} - c:\program files (x86)\InstallShield Installation Information\{B8019B54-F9BE-490A-9619-6D06F18F129F}\setup.exe
AddRemove-{C547F361-5750-4CD1-9FB6-BC93827CB6C1} - c:\program files (x86)\ParetoLogic\RegCure Pro\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2013-07-17  10:51:11
ComboFix-quarantined-files.txt  2013-07-17 17:51
.
Pre-Run: 427,843,706,880 bytes free
Post-Run: 427,884,322,816 bytes free
.
- - End Of File - - 6C4FBADAE5D2319CB6FD80B6B5C84B69
D41D8CD98F00B204E9800998ECF8427E



Offline Corrine

Re: Pop ups after possible fake adobe update alert
« Reply #3 on: July 17, 2013, 06:56:32 PM »
Hi, 4on4off.

Personally, I do not trust "PC optimizing" programs.  This includes TuneUp Utilities 2013 that your niece has installed.  To start, a new computer does not need "optimizing".  However, more seriously, Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows 7 and Windows 8 and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or Windows at a later time.

Regarding MyPCBackup, as indicated at WOT (mypcbackup.com), the site does not have a very good reputation.  It was added to hpHOSTS 16APR2013 by MysteryFCM (who is Steven Burn, a fellow Microsoft Consumer Security MVP who also is a Research Engineer on the Malwarebytes Staff).

I would encourage you to consider uninstalling both MyPCBackup and TuneUp Utilities 2013.

There is a file that was in the DDS log that I'm not seeing in ComboFix nor is it in the orphans removed.  Let's see if it shows up this way.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
FileLook::
C:\Windows\system32\dwm.exe
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
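A small triage script for the "Reg Loading Points" section that Corrine is reading in these logs, added here as an example and not part of this thread or of ComboFix itself. It parses a few lines constructed from the entries quoted above and flags BHO and Run entries that load from the user profile, point a BHO at a non-DLL file, or carry ComboFix's [BU] marker (in this thread, the [BU] entries are the same ones the earlier run listed under ORPHANS REMOVED).

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix-style log.

Added example; it is not part of this thread and not ComboFix's own code.
The sample below is constructed from entries quoted in the logs above.
"""
import re
from dataclasses import dataclass

# A Windows path rooted at a drive letter or %VAR%, running up to the closing
# quote, the trailing "[date size]" / "[BU]" annotation, or the end of line.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[A-Za-z]+%)\\[^"\[\]]+?)\s*(?="|\s\[|$)')
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
SERVICE_RE = re.compile(r"^[RS]\d ")   # R2/S3 lines: the service list that follows

@dataclass
class LoadPoint:
    key: str     # registry key (or Startup folder) the entry was listed under
    path: str    # file the entry loads
    bu: bool     # the line carried ComboFix's [BU] marker

def parse_loading_points(log_text):
    """Return the LoadPoints listed between 'Reg Loading Points' and the service list."""
    points, key, in_section = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section or line in ("", "."):
            continue
        if SERVICE_RE.match(line):
            break
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.endswith("\\"):          # a Startup-folder header acts as the key
            key = line
            continue
        pm = PATH_RE.search(line)
        if pm and key:
            points.append(LoadPoint(key, pm.group(1), "[BU]" in line))
    return points

def reasons_for(p):
    """The checks a reviewer applies by eye when reading these sections."""
    low = p.path.lower()
    reasons = []
    if low.startswith(("c:\\users\\", "%localappdata%", "%appdata%")) or "\\appdata\\" in low:
        reasons.append("loads from a user profile directory")
    if "browser helper objects" in p.key.lower() and not low.endswith(".dll"):
        reasons.append("BHO points at a non-DLL file name")
    if p.bu:
        reasons.append("carries ComboFix's [BU] marker")
    return reasons

def triage(points):
    """Pair each suspicious LoadPoint with its reasons; unflagged entries are dropped."""
    flagged = []
    for p in points:
        reasons = reasons_for(p)
        if reasons:
            flagged.append((p, reasons))
    return flagged

# Constructed sample in the log's own layout, taken from entries quoted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B3522C04-B9DB-4C57-AA22-929092423BDD}]
c:\users\Ashley\AppData\Local\getsavin\ie\getsavin_1373612341.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE}]
2013-06-26 23:07   830312   ----a-w-   c:\users\Ashley\AppData\Local\DefineExt\temp.dat
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A}]
2013-07-15 00:10   185856   ----a-w-   c:\program files (x86)\LyricSing\122.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-03-01 18642024]
.
c:\users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MyPC Backup.lnk - c:\program files (x86)\MyPC Backup\MyPC Backup.exe [2013-7-1 1945128]
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe
"""

if __name__ == "__main__":
    for p, reasons in triage(parse_loading_points(SAMPLE_LOG)):
        print(p.path, "<-", "; ".join(reasons))
```

Path heuristics alone miss adware that installs under Program Files (the LyricSing BHO in the sample comes back clean), so an empty result means "nothing obvious", not "clean".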

Offline 4on4off

Re: Pop ups after possible fake adobe update alert
« Reply #4 on: July 17, 2013, 07:23:37 PM »
Thanks Corrine,

Here is the new combofix log:

ComboFix 13-07-16.01 - Ashley 07/17/2013  13:01:37.2.4 - x64
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3974.2169 [GMT -7:00]
Running from: c:\users\Ashley\Desktop\ComboFix.exe
Command switches used :: c:\users\Ashley\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-17 to 2013-07-17  )))))))))))))))))))))))))))))))
.
.
2013-07-17 20:06 . 2013-07-17 20:06   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-07-17 16:25 . 2013-07-17 16:25   252080   ----a-w-   c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10210.bin
2013-07-17 08:07 . 2013-07-17 08:07   --------   d-----w-   c:\windows\ERUNT
2013-07-17 06:51 . 2013-07-17 06:51   173   ----a-w-   c:\windows\DeleteOnReboot.bat
2013-07-17 05:23 . 2013-07-17 16:30   --------   d-----w-   c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-17 04:40 . 2013-07-17 04:40   --------   d-----w-   c:\programdata\Malwarebytes
2013-07-17 04:40 . 2013-07-17 04:40   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2013-07-17 04:40 . 2013-04-04 21:50   25928   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-07-17 04:07 . 2012-07-19 02:00   80216   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-17 04:07 . 2012-07-19 02:00   694616   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-15 18:31 . 2013-07-15 18:31   --------   d-----w-   c:\program files (x86)\LyricSing
2013-07-14 18:51 . 2013-06-24 07:41   78185248   ----a-w-   c:\windows\system32\MRT.exe
2013-07-14 18:51 . 2012-11-29 23:31   34656   ----a-w-   c:\windows\system32\TURegOpt.exe
2013-07-14 18:51 . 2012-11-29 23:31   25952   ----a-w-   c:\windows\system32\authuitu.dll
2013-07-14 18:51 . 2012-11-29 23:31   21344   ----a-w-   c:\windows\SysWow64\authuitu.dll
2013-07-14 18:50 . 2013-07-14 18:51   --------   d-----w-   c:\program files (x86)\TuneUp Utilities 2013
2013-07-14 18:50 . 2013-07-14 18:50   --------   d-----w-   c:\programdata\TuneUp Software
2013-07-14 18:50 . 2013-07-14 18:50   --------   d-sh--w-   c:\programdata\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-07-14 18:49 . 2013-07-14 19:16   --------   d-----w-   c:\program files (x86)\SqueekyChocolate, LLC
2013-07-14 18:49 . 2013-07-14 18:49   --------   d-----w-   c:\program files (x86)\Tiny Media Player
2013-07-13 19:18 . 2013-07-13 19:18   --------   d-----w-   c:\program files (x86)\Common Files\Symantec Shared
2013-07-13 19:15 . 2013-07-13 19:15   --------   d-----w-   c:\program files\Paint.NET
2013-07-13 19:14 . 2013-07-13 19:21   --------   d-----w-   c:\program files (x86)\MyPC Backup
2013-07-13 19:13 . 2013-07-13 19:13   45856   ----a-w-   c:\windows\system32\drivers\avgtpx64.sys
2013-07-13 19:13 . 2013-07-13 19:13   --------   d-----w-   c:\programdata\AVG SafeGuard toolbar
2013-07-13 19:13 . 2013-07-13 19:13   --------   d-----w-   c:\program files (x86)\AVG SafeGuard toolbar
2013-07-13 19:12 . 2013-07-13 19:12   --------   d--h--w-   c:\programdata\Common Files
2013-07-13 17:29 . 2013-07-13 19:20   --------   d-----w-   c:\windows\system32\drivers\NISx64\1404000.028
2013-07-13 03:16 . 2012-11-10 04:22   122880   ----a-w-   c:\windows\system32\VmHostAI.dll
2013-07-13 03:16 . 2012-11-10 04:22   144384   ----a-w-   c:\windows\system32\tssdisai.dll
2013-07-13 03:16 . 2012-11-10 04:22   126976   ----a-w-   c:\windows\system32\RDWebAI.dll
2013-07-13 03:16 . 2012-11-10 04:20   135680   ----a-w-   c:\windows\system32\appserverai.dll
2013-07-13 03:16 . 2012-11-10 04:23   132608   ----a-w-   c:\windows\SysWow64\poqexec.exe
2013-07-13 03:16 . 2012-11-10 04:23   148480   ----a-w-   c:\windows\system32\poqexec.exe
2013-07-13 03:08 . 2012-11-01 04:40   2361344   ----a-w-   c:\windows\system32\msxml6.dll
2013-07-13 03:08 . 2012-11-01 04:41   1802240   ----a-w-   c:\windows\SysWow64\msxml6.dll
2013-07-13 03:08 . 2012-11-01 04:41   1438720   ----a-w-   c:\windows\SysWow64\msxml3.dll
2013-07-13 03:08 . 2012-11-01 04:40   1836032   ----a-w-   c:\windows\system32\msxml3.dll
2013-07-13 03:08 . 2012-11-01 04:21   2048   ----a-w-   c:\windows\system32\msxml6r.dll
2013-07-13 03:08 . 2012-11-01 04:21   2048   ----a-w-   c:\windows\system32\msxml3r.dll
2013-07-13 03:08 . 2012-11-01 04:20   2048   ----a-w-   c:\windows\SysWow64\msxml6r.dll
2013-07-13 03:08 . 2012-11-01 04:20   2048   ----a-w-   c:\windows\SysWow64\msxml3r.dll
2013-07-12 17:18 . 2013-07-12 17:18   50784   ----a-w-   c:\programdata\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-07-12 17:18 . 2013-07-12 17:18   17536   ----a-w-   c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----w-   c:\program files (x86)\Common Files\Skype
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----r-   c:\program files (x86)\Skype
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----w-   c:\programdata\Skype
2013-07-12 06:58 . 2013-07-12 06:58   --------   d-----w-   c:\program files (x86)\Common Files\xing shared
2013-07-12 06:57 . 2013-07-12 06:58   --------   d-----w-   c:\program files (x86)\Real
2013-07-12 06:57 . 2013-07-12 06:57   --------   d-----w-   c:\program files (x86)\Google
2013-07-12 02:40 . 2013-07-12 02:45   --------   d-----w-   c:\users\Ashley
2013-07-12 02:33 . 2013-07-13 21:27   --------   d--h--r-   c:\users\Public\AccountPictures
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-13 19:21 . 2012-07-26 08:13   22240   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-07-13 17:31 . 2012-09-02 04:43   177312   ----a-w-   c:\windows\system32\drivers\SYMEVENT64x86.SYS
2013-07-12 06:57 . 2012-09-02 04:37   499712   ----a-w-   c:\windows\SysWow64\msvcp71.dll
2013-07-12 06:57 . 2012-09-02 04:37   348160   ----a-w-   c:\windows\SysWow64\msvcr71.dll
2013-05-17 02:12 . 2013-05-17 02:12   351984   ----a-w-   c:\windows\SysWow64\SynCom.dll
2013-05-17 02:12 . 2012-09-02 05:12   819440   ----a-w-   c:\windows\system32\SynCOM.dll
2013-05-17 02:12 . 2013-05-17 02:12   524016   ----a-w-   c:\windows\system32\drivers\SynTP.sys
2013-05-17 02:12 . 2013-05-17 02:12   192240   ----a-w-   c:\windows\system32\SynTPCo19.dll
2013-05-17 02:12 . 2013-05-17 02:12   151280   ----a-w-   c:\windows\SysWow64\SynTPCom.dll
2013-05-17 02:12 . 2013-05-17 02:12   264432   ----a-w-   c:\windows\system32\SynTPAPI.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\dwm.exe ---
Company: Microsoft Corporation
File Description: Desktop Window Manager
File Version: 6.2.9200.16384 (win8_rtm.120725-1247)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: dwm.exe.mui
File size: 117760
Created time: 2012-07-25 23:43
Modified time: 2012-07-26 03:08
MD5: EC29CA52113EF803339B1680593390F0
SHA1: 8C8A73E2F976AA7ED7A7F4E8218FE5DB91AC63F2
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B3522C04-B9DB-4C57-AA22-929092423BDD}]
c:\users\Ashley\AppData\Local\getsavin\ie\getsavin_1373612341.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE}]
2013-06-26 23:07   830312   ----a-w-   c:\users\Ashley\AppData\Local\DefineExt\temp.dat
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{e4ef8a64-0a30-48f5-b3fe-5fda978da775}]
c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A}]
2013-07-15 00:10   185856   ----a-w-   c:\program files (x86)\LyricSing\122.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{cf0f43ab-9c23-4d7b-8040-201b82844854}"= "c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{cf0f43ab-9c23-4d7b-8040-201b82844854}]
[HKEY_CLASSES_ROOT\SmileysWeLoveToolbar.SWLIEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-03-01 18642024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLVirtualDrive"="c:\program files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" [2012-07-26 491320]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2012-03-29 91432]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-07-09 580512]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2013-07-12 295512]
.
c:\users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MyPC Backup.lnk - c:\program files (x86)\MyPC Backup\MyPC Backup.exe [2013-7-1 1945128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe

R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe

R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsP2Stor.sys

R3 SmbDrv;SmbDrv;c:\windows\System32\drivers\Smb_driver_AMDASF.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_AMDASF.sys

R4 SymELAM;Symantec ELAM Driver;c:\windows\system32\drivers\NISx64\1404000.028\SymELAM.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SymELAM.sys

S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys

S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe

S2 BackupStack;Computer Backup (MyPC Backup);c:\program files (x86)\MyPC Backup\BackupStack.exe;c:\program files (x86)\MyPC Backup\BackupStack.exe

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe

S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe

S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe

S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

S3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130715.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130715.001\BHDrvx64.sys

S3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\ccSetx64.sys

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

S3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130716.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130716.001\IDSvia64.sys

S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys

S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys

S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys

S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys

S3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1404000.028\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMDS64.SYS

S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1404000.028\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMEFA64.SYS

S3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\Ironx64.SYS

S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1404000.028\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1404000.028\SYMNETS.SYS

S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys;c:\program files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys

S3 WirelessButtonDriver;HP Wireless Button Driver Service;c:\windows\System32\drivers\WirelessButtonDriver64.sys;c:\windows\SYSNATIVE\drivers\WirelessButtonDriver64.sys

.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
apphost   REG_MULTI_SZ      apphostsvc
iissvcs   REG_MULTI_SZ      w3svc was
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 04:33   1173456   ----a-w-   c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-12 19:56]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-12 06:57]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-12 06:57]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1886273126-1053659535-1430386885-1001Core.job
- c:\users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-14 07:02]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1886273126-1053659535-1430386885-1001UA.job
- c:\users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-14 07:02]
.
2013-07-17 c:\windows\Tasks\LyricsSing Update.job
- c:\program files (x86)\LyricSing\lSing.exe [2013-07-15 00:10]
.
2013-07-16 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\windows\system32\rundll32.exe [2012-07-26 03:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-08-09 170304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-08-09 398656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-08-09 440640]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-GetSavin - c:\users\Ashley\AppData\Local\getsavin\uninst.exe
AddRemove-Savings Explorer - c:\program files (x86)\Savings Explorer\Uninstall.exe
AddRemove-{B8019B54-F9BE-490A-9619-6D06F18F129F} - c:\program files (x86)\InstallShield Installation Information\{B8019B54-F9BE-490A-9619-6D06F18F129F}\setup.exe
AddRemove-{C547F361-5750-4CD1-9FB6-BC93827CB6C1} - c:\program files (x86)\ParetoLogic\RegCure Pro\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2013-07-17  13:08:34
ComboFix-quarantined-files.txt  2013-07-17 20:08
ComboFix2.txt  2013-07-17 17:51
.
Pre-Run: 425,058,357,248 bytes free
Post-Run: 424,736,288,768 bytes free
.
- - End Of File - - 11834BE5BAC5D7274B0ABFA834E1D731
D41D8CD98F00B204E9800998ECF8427E

4

Offline Corrine

Re: Pop ups after possible fake adobe update alert
« Reply #5 on: July 17, 2013, 08:45:58 PM »
Thank you.  The file checked out.  :)

Did your niece intentionally install the Smileys We Love Toolbar for IE?  If it came bundled with other software, please uninstall it and let me know so I can include.

Also, if you are planning on uninstalling TuneUp Utilities 2013 and/or MyPCBackup, please do that now and let me know.

If none of the above files are being uninstalled, I'll just have a small script for you to run.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline 4on4off

Re: Pop ups after possible fake adobe update alert
« Reply #6 on: July 17, 2013, 10:55:51 PM »
Hi Corrine,

Sorry for the delay, I had to take a short nap before heading to work tonight. I uninstalled the smiley toolbar, mypcbackup and tuneup utilities.....

Also, when I clicked reply to make this post another ie window popped up again with the bizcoach dot info address at the top...there is always nothing but a small rectangular box saying the following:

"ATTENTION! It is recommended that you download FLV MPlayer to continue."

I am not certain if this is something she has clicked on prior to her issues as well.

4

Offline Corrine

Re: Pop ups after possible fake adobe update alert
« Reply #7 on: July 18, 2013, 12:20:45 AM »
That's fine, 4on4off.  I'm here & gone throughout the day -- preparing meals, running errands, taking the dogs out, at other forums...

I don't know if the box for the FLV Player is from Lyric Sing or not, but I did not find any other indications of the specific .dll in Bing or Google, and the CLSID has been removed as a BHO. Let's see if removing that will solve the problem.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
Folder::
c:\users\Ashley\AppData\Local\getsavin
c:\program files (x86)\LyricSing\122.dll

File::
c:\users\Ashley\AppData\Local\DefineExt\temp.dat

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B3522C04-B9DB-4C57-AA22-929092423BDD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{e4ef8a64-0a30-48f5-b3fe-5fda978da775}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{cf0f43ab-9c23-4d7b-8040-201b82844854}"=-
[-HKEY_CLASSES_ROOT\clsid\{cf0f43ab-9c23-4d7b-8040-201b82844854}]
[-HKEY_CLASSES_ROOT\SmileysWeLoveToolbar.SWLIEToolbar]

  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

Have a good night at work.



Offline 4on4off

Re: Pop ups after possible fake adobe update alert
« Reply #8 on: July 18, 2013, 01:55:35 PM »
Hi Corrine,

Just got home from work. After running combofix I tried using IE but could not navigate anywhere, so I am using chrome to do this. I noticed she has google for her home page and there is always a notice at the bottom for downloading either an update for a player or a missing plugin.... I reset ie to default settings and will restart the computer for it to take effect after posting this.

Here is the combofix log:

ComboFix 13-07-18.02 - Ashley 07/18/2013   7:31.3.4 - x64
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3974.2697 [GMT -7:00]
Running from: c:\users\Ashley\Desktop\ComboFix.exe
Command switches used :: c:\users\Ashley\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Ashley\AppData\Local\DefineExt\temp.dat"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ashley\AppData\Local\DefineExt\temp.dat
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-18 to 2013-07-18  )))))))))))))))))))))))))))))))
.
.
2013-07-18 14:37 . 2013-07-18 14:37   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-07-17 23:38 . 2013-07-17 23:38   --------   d-----w-   c:\program files (x86)\VS Revo Group
2013-07-17 16:25 . 2013-07-17 16:25   252080   ----a-w-   c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10210.bin
2013-07-17 08:07 . 2013-07-17 08:07   --------   d-----w-   c:\windows\ERUNT
2013-07-17 06:51 . 2013-07-17 06:51   173   ----a-w-   c:\windows\DeleteOnReboot.bat
2013-07-17 05:23 . 2013-07-17 16:30   --------   d-----w-   c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-17 04:40 . 2013-07-17 04:40   --------   d-----w-   c:\programdata\Malwarebytes
2013-07-17 04:40 . 2013-07-17 04:40   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2013-07-17 04:40 . 2013-04-04 21:50   25928   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-07-17 04:07 . 2012-07-19 02:00   80216   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-17 04:07 . 2012-07-19 02:00   694616   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-15 18:31 . 2013-07-15 18:31   --------   d-----w-   c:\program files (x86)\LyricSing
2013-07-14 18:51 . 2013-06-24 07:41   78185248   ----a-w-   c:\windows\system32\MRT.exe
2013-07-14 18:50 . 2013-07-14 18:50   --------   d-----w-   c:\programdata\TuneUp Software
2013-07-14 18:50 . 2013-07-14 18:50   --------   d-sh--w-   c:\programdata\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-07-14 18:49 . 2013-07-14 19:16   --------   d-----w-   c:\program files (x86)\SqueekyChocolate, LLC
2013-07-14 18:49 . 2013-07-14 18:49   --------   d-----w-   c:\program files (x86)\Tiny Media Player
2013-07-13 19:18 . 2013-07-13 19:18   --------   d-----w-   c:\program files (x86)\Common Files\Symantec Shared
2013-07-13 19:15 . 2013-07-13 19:15   --------   d-----w-   c:\program files\Paint.NET
2013-07-13 19:14 . 2013-07-17 23:48   --------   d-----w-   c:\program files (x86)\MyPC Backup
2013-07-13 19:13 . 2013-07-13 19:13   45856   ----a-w-   c:\windows\system32\drivers\avgtpx64.sys
2013-07-13 19:13 . 2013-07-13 19:13   --------   d-----w-   c:\programdata\AVG SafeGuard toolbar
2013-07-13 19:13 . 2013-07-13 19:13   --------   d-----w-   c:\program files (x86)\AVG SafeGuard toolbar
2013-07-13 19:12 . 2013-07-13 19:12   --------   d--h--w-   c:\programdata\Common Files
2013-07-13 17:29 . 2013-07-13 19:20   --------   d-----w-   c:\windows\system32\drivers\NISx64\1404000.028
2013-07-13 03:16 . 2012-11-10 04:22   122880   ----a-w-   c:\windows\system32\VmHostAI.dll
2013-07-13 03:16 . 2012-11-10 04:22   144384   ----a-w-   c:\windows\system32\tssdisai.dll
2013-07-13 03:16 . 2012-11-10 04:22   126976   ----a-w-   c:\windows\system32\RDWebAI.dll
2013-07-13 03:16 . 2012-11-10 04:20   135680   ----a-w-   c:\windows\system32\appserverai.dll
2013-07-13 03:16 . 2012-11-10 04:23   132608   ----a-w-   c:\windows\SysWow64\poqexec.exe
2013-07-13 03:16 . 2012-11-10 04:23   148480   ----a-w-   c:\windows\system32\poqexec.exe
2013-07-13 03:08 . 2012-11-01 04:40   2361344   ----a-w-   c:\windows\system32\msxml6.dll
2013-07-13 03:08 . 2012-11-01 04:41   1802240   ----a-w-   c:\windows\SysWow64\msxml6.dll
2013-07-13 03:08 . 2012-11-01 04:41   1438720   ----a-w-   c:\windows\SysWow64\msxml3.dll
2013-07-13 03:08 . 2012-11-01 04:40   1836032   ----a-w-   c:\windows\system32\msxml3.dll
2013-07-13 03:08 . 2012-11-01 04:21   2048   ----a-w-   c:\windows\system32\msxml6r.dll
2013-07-13 03:08 . 2012-11-01 04:21   2048   ----a-w-   c:\windows\system32\msxml3r.dll
2013-07-13 03:08 . 2012-11-01 04:20   2048   ----a-w-   c:\windows\SysWow64\msxml6r.dll
2013-07-13 03:08 . 2012-11-01 04:20   2048   ----a-w-   c:\windows\SysWow64\msxml3r.dll
2013-07-12 17:18 . 2013-07-12 17:18   50784   ----a-w-   c:\programdata\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-07-12 17:18 . 2013-07-12 17:18   17536   ----a-w-   c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----w-   c:\program files (x86)\Common Files\Skype
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----r-   c:\program files (x86)\Skype
2013-07-12 07:02 . 2013-07-12 07:02   --------   d-----w-   c:\programdata\Skype
2013-07-12 06:58 . 2013-07-12 06:58   --------   d-----w-   c:\program files (x86)\Common Files\xing shared
2013-07-12 06:57 . 2013-07-12 06:58   --------   d-----w-   c:\program files (x86)\Real
2013-07-12 06:57 . 2013-07-12 06:57   --------   d-----w-   c:\program files (x86)\Google
2013-07-12 02:40 . 2013-07-12 02:45   --------   d-----w-   c:\users\Ashley
2013-07-12 02:33 . 2013-07-13 21:27   --------   d--h--r-   c:\users\Public\AccountPictures
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-13 19:21 . 2012-07-26 08:13   22240   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-07-13 17:31 . 2012-09-02 04:43   177312   ----a-w-   c:\windows\system32\drivers\SYMEVENT64x86.SYS
2013-07-12 06:57 . 2012-09-02 04:37   499712   ----a-w-   c:\windows\SysWow64\msvcp71.dll
2013-07-12 06:57 . 2012-09-02 04:37   348160   ----a-w-   c:\windows\SysWow64\msvcr71.dll
2013-05-17 02:12 . 2013-05-17 02:12   351984   ----a-w-   c:\windows\SysWow64\SynCom.dll
2013-05-17 02:12 . 2012-09-02 05:12   819440   ----a-w-   c:\windows\system32\SynCOM.dll
2013-05-17 02:12 . 2013-05-17 02:12   524016   ----a-w-   c:\windows\system32\drivers\SynTP.sys
2013-05-17 02:12 . 2013-05-17 02:12   192240   ----a-w-   c:\windows\system32\SynTPCo19.dll
2013-05-17 02:12 . 2013-05-17 02:12   151280   ----a-w-   c:\windows\SysWow64\SynTPCom.dll
2013-05-17 02:12 . 2013-05-17 02:12   264432   ----a-w-   c:\windows\system32\SynTPAPI.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B3522C04-B9DB-4C57-AA22-929092423BDD}]
c:\users\Ashley\AppData\Local\getsavin\ie\getsavin_1373612341.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{e4ef8a64-0a30-48f5-b3fe-5fda978da775}]
c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A}]
2013-07-15 00:10   185856   ----a-w-   c:\program files (x86)\LyricSing\122.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-03-01 18642024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CLVirtualDrive"="c:\program files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" [2012-07-26 491320]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2012-03-29 91432]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-07-09 580512]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2013-07-12 295512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe

R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe

R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsP2Stor.sys

R3 SmbDrv;SmbDrv;c:\windows\System32\drivers\Smb_driver_AMDASF.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_AMDASF.sys

R4 SymELAM;Symantec ELAM Driver;c:\windows\system32\drivers\NISx64\1404000.028\SymELAM.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SymELAM.sys

S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys

S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe

S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe

S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

S3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130715.001\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130715.001\BHDrvx64.sys

S3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\ccSetx64.sys

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

S3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130716.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130716.001\IDSvia64.sys

S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys

S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys

S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys

S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys

S3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1404000.028\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMDS64.SYS

S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1404000.028\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMEFA64.SYS

S3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\Ironx64.SYS

S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1404000.028\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1404000.028\SYMNETS.SYS

S3 WirelessButtonDriver;HP Wireless Button Driver Service;c:\windows\System32\drivers\WirelessButtonDriver64.sys;c:\windows\SYSNATIVE\drivers\WirelessButtonDriver64.sys

.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
apphost   REG_MULTI_SZ      apphostsvc
iissvcs   REG_MULTI_SZ      w3svc was
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 04:33   1173456   ----a-w-   c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-12 19:56]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-12 06:57]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-07-12 06:57]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1886273126-1053659535-1430386885-1001Core.job
- c:\users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-14 07:02]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1886273126-1053659535-1430386885-1001UA.job
- c:\users\Ashley\AppData\Local\Google\Update\GoogleUpdate.exe [2013-07-14 07:02]
.
2013-07-18 c:\windows\Tasks\LyricsSing Update.job
- c:\program files (x86)\LyricSing\lSing.exe [2013-07-15 00:10]
.
2013-07-16 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\windows\system32\rundll32.exe [2012-07-26 03:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-08-09 170304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-08-09 398656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-08-09 440640]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - c:\users\Ashley\AppData\Local\DefineExt\temp.dat
AddRemove-GetSavin - c:\users\Ashley\AppData\Local\getsavin\uninst.exe
AddRemove-Savings Explorer - c:\program files (x86)\Savings Explorer\Uninstall.exe
AddRemove-{B8019B54-F9BE-490A-9619-6D06F18F129F} - c:\program files (x86)\InstallShield Installation Information\{B8019B54-F9BE-490A-9619-6D06F18F129F}\setup.exe
AddRemove-{C547F361-5750-4CD1-9FB6-BC93827CB6C1} - c:\program files (x86)\ParetoLogic\RegCure Pro\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2013-07-18  07:39:46
ComboFix-quarantined-files.txt  2013-07-18 14:39
ComboFix2.txt  2013-07-17 20:08
ComboFix3.txt  2013-07-17 17:51
.
Pre-Run: 422,632,075,264 bytes free
Post-Run: 422,262,693,888 bytes free
.
- - End Of File - - 93B01E661E7AE75C8A9874179FCAC86F
D41D8CD98F00B204E9800998ECF8427E


Thank you.

4

Offline 4on4off

Re: Pop ups after possible fake adobe update alert
« Reply #9 on: July 18, 2013, 02:52:16 PM »
After resetting ie to defaults and restarting the laptop I am able to navigate with ie now. Upon the restart the screen was blank and I got a message saying that lyric sing was not responding, I restarted and it came up okay.

I still get the ie window that pops up with the biz coaching . info redirect wanting me to install the player. I didn't want to paste the address but I found a link to the same issue over at bleeping when doing a search.

http://www.bleepingcomputer.com/forums/t/499939/infected-with-bizcoachinginfo-redirects-and-popups-in-all-browsers/

The biz coaching .info link in the above thread looks to be the same that I am experiencing.

This appears only to be happening in ie10 as I have tried browsing in chrome a little bit and it has not come up.

I might pass out soon since I just got home from work but I will be up in a few hours if that happens.

4


Offline Corrine

Re: Pop ups after possible fake adobe update alert
« Reply #10 on: July 18, 2013, 04:03:39 PM »
I'll be out for a while as I have errands and an appointment.  Sleep well! 

Please do the following to remove Bizcoaching from IE:

-- Launch Internet Explorer and click on Tools (upper right).
-- Select the option Manage add-ons from the drop-down list.
-- Click on the option Toolbars and Extensions on left side of the window.
-- Click Bizcoaching.info to highlight and then click Remove.  (Do the same for any other items you wish to remove.)

What I don't like is the continued re-appearance of BHOs that show as having been removed.  Let's see if an updated MBAM scan finds something else.

  • Launch Malwarebytes' Anti-Malware then click the Update tab and "Check for Updates"
  • Once the update has been installed and the program has loaded, select Quick scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.
** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



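An added check for the point Corrine raises above about BHOs that keep reappearing (this is example code written for this page, not part of her instructions and not ComboFix's or Malwarebytes' own tooling): the script below reads the Registry:: section of the CFScript from Reply #7 and the "Reg Loading Points" section of the ComboFix log from Reply #8, both excerpted inline as constructed sample input, and lists the BHO CLSIDs that were targeted for removal yet still show up as loading points after the run. It also flags BHO DLLs that live under a user's AppData folder, the pattern the getsavin entry shows. The function names, the regexes and the `[BU]`-suffix handling are this example's own assumptions about the log layout seen in the thread.

```python
"""Cross-check a ComboFix CFScript against the post-run ComboFix log.

Constructed example for this thread: CFSCRIPT and COMBOFIX_LOG below are
excerpts of the posts above; the parsing logic is this example's own.
"""
import re

# Constructed sample input: the CFScript posted in Reply #7.
CFSCRIPT = r"""Folder::
c:\users\Ashley\AppData\Local\getsavin
c:\program files (x86)\LyricSing\122.dll

File::
c:\users\Ashley\AppData\Local\DefineExt\temp.dat

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B3522C04-B9DB-4C57-AA22-929092423BDD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{e4ef8a64-0a30-48f5-b3fe-5fda978da775}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{cf0f43ab-9c23-4d7b-8040-201b82844854}"=-
[-HKEY_CLASSES_ROOT\clsid\{cf0f43ab-9c23-4d7b-8040-201b82844854}]
[-HKEY_CLASSES_ROOT\SmileysWeLoveToolbar.SWLIEToolbar]
"""

# Constructed sample input: excerpt of the ComboFix log posted in Reply #8.
COMBOFIX_LOG = r"""(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{B3522C04-B9DB-4C57-AA22-929092423BDD}]
c:\users\Ashley\AppData\Local\getsavin\ie\getsavin_1373612341.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{e4ef8a64-0a30-48f5-b3fe-5fda978da775}]
c:\program files (x86)\SqueekyChocolate, LLC\Smileys We Love Toolbar for IE\adxloader.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{F2D7DFB7-6D91-4BD7-846E-BEF9BC3BD81A}]
2013-07-15 00:10   185856   ----a-w-   c:\program files (x86)\LyricSing\122.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-03-01 18642024]
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - c:\users\Ashley\AppData\Local\DefineExt\temp.dat
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BHO_KEY = "browser helper objects"
# Path on a loading-point line, with ComboFix's trailing "[BU]"-style tag dropped.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?)(?:\s+\[[A-Z]+\])?\s*$")


def cfscript_bho_removals(script):
    """CLSIDs of BHO keys the CFScript deletes ('[-HKEY...]' lines under Registry::)."""
    found = set()
    in_registry = False
    for line in script.splitlines():
        s = line.strip()
        if s.endswith("::"):                      # section marker: Folder::, File::, Registry::
            in_registry = (s == "Registry::")
            continue
        if in_registry and s.startswith("[-") and BHO_KEY in s.lower():
            m = CLSID_RE.search(s)
            if m:
                found.add(m.group(0).lower())     # CLSIDs compare case-insensitively
    return found


def combofix_loaded_bhos(log):
    """Map CLSID -> DLL path for every BHO key ComboFix still lists as a loading point."""
    lines = log.splitlines()
    bhos = {}
    for i, line in enumerate(lines):
        s = line.strip()
        if not (s.startswith("[HKEY") and BHO_KEY in s.lower()):
            continue
        m = CLSID_RE.search(s)
        if not m:
            continue
        path = ""
        for nxt in lines[i + 1:]:                 # first real line after the key is the module
            nxt = nxt.strip()
            if not nxt or nxt == ".":
                continue
            if not nxt.startswith("["):
                pm = PATH_RE.search(nxt)
                path = pm.group(1) if pm else nxt
            break
        bhos[m.group(0).lower()] = path
    return bhos


def in_user_profile(path):
    """True when a BHO DLL lives under a user's AppData rather than Program Files."""
    p = path.lower()
    return "\\users\\" in p and "\\appdata\\" in p


def reappearing_bhos(script, log):
    """(clsid, path, user_profile_flag) for BHOs the script removed that are back after the run."""
    loaded = combofix_loaded_bhos(log)
    return [(c, loaded[c], in_user_profile(loaded[c]))
            for c in sorted(cfscript_bho_removals(script)) if c in loaded]


if __name__ == "__main__":
    for clsid, path, user_dir in reappearing_bhos(CFSCRIPT, COMBOFIX_LOG):
        print(f"{clsid}  {path}  {'<- user profile' if user_dir else ''}")
```

Run against the two excerpts it reports three of the four targeted BHOs as still loaded (getsavin, the Smileys toolbar and LyricSing's 122.dll), which matches what the thread goes on to find: the installers that own those DLLs have to be uninstalled, not just their registry keys deleted.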
Offline 4on4off

Re: Pop ups after possible fake adobe update alert
« Reply #11 on: July 18, 2013, 06:58:59 PM »
Hi Corrine,

I woke up for a few minutes. I could not find the biz coaching add on via the manage add on route in ie. I did see other things like the smiley tool bar and lyric sing and what not but anything I highlighted did not have an option to remove.

I went ahead and uninstalled lyric sing via the control panel along with avg, Norton, getsavin and another item I can't remember the name of associated with ads regarding searching for savings. During this time I have not seen the biz coach pop up as of yet.

Here is the mbam quick scan log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.18.05

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16635
Ashley :: SKAIA [administrator]

7/18/2013 12:51:11 PM
mbam-log-2013-07-18 (12-51-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213892
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Going for another nap.

4

Offline Corrine

Re: Pop ups after possible fake adobe update alert
« Reply #12 on: July 18, 2013, 07:07:53 PM »
When you get a chance, please post fresh DDS logs.  (I had my eyes dilated so will want to wait until later or tomorrow to look at the logs.)



Offline 4on4off

Re: Pop ups after possible fake adobe update alert
« Reply #13 on: July 18, 2013, 07:18:30 PM »
Ha. I took a peek just before laying back down and see you responded.

Here are the DDS logs:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537
Run by Ashley at 13:12:31 on 2013-07-18
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3974.3069 [GMT -7:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostex.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: GetSavin 5.0: {B3522C04-B9DB-4C57-AA22-929092423BDD} -
BHO: Define: {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} -
BHO: SmileysWeLoveToolbar: {e4ef8a64-0a30-48f5-b3fe-5fda978da775} -
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [CLVirtualDrive] "C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" /R
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{69B7796B-5749-4307-8762-6E63F23AFC94} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{69B7796B-5749-4307-8762-6E63F23AFC94}\F46666963656534376 : DHCPNameServer = 192.168.2.1 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-mPolicies-Explorer: NoDrives = dword:0
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2012-7-31 645952]
R1 CLVirtualDrive;CLVirtualDrive;C:\Windows\System32\Drivers\CLVirtualDrive.sys [2012-9-1 92536]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-9-1 98208]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-8-10 85504]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-7-9 35232]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe [2012-9-1 165760]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-4-16 39056]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-9-1 364416]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\Drivers\IntcDAud.sys [2012-6-19 342528]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\Drivers\netr28x.sys [2013-4-15 2482960]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2012-9-1 683664]
R3 SmbDrvI;SmbDrvI;C:\Windows\System32\Drivers\Smb_driver_Intel.sys [2012-9-1 43832]
R3 WirelessButtonDriver;HP Wireless Button Driver Service;C:\Windows\System32\Drivers\WirelessButtonDriver64.sys [2012-8-3 20288]
RUnknown EraserUtilRebootDrv;EraserUtilRebootDrv;

RUnknown SymIRON;SymIRON;

RUnknown SymNetS;SymNetS;

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe --> C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\Windows\System32\Drivers\RtsP2Stor.sys [2012-9-1 266896]
S3 SmbDrv;SmbDrv;C:\Windows\System32\Drivers\Smb_driver_AMDASF.sys [2012-9-1 41272]
.
=============== Created Last 30 ================
.
2013-07-18 15:22:02   78200   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-18 15:22:02   693112   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-18 14:45:26   --------   d-sh--w-   C:\$RECYCLE.BIN
2013-07-18 14:39:48   --------   d-----w-   C:\Users\Ashley\AppData\Local\temp
2013-07-17 23:45:29   2367528   ----a-w-   C:\Windows\System32\WSService.dll
2013-07-17 23:45:20   3265256   ----a-w-   C:\Windows\System32\drivers\evbda.sys
2013-07-17 23:45:09   2397184   ----a-w-   C:\Windows\System32\WpcMon.exe
2013-07-17 23:45:04   3847168   ----a-w-   C:\Windows\System32\d2d1.dll
2013-07-17 23:45:02   3964416   ----a-w-   C:\Windows\System32\WinSAT.exe
2013-07-17 23:43:45   301568   ----a-w-   C:\Windows\System32\newdev.dll
2013-07-17 23:43:44   76288   ----a-w-   C:\Windows\System32\newdev.exe
2013-07-17 23:43:44   75264   ----a-w-   C:\Windows\System32\ndadmin.exe
2013-07-17 23:43:44   74240   ----a-w-   C:\Windows\SysWow64\newdev.exe
2013-07-17 23:43:44   73728   ----a-w-   C:\Windows\SysWow64\ndadmin.exe
2013-07-17 23:43:44   275968   ----a-w-   C:\Windows\SysWow64\newdev.dll
2013-07-17 23:43:43   68608   ----a-w-   C:\Windows\System32\wwanprotdim.dll
2013-07-17 23:38:05   --------   d-----w-   C:\Program Files (x86)\VS Revo Group
2013-07-17 19:59:02   929792   ----a-w-   C:\Windows\SysWow64\mfnetsrc.dll
2013-07-17 19:59:02   677888   ----a-w-   C:\Windows\System32\mfnetcore.dll
2013-07-17 19:59:02   673280   ----a-w-   C:\Windows\System32\mfmpeg2srcsnk.dll
2013-07-17 19:59:02   568832   ----a-w-   C:\Windows\SysWow64\mfnetcore.dll
2013-07-17 19:59:02   513024   ----a-w-   C:\Windows\SysWow64\mfmpeg2srcsnk.dll
2013-07-17 19:59:02   1172992   ----a-w-   C:\Windows\System32\mfnetsrc.dll
2013-07-17 19:58:43   82944   ----a-w-   C:\Windows\SysWow64\dskquota.dll
2013-07-17 19:58:43   109568   ----a-w-   C:\Windows\System32\dskquota.dll
2013-07-17 19:50:25   368640   ----a-w-   C:\Windows\System32\sppwinob.dll
2013-07-17 19:48:49   7168   ----a-w-   C:\Windows\System32\KBDKURD.DLL
2013-07-17 19:47:59   93696   ----a-w-   C:\Windows\SysWow64\WcnApi.dll
2013-07-17 19:46:29   144384   ----a-w-   C:\Windows\System32\tssdisai.dll
2013-07-17 17:40:21   98816   ----a-w-   C:\Windows\sed.exe
2013-07-17 17:40:21   256000   ----a-w-   C:\Windows\PEV.exe
2013-07-17 17:40:21   208896   ----a-w-   C:\Windows\MBR.exe
2013-07-17 16:25:02   252080   ----a-w-   C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10210.bin
2013-07-17 08:07:58   --------   d-----w-   C:\Windows\ERUNT
2013-07-17 06:51:07   173   ----a-w-   C:\Windows\DeleteOnReboot.bat
2013-07-17 05:23:26   --------   d-----w-   C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-17 04:40:40   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\Malwarebytes
2013-07-17 04:40:31   --------   d-----w-   C:\ProgramData\Malwarebytes
2013-07-17 04:40:30   25928   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2013-07-17 04:40:30   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-17 04:40:11   --------   d-----w-   C:\Users\Ashley\AppData\Local\Programs
2013-07-17 03:39:44   --------   d-----w-   C:\Windows\pss
2013-07-15 02:40:36   --------   d-----w-   C:\Users\Ashley\AppData\Local\CyberLink
2013-07-14 18:56:24   16114176   ----a-w-   C:\Program Files\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2013-07-14 18:56:23   15541248   ----a-w-   C:\Program Files (x86)\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2013-07-14 18:50:33   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\TuneUp Software
2013-07-14 18:50:22   --------   d-----w-   C:\ProgramData\TuneUp Software
2013-07-14 18:50:14   --------   d-sh--w-   C:\ProgramData\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-07-14 18:49:28   --------   d-----w-   C:\Program Files (x86)\SqueekyChocolate, LLC
2013-07-14 18:49:01   --------   d-----w-   C:\Program Files (x86)\Tiny Media Player
2013-07-14 18:44:32   --------   d-----w-   C:\Users\Ashley\AppData\Local\Pokki
2013-07-14 18:42:17   --------   d-----w-   C:\Users\Ashley\AppData\Local\Updater21058
2013-07-14 18:41:08   --------   d-----w-   C:\Users\Ashley\AppData\Local\CRE
2013-07-14 02:37:13   17888   ----a-w-   C:\Windows\System32\msvcr100_clr0400.dll
2013-07-14 02:37:11   17888   ----a-w-   C:\Windows\SysWow64\msvcr100_clr0400.dll
2013-07-14 02:33:43   888320   ----a-w-   C:\Windows\System32\autochk.exe
2013-07-14 02:32:52   1300992   ----a-w-   C:\Windows\System32\gdi32.dll
2013-07-14 02:32:52   1022464   ----a-w-   C:\Windows\SysWow64\gdi32.dll
2013-07-14 02:26:58   94208   ----a-w-   C:\Windows\SysWow64\mssitlb.dll
2013-07-13 19:18:39   --------   d-----w-   C:\Program Files (x86)\Common Files\Symantec Shared
2013-07-13 19:15:05   --------   d-----w-   C:\Program Files\Paint.NET
2013-07-13 19:14:32   --------   d-----w-   C:\Program Files (x86)\MyPC Backup
2013-07-13 19:14:15   --------   d-----w-   C:\Users\Ashley\AppData\Local\AVG SafeGuard toolbar
2013-07-13 19:13:51   45856   ----a-w-   C:\Windows\System32\drivers\avgtpx64.sys
2013-07-13 19:13:41   --------   d-----w-   C:\ProgramData\AVG SafeGuard toolbar
2013-07-13 19:13:34   --------   d-----w-   C:\Users\Ashley\AppData\Local\Paint.NET
2013-07-13 19:12:43   --------   d--h--w-   C:\ProgramData\Common Files
2013-07-13 03:31:19   405504   ----a-w-   C:\Windows\System32\pcasvc.dll
2013-07-13 03:31:19   31232   ----a-w-   C:\Windows\System32\pcadm.dll
2013-07-13 03:31:19   13312   ----a-w-   C:\Windows\System32\pcalua.exe
2013-07-13 03:31:19   11776   ----a-w-   C:\Windows\System32\pcaevts.dll
2013-07-13 03:25:27   945152   ----a-w-   C:\Windows\System32\resetengmig.dll
2013-07-13 03:25:27   443392   ----a-w-   C:\Windows\System32\ReAgent.dll
2013-07-13 03:25:27   375808   ----a-w-   C:\Windows\SysWow64\ReAgent.dll
2013-07-13 03:25:27   2382336   ----a-w-   C:\Windows\SysWow64\esent.dll
2013-07-13 03:25:27   132096   ----a-w-   C:\Windows\System32\sysreset.exe
2013-07-13 03:25:27   1011200   ----a-w-   C:\Windows\System32\reseteng.dll
2013-07-13 03:25:26   2851840   ----a-w-   C:\Windows\System32\esent.dll
2013-07-13 03:16:20   2035200   ----a-w-   C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
2013-07-13 03:16:19   1617920   ----a-w-   C:\Program Files\Windows Journal\NBDoc.DLL
2013-07-13 03:16:19   1306112   ----a-w-   C:\Program Files\Windows Journal\JNTFiltr.dll
2013-07-13 03:16:19   1272320   ----a-w-   C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-13 03:16:18   1413632   ----a-w-   C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll
2013-07-13 03:16:18   1318912   ----a-w-   C:\Program Files\Windows Journal\JNWDRV.dll
2013-07-13 03:16:18   1029632   ----a-w-   C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\journal.dll
2013-07-13 03:16:17   1455368   ----a-w-   C:\Windows\System32\drivers\dxgkrnl.sys
2013-07-13 03:16:07   135680   ----a-w-   C:\Windows\System32\appserverai.dll
2013-07-13 03:16:07   126976   ----a-w-   C:\Windows\System32\RDWebAI.dll
2013-07-13 03:16:07   122880   ----a-w-   C:\Windows\System32\VmHostAI.dll
2013-07-13 03:16:06   148480   ----a-w-   C:\Windows\System32\poqexec.exe
2013-07-13 03:16:06   132608   ----a-w-   C:\Windows\SysWow64\poqexec.exe
2013-07-13 03:14:57   595968   ----a-w-   C:\Windows\System32\qedit.dll
2013-07-13 03:13:32   733184   ----a-w-   C:\Windows\System32\win32spl.dll
2013-07-13 03:12:42   1558912   ----a-w-   C:\Program Files\Windows Defender\DbgHelp.dll
2013-07-13 03:08:59   2361344   ----a-w-   C:\Windows\System32\msxml6.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\SysWow64\msxml6r.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\SysWow64\msxml3r.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\System32\msxml6r.dll
2013-07-13 03:08:58   2048   ----a-w-   C:\Windows\System32\msxml3r.dll
2013-07-13 03:08:58   1836032   ----a-w-   C:\Windows\System32\msxml3.dll
2013-07-13 03:08:58   1802240   ----a-w-   C:\Windows\SysWow64\msxml6.dll
2013-07-13 03:08:58   1438720   ----a-w-   C:\Windows\SysWow64\msxml3.dll
2013-07-12 19:55:19   --------   d-----w-   C:\Users\Ashley\AppData\Local\Adobe
2013-07-12 19:47:04   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\hpqlog
2013-07-12 17:18:32   50784   ----a-w-   C:\ProgramData\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-07-12 17:18:30   17536   ----a-w-   C:\ProgramData\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-07-12 07:02:49   --------   d-----r-   C:\Program Files (x86)\Skype
2013-07-12 07:00:53   --------   d-----w-   C:\Users\Ashley\AppData\Local\DefineExt
2013-07-12 06:58:54   --------   d-----w-   C:\Users\Ashley\AppData\Local\Real
2013-07-12 06:58:47   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\RealNetworks
2013-07-12 06:58:21   --------   d-----w-   C:\Program Files (x86)\RealNetworks
2013-07-12 06:58:19   --------   d-----w-   C:\ProgramData\RealNetworks
2013-07-12 06:58:09   --------   d-----w-   C:\Program Files (x86)\Common Files\xing shared
2013-07-12 06:57:24   --------   d-----w-   C:\Users\Ashley\AppData\Local\Google
2013-07-12 04:02:36   --------   d-----w-   C:\Users\Ashley\AppData\Local\ElevatedDiagnostics
2013-07-12 04:02:14   --------   d-----w-   C:\Users\Ashley\AppData\Local\Hewlett-Packard
2013-07-12 02:54:40   --------   d-----w-   C:\Users\Ashley\AppData\Local\CrashDumps
2013-07-12 02:54:21   --------   d-----w-   C:\Users\Ashley\AppData\Local\Diagnostics
2013-07-12 02:45:04   --------   d-----r-   C:\Users\Ashley\Searches
2013-07-12 02:45:04   --------   d-----r-   C:\Users\Ashley\Contacts
2013-07-12 02:43:14   --------   d-----w-   C:\Users\Ashley\AppData\Roaming\Synaptics
2013-07-12 02:43:07   --------   d-----w-   C:\Users\Ashley\AppData\Local\Power2Go8
2013-07-12 02:42:46   --------   d-----w-   C:\Users\Ashley\AppData\Local\VirtualStore
2013-07-12 02:42:30   --------   d-----w-   C:\Users\Ashley\AppData\Local\Packages
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Videos
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Saved Games
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Pictures
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Music
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Links
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Downloads
2013-07-12 02:40:54   --------   d-----r-   C:\Users\Ashley\Documents
.
==================== Find3M  ====================
.
2013-07-12 06:57:57   499712   ----a-w-   C:\Windows\SysWow64\msvcp71.dll
2013-07-12 06:57:57   348160   ----a-w-   C:\Windows\SysWow64\msvcr71.dll
2013-06-16 22:41:31   997632   ----a-w-   C:\Windows\System32\drivers\ndis.sys
2013-06-11 23:43:37   1767936   ----a-w-   C:\Windows\SysWow64\wininet.dll
2013-06-11 23:43:00   2877440   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2013-06-11 23:26:20   2241024   ----a-w-   C:\Windows\System32\wininet.dll
2013-06-11 23:25:16   3958784   ----a-w-   C:\Windows\System32\jscript9.dll
2013-06-01 11:54:16   194816   ----a-w-   C:\Windows\System32\drivers\sdbus.sys
2013-06-01 11:54:10   125184   ----a-w-   C:\Windows\System32\drivers\dumpsd.sys
2013-06-01 11:34:21   2391280   ----a-w-   C:\Windows\explorer.exe
2013-06-01 11:33:13   2233600   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2013-06-01 11:29:35   337152   ----a-w-   C:\Windows\System32\drivers\USBXHCI.SYS
2013-06-01 11:29:35   213248   ----a-w-   C:\Windows\System32\drivers\UCX01000.SYS
2013-06-01 11:26:33   327936   ----a-w-   C:\Windows\System32\drivers\volsnap.sys
2013-06-01 11:26:31   6987008   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2013-06-01 10:24:46   2106176   ----a-w-   C:\Windows\SysWow64\explorer.exe
2013-06-01 09:25:52   364544   ----a-w-   C:\Windows\SysWow64\XpsGdiConverter.dll
2013-06-01 09:25:05   67584   ----a-w-   C:\Windows\SysWow64\samlib.dll
2013-06-01 09:25:03   496640   ----a-w-   C:\Windows\SysWow64\qedit.dll
2013-06-01 09:24:19   493056   ----a-w-   C:\Windows\SysWow64\mscms.dll
2013-06-01 09:24:09   850944   ----a-w-   C:\Windows\SysWow64\mfasfsrcsnk.dll
2013-06-01 09:24:09   1453568   ----a-w-   C:\Windows\SysWow64\mfcore.dll
2013-06-01 09:23:46   1842176   ----a-w-   C:\Windows\SysWow64\dwmcore.dll
2013-06-01 09:23:06   680960   ----a-w-   C:\Windows\System32\vds.exe
2013-06-01 09:22:47   80896   ----a-w-   C:\Windows\System32\MbaeParserTask.exe
2013-06-01 09:22:33   523264   ----a-w-   C:\Windows\System32\XpsGdiConverter.dll
2013-06-01 09:22:33   446976   ----a-w-   C:\Windows\System32\wwansvc.dll
2013-06-01 09:22:09   190976   ----a-w-   C:\Windows\System32\vdsutil.dll
2013-06-01 09:21:39   729600   ----a-w-   C:\Windows\System32\samsrv.dll
2013-06-01 09:21:39   106496   ----a-w-   C:\Windows\System32\samlib.dll
2013-06-01 09:20:45   583168   ----a-w-   C:\Windows\System32\mscms.dll
2013-06-01 09:20:34   1527808   ----a-w-   C:\Windows\System32\mfcore.dll
2013-06-01 09:20:34   1048576   ----a-w-   C:\Windows\System32\mfasfsrcsnk.dll
2013-06-01 09:20:04   2219520   ----a-w-   C:\Windows\System32\dwmcore.dll
2013-06-01 09:19:58   207872   ----a-w-   C:\Windows\System32\DeviceSetupManager.dll
2013-06-01 09:19:42   785408   ----a-w-   C:\Windows\System32\audiosrv.dll
2013-06-01 03:08:57   37632   ----a-w-   C:\Windows\System32\drivers\BthAvrcpTg.sys
2013-05-30 23:14:23   4036096   ----a-w-   C:\Windows\System32\win32k.sys
2013-05-24 22:09:20   1403296   ----a-w-   C:\Windows\System32\winload.efi
2013-05-24 22:09:20   1271584   ----a-w-   C:\Windows\System32\winload.exe
2013-05-24 22:09:20   1217352   ----a-w-   C:\Windows\System32\winresume.efi
2013-05-24 22:09:20   1093904   ----a-w-   C:\Windows\System32\winresume.exe
2013-05-17 02:12:26   819440   ----a-w-   C:\Windows\System32\SynCOM.dll
2013-05-17 02:12:26   351984   ----a-w-   C:\Windows\SysWow64\SynCom.dll
2013-05-17 02:12:22   524016   ----a-w-   C:\Windows\System32\drivers\SynTP.sys
2013-05-17 02:12:22   192240   ----a-w-   C:\Windows\System32\SynTPCo19.dll
2013-05-17 02:12:22   151280   ----a-w-   C:\Windows\SysWow64\SynTPCom.dll
2013-05-17 02:12:20   264432   ----a-w-   C:\Windows\System32\SynTPAPI.dll
2013-05-15 22:37:03   44032   ----a-w-   C:\Windows\SysWow64\UXInit.dll
2013-05-15 22:35:49   53760   ----a-w-   C:\Windows\System32\UXInit.dll
2013-05-15 02:25:44   542208   ----a-w-   C:\Windows\System32\untfs.dll
2013-05-15 02:24:10   793088   ----a-w-   C:\Windows\SysWow64\autochk.exe
2013-05-15 02:24:01   482816   ----a-w-   C:\Windows\SysWow64\untfs.dll
2013-05-14 13:14:01   2706432   ----a-w-   C:\Windows\System32\mshtml.tlb
2013-05-14 09:23:31   2706432   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2013-05-04 07:58:17   120736   ----a-w-   C:\Windows\System32\AuthHost.exe
2013-05-04 07:34:17   446720   ----a-w-   C:\Windows\System32\drivers\USBHUB3.SYS
2013-05-04 07:34:15   284416   ----a-w-   C:\Windows\System32\drivers\spaceport.sys
2013-05-04 06:59:56   39424   ----a-w-   C:\Windows\System32\wuapp.exe
2013-05-04 06:59:51   1483776   ----a-w-   C:\Windows\System32\VSSVC.exe
2013-05-04 06:59:36   812544   ----a-w-   C:\Windows\System32\Magnify.exe
2013-05-04 06:59:25   98304   ----a-w-   C:\Windows\System32\wudriver.dll
2013-05-04 06:59:25   251904   ----a-w-   C:\Windows\System32\WUSettingsProvider.dll
2013-05-04 06:59:25   141824   ----a-w-   C:\Windows\System32\wuwebv.dll
2013-05-04 06:59:24   1619968   ----a-w-   C:\Windows\System32\wucltux.dll
2013-05-04 06:59:21   2842112   ----a-w-   C:\Windows\System32\WMVDECOD.DLL
2013-05-04 06:59:08   13644288   ----a-w-   C:\Windows\System32\Windows.UI.Xaml.dll
2013-05-04 06:58:54   328192   ----a-w-   C:\Windows\System32\ubpm.dll
2013-05-04 06:58:54   10116096   ----a-w-   C:\Windows\System32\twinui.dll
2013-05-04 06:58:49   173568   ----a-w-   C:\Windows\System32\storewuauth.dll
2013-05-04 06:58:49   1332736   ----a-w-   C:\Windows\System32\sysmain.dll
2013-05-04 06:58:48   330240   ----a-w-   C:\Windows\System32\stobject.dll
2013-05-04 06:58:28   93696   ----a-w-   C:\Windows\System32\psmsrv.dll
2013-05-04 06:58:02   470528   ----a-w-   C:\Windows\System32\netprofmsvc.dll
2013-05-04 06:58:02   151552   ----a-w-   C:\Windows\System32\netprofm.dll
2013-05-04 06:58:01   169984   ----a-w-   C:\Windows\System32\netplwiz.dll
2013-05-04 06:57:59   17408   ----a-w-   C:\Windows\System32\muifontsetup.dll
2013-05-04 06:57:46   560640   ----a-w-   C:\Windows\System32\mfmp4srcsnk.dll
2013-05-04 06:57:15   501760   ----a-w-   C:\Windows\System32\DevicePairing.dll
2013-05-04 06:57:05   179712   ----a-w-   C:\Windows\System32\bisrv.dll
2013-05-04 06:57:05   122368   ----a-w-   C:\Windows\System32\biwinrt.dll
2013-05-04 06:57:04   389120   ----a-w-   C:\Windows\System32\BCP47Langs.dll
2013-05-04 06:57:04   2305024   ----a-w-   C:\Windows\System32\authui.dll
2013-05-04 06:57:00   708096   ----a-w-   C:\Windows\System32\AppXDeploymentExtensions.dll
2013-05-04 06:57:00   1131520   ----a-w-   C:\Windows\System32\AppXDeploymentServer.dll
2013-05-04 06:56:53   419840   ----a-w-   C:\Windows\System32\intl.cpl
2013-05-04 04:58:34   34304   ----a-w-   C:\Windows\SysWow64\wuapp.exe
2013-05-04 04:58:14   758784   ----a-w-   C:\Windows\SysWow64\Magnify.exe
2013-05-04 04:58:02   83968   ----a-w-   C:\Windows\SysWow64\wudriver.dll
2013-05-04 04:58:02   125952   ----a-w-   C:\Windows\SysWow64\wuwebv.dll
2013-05-04 04:57:58   2620928   ----a-w-   C:\Windows\SysWow64\WMVDECOD.DLL
2013-05-04 04:57:49   10788864   ----a-w-   C:\Windows\SysWow64\Windows.UI.Xaml.dll
2013-05-04 04:57:39   8857088   ----a-w-   C:\Windows\SysWow64\twinui.dll
2013-05-04 04:57:39   247296   ----a-w-   C:\Windows\SysWow64\ubpm.dll
2013-05-04 04:57:35   303616   ----a-w-   C:\Windows\SysWow64\stobject.dll
2013-05-04 04:57:16   18432   ----a-w-   C:\Windows\SysWow64\npmproxy.dll
2013-05-04 04:57:04   151040   ----a-w-   C:\Windows\SysWow64\netplwiz.dll
2013-05-04 04:57:04   115712   ----a-w-   C:\Windows\SysWow64\netprofm.dll
2013-05-04 04:57:02   14336   ----a-w-   C:\Windows\SysWow64\muifontsetup.dll
2013-05-04 04:56:48   411136   ----a-w-   C:\Windows\SysWow64\mfmp4srcsnk.dll
.
============= FINISH: 13:13:52.18 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8
Boot Device: \Device\HarddiskVolume2
Install Date: 7/11/2013 7:40:45 PM
System Uptime: 7/18/2013 8:31:05 AM (5 hours ago)
.
Motherboard: Hewlett-Packard |  | 1854
Processor: Intel(R) Core(TM) i3-2328M CPU @ 2.20GHz | U3E1 | 800/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 442 GiB total, 394.74 GiB free.
D: is FIXED (NTFS) - 23 GiB total, 2.738 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP3: 7/12/2013 12:02:16 AM - Installed Skype™ 6.3
RP5: 7/13/2013 12:13:41 PM - Paint.NET v3.5.10
RP6: 7/14/2013 12:19:06 PM - Removed Smileys We Love Toolbar for IE
RP7: 7/17/2013 10:40:25 AM - ComboFix created restore point
RP8: 7/18/2013 12:42:41 PM - Revo Uninstaller's restore point - GetSavin
.
==== Installed Programs ======================
.
4 Elements II
Adobe Shockwave Player 11.6
Bejeweled 3
Bonjour
Build-a-lot 4 - Power Source
Chuzzle Deluxe
Cradle Of Egypt Collector's Edition
Cradle of Rome 2
CyberLink LabelPrint
CyberLink Media Suite 10
CyberLink Power2Go 8
CyberLink PowerDVD
CyberLink YouCam
D3DX10
Define Ext
Energy Star
Farm Frenzy
FATE: The Cursed King
Final Drive Fury
FlatOut 2
Google Chrome
Google Talk Plugin
Google Update Helper
Governor of Poker 2 Premium Edition
Hewlett-Packard ACLM.NET v1.2.0.0
Hoyle Card Games
HP Customer Experience Enhancements
HP Documentation
HP Games
HP MyRoom
HP Postscript Converter
HP Quick Launch
HP Recovery Manager
HP Registration Service
HP Software Framework
HP Support Assistant
HP Utility Center
HP Wireless Button Driver
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) SDK for OpenCL - CPU Only Runtime Package
Intel® Trusted Connect Service Client
Jewel Match 3
John Deere Drive Green
Luxor Evolved
Mahjongg Dimensions Deluxe: Tiles in Time
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Application Error Reporting
Microsoft Office
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mortimer Beckett and the Crimson Thief Premium Edition
MSVCRT
Mystery P.I. - Curious Case of Counterfeit Cove
Paint.NET v3.5.10
Peggle Nights
Penguins!
Pokki
Polar Bowler
Polar Golfer
QuickShare
Ralink RT5390R 802.11bgn Wi-Fi Adapter
RealDownloader
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealNetworks - Microsoft Visual C++ 2010 Runtime
RealPlayer
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Realtek PCIE Card Reader
RealUpgrade 1.1
RegCure Pro
Revo Uninstaller 1.95
Roads of Rome 3
Skype™ 6.3
swMSM
Synaptics Pointing Device Driver
Tales of Lagoona
Tiny Media Player v1.0
Update Installer for WildTangent Games App
Vacation Quest™ - Australia
WildTangent Games
WildTangent Games App
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Language Selector
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
7/18/2013 8:31:40 AM, Error: Service Control Manager [7000]  - The vToolbarUpdater15.3.0 service failed to start due to the following error:  The system cannot find the file specified.
7/18/2013 7:37:25 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
7/18/2013 7:36:49 AM, Error: Application Popup [1060]  -
7/17/2013 4:48:04 PM, Error: Service Control Manager [7034]  - The Computer Backup (MyPC Backup) service terminated unexpectedly.  It has done this 1 time(s).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2836988).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2820330).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2808679).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2805966).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2829361).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2781197).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2833959).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2845533).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2822241).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2811660).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2800033).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2798162).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2795944).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2777294).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2769165).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2769034).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2768703).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Microsoft Camera Codec Pack for Windows 8 for x64-based Systems (KB2859541).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Microsoft Camera Codec Pack for Windows 8 for x64-based Systems (KB2779444).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2805227).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2805222).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2750149).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64 based Systems (KB2769166).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2850851).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2845690).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2845187).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2839894).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2835364).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2835361).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2830290).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2829254).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2813430).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2807986).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2803821).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2785220).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2770660).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2753842).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2727528).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64 (KB2742614).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2840632).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2833958).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2804583).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2789649).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 4.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2737084).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2844289).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2840633).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2832418).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2804584).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2789650).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2742616).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2736693).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Internet Explorer Flash Player for Windows 8 for X64-based Systems (KB2857645).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Cumulative Security Update for Internet Explorer 10 for Windows 8 for x64-based Systems (KB2846071).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0841: Update for Windows 8 for x64-based Systems (KB2771431).
.
==== End Of File ===========================


Thank you, and this time I am going back to bed for sure for a few hours before work tonight.
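The Windows Update entries above show the machine repeatedly failing to install updates, a good number of them security updates, so the box stays exposed even after the adware is cleaned out until those land. As an added example (not tooling from the original thread), this Python script parses lines in that event-log format and summarises the failures by error code and by whether the failed item was a security update. The embedded sample is a subset of the lines from the log above; the regular expressions are written against that layout and are an assumption for any other log format.

```python
"""Summarise Windows Update installation failures from event-log lines in the
format shown in the post above ("date, Level: Source [id] - message").

Added example for this thread, not tooling from the original post.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = """\
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Update for Windows 8 for x64-based Systems (KB2808679).
7/17/2013 10:41:29 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Windows 8 for x64-based Systems (KB2829361).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2833959).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Cumulative Security Update for Internet Explorer 10 for Windows 8 for x64-based Systems (KB2846071).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0923: Security Update for Internet Explorer Flash Player for Windows 8 for X64-based Systems (KB2857645).
7/17/2013 10:41:28 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x800F0841: Update for Windows 8 for x64-based Systems (KB2771431).
.
==== End Of File ===========================
"""

# One event-log line: timestamp, level, source, event id, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[\w.-]+) \[(?P<event_id>\d+)\]\s+- (?P<msg>.*)$"
)
# The WindowsUpdateClient failure message: HRESULT, update title, KB number.
FAIL_RE = re.compile(
    r"with error (?P<code>0x[0-9A-Fa-f]{8}): (?P<title>.*?) \((?P<kb>KB\d+)\)\.?$"
)


def parse_failures(text: str) -> List[Dict[str, object]]:
    """Return one record per WindowsUpdateClient installation-failure line.

    Lines that are not event-log lines (the trailing "." and the end-of-file
    marker in the sample) are skipped rather than treated as errors.
    """
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["source"] != "Microsoft-Windows-WindowsUpdateClient":
            continue
        f = FAIL_RE.search(m["msg"])
        if not f:
            continue
        records.append({
            "ts": m["ts"],
            "event_id": m["event_id"],
            "code": "0x" + f["code"][2:].upper(),  # normalise hex case
            "kb": f["kb"],
            "title": f["title"],
            # "Security Update" / "Cumulative Security Update" titles are the
            # ones that leave the machine exposed while they keep failing.
            "security": "security update" in f["title"].lower(),
        })
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Aggregate failures: count per HRESULT and the distinct KBs by kind."""
    by_code = Counter(str(r["code"]) for r in records)
    security_kbs = sorted({str(r["kb"]) for r in records if r["security"]})
    other_kbs = sorted({str(r["kb"]) for r in records if not r["security"]})
    return {
        "total": len(records),
        "by_code": dict(by_code),
        "security_kbs": security_kbs,
        "other_kbs": other_kbs,
    }


if __name__ == "__main__":
    s = summarize(parse_failures(SAMPLE_LOG))
    print(f"{s['total']} failed installs; by error code: {s['by_code']}")
    print("security updates not installed: " + ", ".join(s["security_kbs"]))
```

Run it against the full log pasted above to get the complete list of security KBs that never installed; once the cleanup is finished, that list is the next thing to clear, because the error codes are grouped per run and a single underlying cause usually accounts for all of them.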


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20701
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Pop ups after possible fake adobe update alert
« Reply #14 on: July 18, 2013, 10:36:55 PM »
Hi, 4on4off.

I don't like that files that have been shown as removed keep showing up and, from what I'm seeing, shouldn't be!  Regarding AdwCleaner that you ran previously:  Was it a "fresh" copy you downloaded so you were using the latest version?  The same question applies to the Junkware Removal Tool (JRT).  AdwCleaner is generally updated twice a month; however, JRT is updated more frequently.

To be sure you have the latest versions, let's use a fresh copy of both. 

1.  Uninstall the version of AdwCleaner currently on the computer.
  • Double-click AdwCleaner.exe to run the tool.
  • Click Uninstall.
  • Confirm with Yes.
2.  Download a fresh copy of AdwCleaner from AdwCleaner to your Desktop.
  • Double-click AdwCleaner.exe to run the tool.
  • Click Delete.
  • Everything that was found will be deleted.
  • Save any open files and approve the reboot.  A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., S1

3.  Please download Junkware Removal Tool to your desktop.
  • Disable your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it.  If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

4.  If the computer wasn't restarted after scanning with JRT, please do so first and then run ComboFix.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
Folder::
C:\Users\Ashley\AppData\Roaming\TuneUp Software
C:\ProgramData\TuneUp Software
C:\ProgramData\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
C:\Program Files (x86)\SqueekyChocolate, LLC
C:\Users\Ashley\AppData\Local\Updater21058
C:\Program Files (x86)\MyPC Backup
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
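After ComboFix has processed a CFScript like the one in the reply above, a practitioner normally confirms that the targeted folders are actually gone rather than relying on the tool's log alone, since this thread is precisely about items that "keep showing up" after being reported removed. The following Python is an added example, not ComboFix's or the forum's own code: it parses the Folder:: section of a CFScript (treating every "Name::" header as a section is an assumption; only Folder:: appears in the post) and reports any listed path that still exists on disk. The `exists` parameter is injectable so the check can be exercised without touching the filesystem; run it with the default on the cleaned machine.

```python
"""Post-cleanup check for a ComboFix CFScript: report which targeted
folders still exist.

Added example for this thread; not ComboFix's own code. Only the Folder::
directive appears in the post, so handling every "Name::" header as a
section is an assumption.
"""
import os
from typing import Callable, Dict, List

# Constructed from the CFScript in the reply above (raw string: Windows paths).
CFSCRIPT = r"""
Folder::
C:\Users\Ashley\AppData\Roaming\TuneUp Software
C:\ProgramData\TuneUp Software
C:\ProgramData\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
C:\Program Files (x86)\SqueekyChocolate, LLC
C:\Users\Ashley\AppData\Local\Updater21058
C:\Program Files (x86)\MyPC Backup
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [entries]}.

    A line ending in "::" opens a section; non-blank lines below it are
    entries of that section. An entry before any directive is a malformed
    script and raises ValueError instead of being silently dropped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def leftovers(paths: List[str],
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the subset of paths that still exist, order preserved."""
    return [p for p in paths if exists(p)]


def check_script(text: str,
                 exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Map each section to the entries that survived the ComboFix run.

    Only filesystem directives (Folder:: in the post) give a meaningful
    result; a section of non-path entries would simply report nothing present.
    """
    return {name: leftovers(entries, exists)
            for name, entries in parse_cfscript(text).items()}


if __name__ == "__main__":
    for section, remaining in check_script(CFSCRIPT).items():
        if remaining:
            print(f"{section}:: still present:")
            for p in remaining:
                print("  " + p)
        else:
            print(f"{section}:: all entries gone")
```

A folder that reappears after a reboot is worth more attention than one that was simply missed: it points at something still running that recreates it, which is the pattern this thread is chasing.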