Author Topic: add & remove items  (Read 16237 times)


Corrine (Administrator)
Re: add & remove items
« Reply #15 on: March 19, 2012, 04:43:45 PM »
Hi, johnson55.

What do you mean, "the email didn't work"?  If you were attempting to copy/paste the ComboFix.txt log via e-mail, that won't work as you need to log on to the forum in order to post -- which you did.

Before proceeding with further cleanup, please do the following:

Let's see an MBAM scan:
  • Launch Malwarebytes' Anti-Malware then click the Update tab and "Check for Updates"
  • Once the update has been installed and the program has loaded, select Quick scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.
** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In addition, please post a fresh DDS.scr log.  Double-Click dds.scr, wait for it to finish and copy/paste the files from Notepad as a reply.

Is everything working correctly?  Is your computer running faster now?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

johnson55
Re: add & remove items
« Reply #16 on: March 20, 2012, 03:40:18 PM »
Corrine,
I think everything is working ok now since maybe a couple of reboots.
For a while nothing was working, I'm not sure what caused that.
I thought I had major problems.
Most of the problems were because I didn't know what I was doing. I don't stop
and think things over, go at it too fast.
Thanks for all the tutoring. I do appreciate it. Now I'm going to try and send
the log of malware and a repeat of dds.
---------------------------------------------------
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.20.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
jacobi678 :: NEWBUILD2 [administrator]

3/20/2012 11:18:02 AM
mbam-log-2012-03-20 (11-18-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191905
Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\jacobi678\Downloads\DownloadManager_Setup(1).exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Users\jacobi678\Downloads\DownloadManager_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Users\jacobi678\Downloads\WinPatrol.exe (PUP.Adbunbler) -> Quarantined and deleted successfully.

(end)
--------------------------------------------------------

johnson55
Re: add & remove items
« Reply #17 on: March 20, 2012, 03:48:59 PM »
I think the attachment is ok to go

johnson55
Re: add & remove items
« Reply #18 on: March 20, 2012, 04:52:51 PM »
Corrine,
I sent the old ddsvc. I guess you need a new one made and also the attachment log or 2nd log?
johnson55

Corrine (Administrator)
Re: add & remove items
« Reply #19 on: March 20, 2012, 05:07:05 PM »
Hi, johnson55.

Ah, good to know things seem to be working better now.  I know what you mean -- when on a new computer/operating system, it takes time to get used to where things are and how to accomplish tasks that used to come automatically.

Yes, I want to see a new DDS scan.  I do not need the second attach.txt this time, just the DDS.txt.  Don't zip & attach, just copy/paste it as a reply.


johnson55
Re: add & remove items
« Reply #20 on: March 20, 2012, 05:12:49 PM »
The 2 new logs should be attached. johnson55

Edit Note:  Log extracted for posting by Corrine:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by jacobi678 at 12:59:51 on 2012-03-20
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4003.2865 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\ccSvcHst.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\IPS\IPSBHO.DLL
BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Zoom Downloader: {e5c66dd8-308b-4a4f-af0a-3d04f25b5343} - mscoree.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [WinPatrol Explorer] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AACA648C-CA36-4BFF-9259-744A8F274ACC} : DhcpNameServer = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\coIEPlg.dll
BHO-X64:     Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\IPS\IPSBHO.DLL
BHO-X64:     Norton Vulnerability Protection - No File
BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO-X64:     TSBHO Class - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Zoom Downloader: {E5C66DD8-308B-4a4f-AF0A-3D04F25B5343} - mscoree.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\coIEPlg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://blekko.com/?source=c6125cca&tbp=url&toolbarid=blekkotb_001&u=___userid___&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110014
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 0a0226710000000000003860779ec705
FF - user.js: extensions.BabylonToolbar_i.hardId - 0a0226710000000000003860779ec705
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15411
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1715:07:12
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
FF - user.js: extentions.y2layers.installId - f345d036-dd66-4a32-b9e3-08c109616990
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,dropdowndeals,buzzdock,toprelatedtopics,twittube,ezlooker
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1306010.008\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1306010.008\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1306010.008\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1306010.008\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120317.002\BHDrvx64.sys [2012-3-20 1157240]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1306010.008\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1306010.008\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120317.002\IDSviA64.sys [2012-3-20 488568]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1306010.008\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1306010.008\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1306010.008\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1306010.008\SYMNETS.SYS [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-6-9 264008]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-17 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-24 212944]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.6.1.8\ccsvchst.exe [2012-3-8 138232]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-9-10 1128952]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-2-15 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-9-10 2656280]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-2-13 138360]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\drivers\HECIx64.sys --> C:\Windows\system32\drivers\HECIx64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-2-15 136176]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-2-15 136176]
S3 Impcd;Impcd;C:\Windows\system32\drivers\Impcd.sys --> C:\Windows\system32\drivers\Impcd.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 pmxdrv;pmxdrv;\??\C:\Windows\system32\drivers\pmxdrv.sys --> C:\Windows\system32\drivers\pmxdrv.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-03-19 20:24:06   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{4619DDD1-3160-42DF-9A90-C7A351C6A51D}
2012-03-19 20:23:39   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{45E0DEEE-46CA-40BD-BB07-D99E9869D669}
2012-03-19 15:18:39   --------   d-sh--w-   C:\$RECYCLE.BIN
2012-03-19 15:05:28   98816   ----a-w-   C:\Windows\sed.exe
2012-03-19 15:05:28   518144   ----a-w-   C:\Windows\SWREG.exe
2012-03-19 15:05:28   256000   ----a-w-   C:\Windows\PEV.exe
2012-03-19 15:05:28   208896   ----a-w-   C:\Windows\MBR.exe
2012-03-18 22:47:39   --------   d-----w-   C:\Windows\en
2012-03-18 22:46:27   18328   ----a-w-   C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-03-18 22:45:17   15712   ----a-w-   C:\Program Files (x86)\Common Files\Windows Live\.cache\ca474e921cd055802\MeshBetaRemover.exe
2012-03-18 22:44:21   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{638607CD-B0A3-455D-A1B1-178876E5423E}
2012-03-18 22:43:55   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{680DA61D-497A-4444-AC01-3763F5A9B106}
2012-03-18 18:00:00   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{CD6B1936-B3A7-4263-AFEA-A4714DBBB67D}
2012-03-18 17:59:32   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{35130895-050A-4198-BDDD-8B4532B1DFF2}
2012-03-18 04:19:21   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{E7DA2D8E-674C-4941-B77A-0A36685C79CB}
2012-03-18 04:18:54   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{3DE2FF43-D27D-4FED-9CF1-44972FCB874D}
2012-03-18 04:15:13   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{B0DA3C4F-94DE-4206-A1CA-5223C26E83FD}
2012-03-18 04:12:14   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{3685FC27-5F59-4417-A4E2-3CF34E5D6DDC}
2012-03-18 04:12:00   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{A8F5FAB0-FE61-4087-BFE7-164EC465F03F}
2012-03-18 04:03:44   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{9F34F000-D64F-4452-A343-C7C85D857019}
2012-03-18 04:03:15   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{CE17D42E-3E30-4F4E-A33F-990173846DC8}
2012-03-15 04:17:10   5559152   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2012-03-15 04:17:09   3968368   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-15 04:17:09   3913584   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 14:43:11   3145728   ----a-w-   C:\Windows\System32\win32k.sys
2012-03-14 14:43:07   1544192   ----a-w-   C:\Windows\System32\DWrite.dll
2012-03-14 14:43:07   1077248   ----a-w-   C:\Windows\SysWow64\DWrite.dll
2012-03-14 14:41:47   826880   ----a-w-   C:\Windows\SysWow64\rdpcore.dll
2012-03-14 14:41:47   23552   ----a-w-   C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 14:41:47   210944   ----a-w-   C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 14:41:47   1031680   ----a-w-   C:\Windows\System32\rdpcore.dll
2012-03-14 14:41:44   9216   ----a-w-   C:\Windows\System32\rdrmemptylst.exe
2012-03-14 14:41:44   77312   ----a-w-   C:\Windows\System32\rdpwsx.dll
2012-03-14 14:41:44   149504   ----a-w-   C:\Windows\System32\rdpcorekmts.dll
2012-03-13 18:07:08   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{10466BD9-5035-4F65-8A21-73E182B7FE20}
2012-03-13 18:06:41   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{515FDBF1-0C4F-4ABF-86F8-77AF4EBE8119}
2012-03-13 15:02:31   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{DE8D2FEF-9F55-4418-AEBC-300B5FDE7DBD}
2012-03-13 15:01:54   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{C5595999-9687-4EDB-AC3F-7AC9A0F89BDD}
2012-03-13 03:49:00   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{B1CE2D00-6190-46AC-A3B4-43B03E909E2E}
2012-03-13 03:48:32   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{8048C8AA-28B0-408A-9081-2E8EDFE9B632}
2012-03-12 23:24:28   --------   d-----w-   C:\Users\jacobi678\AppData\Local\blekkotb_001
2012-03-12 23:24:22   --------   d-----w-   C:\ProgramData\Anti-phishing Domain Advisor
2012-03-12 23:24:20   --------   d-----w-   C:\Program Files (x86)\blekkotb
2012-03-12 23:24:14   --------   d-----w-   C:\Users\jacobi678\AppData\Local\jetmp3
2012-03-12 20:22:31   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{00061BA3-CA99-4120-BC7A-0BD3CD1751DB}
2012-03-12 20:22:30   --------   d-----w-   C:\ProgramData\InstallMate
2012-03-12 20:22:30   --------   d-----w-   C:\Program Files (x86)\BillP Studios
2012-03-12 20:22:14   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{CEA6C039-9A1B-4B8D-BF13-41796C61DE75}
2012-03-12 20:22:01   --------   d-----w-   C:\Users\jacobi678\Tracing
2012-03-12 20:17:16   --------   d-----w-   C:\Program Files (x86)\Yontoo
2012-03-12 20:06:48   --------   d-----w-   C:\Users\jacobi678\AppData\Roaming\Babylon
2012-03-12 20:06:48   --------   d-----w-   C:\Users\jacobi678\AppData\Local\Babylon
2012-03-12 20:06:48   --------   d-----w-   C:\ProgramData\Babylon
2012-03-12 20:06:35   --------   d-----w-   C:\Users\jacobi678\AppData\Local\Zoom_Downloader
2012-03-12 20:06:33   --------   d-----w-   C:\Program Files (x86)\Zoom Downloader
2012-03-10 05:55:50   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{0113F843-E1D2-4F8E-9430-B2D69BEE33F7}
2012-03-10 05:55:23   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{A8E85387-735E-49A9-AE4F-5D9F147399B8}
2012-03-09 04:30:10   738936   ----a-w-   C:\Windows\System32\drivers\NISx64\1306010.008\srtsp64.sys
2012-03-09 04:30:10   451192   ----a-r-   C:\Windows\System32\drivers\NISx64\1306010.008\symds64.sys
2012-03-09 04:30:10   405624   ----a-w-   C:\Windows\System32\drivers\NISx64\1306010.008\symnets.sys
2012-03-09 04:30:10   37496   ----a-w-   C:\Windows\System32\drivers\NISx64\1306010.008\srtspx64.sys
2012-03-09 04:30:10   190072   ----a-w-   C:\Windows\System32\drivers\NISx64\1306010.008\ironx64.sys
2012-03-09 04:30:10   167048   ----a-w-   C:\Windows\System32\drivers\NISx64\1306010.008\ccsetx64.sys
2012-03-09 04:30:10   1092728   ----a-w-   C:\Windows\System32\drivers\NISx64\1306010.008\symefa64.sys
2012-03-09 04:30:04   --------   d-----w-   C:\Windows\System32\drivers\NISx64\1306010.008
2012-03-07 05:28:23   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{F05C811E-CB85-46DC-99CE-D3CBFC18FE3C}
2012-03-07 05:28:06   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{F4B3365C-7526-4144-B1EA-82FFF57F917B}
2012-03-07 05:06:23   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{E36D14A5-B36D-4C3A-BB78-8C73F2557399}
2012-03-07 05:05:59   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{C2CECCE5-0423-4EA1-B62E-FFB3884349AF}
2012-03-07 04:25:10   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{B5DD9E2A-FB7A-4BC4-BF6E-FBC7D2AF50E3}
2012-03-07 04:25:10   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{8E3BD410-367F-4A06-818D-445FF94FE853}
2012-03-04 23:39:58   162664   ----a-w-   C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-02 19:12:05   --------   d-----w-   C:\Users\jacobi678\AppData\Local\Windows Live
2012-03-02 19:11:19   --------   d-----w-   C:\Users\jacobi678\AppData\Local\{E62B5E51-0B87-43DB-83A3-D9D7DBE642CB}
2012-03-02 00:30:13   --------   d-----w-   C:\ProgramData\VirtualizedApplications
2012-03-01 05:19:29   --------   d-----w-   C:\Users\jacobi678\AppData\Local\Microsoft Help
2012-03-01 05:16:12   --------   d-----w-   C:\Users\jacobi678\AppData\Roaming\SoftGrid Client
2012-03-01 05:16:12   --------   d-----w-   C:\Users\jacobi678\AppData\Local\SoftGrid Client
2012-03-01 05:15:38   --------   d-----w-   C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-03-01 05:15:30   --------   d-----w-   C:\Users\jacobi678\AppData\Roaming\TP
2012-02-27 04:43:10   --------   d-----w-   C:\ProgramData\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-02-27 04:42:48   --------   d-----w-   C:\Users\jacobi678\AppData\Roaming\hpqLog
2012-02-27 04:42:12   --------   d-----w-   C:\Users\jacobi678\AppData\Roaming\WinBatch
2012-02-25 15:31:10   --------   d-----w-   C:\Users\jacobi678\AppData\Roaming\Windows Live Writer
2012-02-25 15:31:10   --------   d-----w-   C:\Users\jacobi678\AppData\Local\Windows Live Writer
2012-02-24 15:24:43   1658880   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\extensions\websitelogon@truesuite.com\components\FFXPCOM.dll
2012-02-20 20:25:15   --------   d-----w-   C:\ProgramData\Blio
2012-02-20 20:25:14   --------   d-----w-   C:\Users\jacobi678\AppData\Roaming\Blio
.
==================== Find3M  ====================
.
2012-03-15 03:57:09   175736   ----a-w-   C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-03-11 16:01:48   414368   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-04 10:44:20   509952   ----a-w-   C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41   442880   ----a-w-   C:\Windows\SysWow64\ntshrui.dll
2011-12-30 06:26:08   515584   ----a-w-   C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56   478720   ----a-w-   C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24   498688   ----a-w-   C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 13:00:20.04 ===============

Corrine (Administrator)
Re: add & remove items
« Reply #21 on: March 20, 2012, 09:04:31 PM »
Hi, johnson55.

Where did you download WinPatrol from?  From the MBAM log, it doesn't appear that it was from http://www.winpatrol.com/download.html

Advice:  Whenever possible, only download programs from the vendor site.

Code:
C:\Users\jacobi678\Downloads\WinPatrol.exe (PUP.Adbunbler) -> Quarantined and deleted successfully.
The above indicates that the downloaded file is a "potentially unwanted program" because it was bundled with ads.  There is absolutely, positively, no way Bill Pytlovany would include that in the installation file for WinPatrol.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
DDS:
TB: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} -
BHO-X64:     Norton Identity Protection -
BHO-X64:     Norton Vulnerability Protection -
BHO-X64:     TSBHO Class -
TB-X64: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} -

Folder::
C:\Program Files (x86)\Yontoo
C:\Users\jacobi678\AppData\Roaming\Babylon
C:\Users\jacobi678\AppData\Local\Babylon
C:\ProgramData\Babylon

Firefox::
FF - ProfilePath - c:\users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110014
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 0a0226710000000000003860779ec705
FF - user.js: extensions.BabylonToolbar_i.hardId - 0a0226710000000000003860779ec705
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15411
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1715:07
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
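Two readings of the logs are being made in the reply above: the MBAM result line naming a "PUP." detection on a downloaded installer, and the DDS "FF - user.js" lines that the Firefox:: section of the CFScript was assembled from. The following Python is an added example of doing both readings mechanically; it is not code from this thread, nor from ComboFix, DDS or Malwarebytes. The sample log lines are constructed in the layout the logs on this page use (the paths and preference names are copied from the thread, the "PUP.Example" hit is made up), the toolbar namespaces and the `security.csp.enable` check are my own choices, and the Firefox:: layout it prints only mirrors what the post shows, with no claim about what ComboFix itself accepts.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines, laid out the way the DDS and MBAM logs on this page are;
# paths and preference names are copied from the thread, the rest is made up.
SAMPLE_DDS_LINES = [
    "FF - ProfilePath - c:\\users\\jacobi678\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\azgatbp3.default\\",
    "FF - prefs.js: browser.search.selectedEngine -",
    "FF - prefs.js: network.proxy.type - 0",
    "FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110014",
    "FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon",
    "FF - user.js: extentions.y2layers.installId - f345d036-dd66-4a32-b9e3-08c109616990",
    "FF - user.js: extensions.autoDisableScopes - 14",
    "FF - user.js: security.csp.enable - false",
]
SAMPLE_MBAM_LINES = [
    "C:\\Users\\jacobi678\\Downloads\\WinPatrol.exe (PUP.Adbunbler) -> Quarantined and deleted successfully.",
    "C:\\Program Files (x86)\\Example Toolbar\\tb.dll (PUP.Example) -> Quarantined and deleted successfully.",
]

# Preference namespaces written by the two toolbars this thread deals with. "extentions"
# (sic) is how the Yontoo prefs are actually spelled in the log, so that spelling is matched too.
TOOLBAR_NAMESPACES = ("extensions.BabylonToolbar_i.", "extentions.y2layers.")

# Browser prefs whose listed value weakens protection (my own list, not from the thread).
# security.csp.enable=false switches off Content Security Policy enforcement in Firefox.
WEAKENING_PREFS = {"security.csp.enable": "false"}

FF_PROFILE_RE = re.compile(r"^FF - ProfilePath - (.+)$")
FF_PREF_RE = re.compile(r"^FF - (user\.js|prefs\.js): (\S+) -\s*(.*)$")
MBAM_RESULT_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_ff_pref(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a DDS 'FF - user.js: name - value' line into (file, name, value); None if not a pref line."""
    m = FF_PREF_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3).strip()


def toolbar_prefs(lines: Iterable[str], namespaces=TOOLBAR_NAMESPACES) -> List[str]:
    """Return the DDS pref lines whose preference name falls under one of the toolbar namespaces."""
    prefixes = tuple(namespaces)
    hits = []
    for line in lines:
        parsed = parse_ff_pref(line)
        if parsed and parsed[1].startswith(prefixes):
            hits.append(line.strip())
    return hits


def firefox_block(lines: Iterable[str], namespaces=TOOLBAR_NAMESPACES) -> str:
    """Lay the matches out the way the Firefox:: section in this thread is written:
    the ProfilePath line first, then the toolbar pref lines (layout only, copied from the post)."""
    stripped = [l.strip() for l in lines]
    profile = [l for l in stripped if FF_PROFILE_RE.match(l)]
    return "\n".join(["Firefox::"] + profile + toolbar_prefs(stripped, namespaces))


def weakened_security_prefs(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(name, value) for every pref whose value matches an entry in WEAKENING_PREFS."""
    found = []
    for line in lines:
        parsed = parse_ff_pref(line)
        if parsed and WEAKENING_PREFS.get(parsed[1]) == parsed[2]:
            found.append((parsed[1], parsed[2]))
    return found


def parse_mbam_result(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an MBAM result line into (path, detection, action); copes with '(x86)' inside the path."""
    m = MBAM_RESULT_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection"), m.group("action")


def pup_hits(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(path, detection) for every MBAM line whose detection name is in the PUP. family."""
    hits = []
    for line in lines:
        parsed = parse_mbam_result(line)
        if parsed and parsed[1].upper().startswith("PUP."):
            hits.append((parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    print(firefox_block(SAMPLE_DDS_LINES))
    print("weakened prefs:", weakened_security_prefs(SAMPLE_DDS_LINES))
    print("PUP detections:", pup_hits(SAMPLE_MBAM_LINES))
```

Running it prints a Firefox:: block with the ProfilePath line and the three toolbar prefs from the sample, reports `security.csp.enable` set to `false` (the same setting appears in the ComboFix log later in this thread), and lists both PUP detections with their paths, so a helper can see at a glance which lines came from a downloaded installer rather than from the vendor's own site. Swap in whatever namespaces the DDS log of the machine in front of you actually shows.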

Offline johnson55

Re: add & remove items
« Reply #22 on: March 21, 2012, 03:15:33 AM »
Corrine, this has been quite a ride, cleaning up more things than I thought, but if this helps it's sure worth it. I had to reboot twice to get the computer to work. I got this message:
Illegal operation attempted on a registry key that has been marked for deletion.
Any comment on that? Even when I clicked on the LandzDown forum [same thing]. OK now.

Edit Note:  Log unzipped & pasted by Corrine:

ComboFix 12-03-18.01 - jacobi678 03/20/2012  22:47:46.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4003.2667 [GMT -5:00]
Running from: c:\users\jacobi678\Downloads\ComboFix.exe
Command switches used :: c:\users\jacobi678\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Yontoo
c:\program files (x86)\Yontoo\YontooIEClient.dll
c:\programdata\Babylon
c:\users\jacobi678\AppData\Local\Babylon
c:\users\jacobi678\AppData\Local\Babylon\Setup\bab033.tbinst.dat
c:\users\jacobi678\AppData\Local\Babylon\Setup\bab091.norecovericon.dat
c:\users\jacobi678\AppData\Local\Babylon\Setup\Babylon.dat
c:\users\jacobi678\AppData\Local\Babylon\Setup\BExternal-9.0.3.35.zpb
c:\users\jacobi678\AppData\Local\Babylon\Setup\BExternal.dll
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\cmbx.png
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\common.js
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\eula.html
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\lngs.png
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page1.css
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page1.html
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page1.js
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page1Lrg.css
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page2.css
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page2.html
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page2.js
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page2Lrg.css
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\page9.html
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\pBar.gif
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\title1.png
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\title2.png
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\toolBar.jpg
c:\users\jacobi678\AppData\Local\Babylon\Setup\HtmlScreens\vIcn.png
c:\users\jacobi678\AppData\Local\Babylon\Setup\IECookieLow.dll
c:\users\jacobi678\AppData\Local\Babylon\Setup\Setup-tbmntr903-9.0.3.35.zpb
c:\users\jacobi678\AppData\Local\Babylon\Setup\Setup.exe
c:\users\jacobi678\AppData\Local\Babylon\Setup\SetupStrings.dat
c:\users\jacobi678\AppData\Local\Babylon\Setup\sqlite3.dll
c:\users\jacobi678\AppData\Roaming\Babylon
c:\users\jacobi678\AppData\Roaming\Babylon\log_file.txt
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-21 to 2012-03-21  )))))))))))))))))))))))))))))))
.
.
2012-03-21 03:50 . 2012-03-21 03:50   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-03-18 22:47 . 2012-03-18 22:47   --------   d-----w-   c:\windows\en
2012-03-18 22:46 . 2012-03-18 22:46   18328   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-03-18 22:45 . 2012-03-18 22:45   15712   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\ca474e921cd055802\MeshBetaRemover.exe
2012-03-15 04:17 . 2011-11-19 15:20   5559152   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-03-15 04:17 . 2011-11-19 14:50   3968368   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-03-15 04:17 . 2011-11-19 14:50   3913584   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 14:43 . 2012-02-03 04:34   3145728   ----a-w-   c:\windows\system32\win32k.sys
2012-03-14 14:43 . 2012-02-10 06:36   1544192   ----a-w-   c:\windows\system32\DWrite.dll
2012-03-14 14:43 . 2012-02-10 05:38   1077248   ----a-w-   c:\windows\SysWow64\DWrite.dll
2012-03-14 14:41 . 2012-02-17 06:38   1031680   ----a-w-   c:\windows\system32\rdpcore.dll
2012-03-14 14:41 . 2012-02-17 05:34   826880   ----a-w-   c:\windows\SysWow64\rdpcore.dll
2012-03-14 14:41 . 2012-02-17 04:58   210944   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-03-14 14:41 . 2012-02-17 04:57   23552   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-03-14 14:41 . 2012-01-25 06:38   77312   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-03-14 14:41 . 2012-01-25 06:38   149504   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-03-14 14:41 . 2012-01-25 06:33   9216   ----a-w-   c:\windows\system32\rdrmemptylst.exe
2012-03-12 23:24 . 2012-03-12 23:24   --------   d-----w-   c:\users\jacobi678\AppData\Local\blekkotb_001
2012-03-12 23:24 . 2012-03-12 23:24   --------   d-----w-   c:\programdata\Anti-phishing Domain Advisor
2012-03-12 23:24 . 2012-03-12 23:24   --------   d-----w-   c:\program files (x86)\blekkotb
2012-03-12 23:24 . 2012-03-12 23:24   --------   d-----w-   c:\users\jacobi678\AppData\Local\jetmp3
2012-03-12 20:22 . 2012-03-21 03:09   --------   d-----w-   c:\programdata\InstallMate
2012-03-12 20:22 . 2012-03-12 20:22   --------   d-----w-   c:\program files (x86)\BillP Studios
2012-03-12 20:22 . 2012-03-14 03:27   --------   d-----w-   c:\users\jacobi678\Tracing
2012-03-12 20:07 . 2012-03-12 20:07   237   ----a-w-   C:\user.js
2012-03-12 20:06 . 2012-03-12 20:06   --------   d-----w-   c:\users\jacobi678\AppData\Local\Zoom_Downloader
2012-03-12 20:06 . 2012-03-12 20:06   --------   d-----w-   c:\program files (x86)\Zoom Downloader
2012-03-11 16:00 . 2012-03-11 16:00   --------   d-----w-   c:\windows\system32\Macromed
2012-03-11 16:00 . 2012-03-11 16:00   --------   d-----w-   c:\programdata\McAfee
2012-03-09 04:30 . 2012-03-15 15:05   --------   d-----w-   c:\windows\system32\drivers\NISx64\1306010.008
2012-03-04 23:39 . 2012-03-04 23:39   162664   ----a-w-   c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-02 19:12 . 2012-03-19 20:24   --------   d-----w-   c:\users\jacobi678\AppData\Local\Windows Live
2012-03-02 00:30 . 2012-03-02 00:30   --------   d-----w-   c:\programdata\VirtualizedApplications
2012-03-01 05:19 . 2012-03-01 05:19   --------   d-----w-   c:\users\jacobi678\AppData\Local\Microsoft Help
2012-03-01 05:19 . 2012-03-01 05:19   --------   d-----w-   c:\programdata\Microsoft Help
2012-03-01 05:16 . 2012-03-12 03:55   --------   d-----w-   c:\users\jacobi678\AppData\Roaming\SoftGrid Client
2012-03-01 05:16 . 2012-03-01 05:16   --------   d-----w-   c:\users\jacobi678\AppData\Local\SoftGrid Client
2012-03-01 05:15 . 2012-03-02 04:17   --------   d-----w-   c:\program files (x86)\Microsoft Application Virtualization Client
2012-03-01 05:15 . 2012-03-01 05:16   --------   d-----w-   c:\users\jacobi678\AppData\Roaming\TP
2012-02-27 04:43 . 2012-02-27 04:43   --------   d-----w-   c:\programdata\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E}
2012-02-27 04:42 . 2012-02-27 04:44   --------   d-----w-   c:\users\jacobi678\AppData\Roaming\hpqLog
2012-02-27 04:42 . 2012-02-27 04:42   --------   d-----w-   c:\users\jacobi678\AppData\Roaming\WinBatch
2012-02-25 15:31 . 2012-03-07 05:21   --------   d-----w-   c:\users\jacobi678\AppData\Local\Windows Live Writer
2012-02-25 15:31 . 2012-03-07 05:08   --------   d-----w-   c:\users\jacobi678\AppData\Roaming\Windows Live Writer
2012-02-23 20:04 . 2012-02-23 20:04   --------   d-----w-   c:\users\jacobi678\AppData\Local\Mozilla
2012-02-20 20:25 . 2012-02-20 20:25   --------   d-----w-   c:\programdata\Blio
2012-02-20 20:25 . 2012-02-20 20:26   --------   d-----w-   c:\users\jacobi678\AppData\Roaming\Blio
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 03:57 . 2011-09-10 05:17   175736   ----a-w-   c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-03-11 16:01 . 2011-09-10 05:12   414368   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-04 10:44 . 2012-02-15 06:55   509952   ----a-w-   c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-15 06:55   442880   ----a-w-   c:\windows\SysWow64\ntshrui.dll
2011-12-30 06:26 . 2012-02-15 06:54   515584   ----a-w-   c:\windows\system32\timedate.cpl
2011-12-30 05:27 . 2012-02-15 06:54   478720   ----a-w-   c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-15 06:54   498688   ----a-w-   c:\windows\system32\drivers\afd.sys
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-03-19_15.10.03   )))))))))))))))))))))))))))))))))))))))))
.
- 2010-03-18 16:15 . 2010-03-18 16:15   51024              c:\windows\SysWOW64\vcomp100.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   51024              c:\windows\SysWOW64\vcomp100.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   80720              c:\windows\SysWOW64\mfcm100u.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   80720              c:\windows\SysWOW64\mfcm100u.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   80208              c:\windows\SysWOW64\mfcm100.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   80208              c:\windows\SysWOW64\mfcm100.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   60752              c:\windows\SysWOW64\mfc100rus.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   60752              c:\windows\SysWOW64\mfc100rus.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   43344              c:\windows\SysWOW64\mfc100kor.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   43344              c:\windows\SysWOW64\mfc100kor.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   43856              c:\windows\SysWOW64\mfc100jpn.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   43856              c:\windows\SysWOW64\mfc100jpn.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   62288              c:\windows\SysWOW64\mfc100ita.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   62288              c:\windows\SysWOW64\mfc100ita.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   64336              c:\windows\SysWOW64\mfc100fra.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   64336              c:\windows\SysWOW64\mfc100fra.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   63824              c:\windows\SysWOW64\mfc100esn.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   63824              c:\windows\SysWOW64\mfc100esn.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   55120              c:\windows\SysWOW64\mfc100enu.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   55120              c:\windows\SysWOW64\mfc100enu.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   64336              c:\windows\SysWOW64\mfc100deu.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   64336              c:\windows\SysWOW64\mfc100deu.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   36176              c:\windows\SysWOW64\mfc100cht.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   36176              c:\windows\SysWOW64\mfc100cht.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   36176              c:\windows\SysWOW64\mfc100chs.dll
- 2010-03-18 16:15 . 2010-03-18 16:15   36176              c:\windows\SysWOW64\mfc100chs.dll
+ 2010-11-21 03:09 . 2012-03-21 03:18   36562              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-21 03:18   34694              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-07 20:02 . 2011-01-07 20:02   57168              c:\windows\system32\vcomp100.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   57168              c:\windows\system32\vcomp100.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   91472              c:\windows\system32\mfcm100u.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   91472              c:\windows\system32\mfcm100u.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   91472              c:\windows\system32\mfcm100.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   91472              c:\windows\system32\mfcm100.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   60752              c:\windows\system32\mfc100rus.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   60752              c:\windows\system32\mfc100rus.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   43344              c:\windows\system32\mfc100kor.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   43344              c:\windows\system32\mfc100kor.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   43856              c:\windows\system32\mfc100jpn.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   43856              c:\windows\system32\mfc100jpn.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   62288              c:\windows\system32\mfc100ita.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   62288              c:\windows\system32\mfc100ita.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   64336              c:\windows\system32\mfc100fra.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   64336              c:\windows\system32\mfc100fra.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   63824              c:\windows\system32\mfc100esn.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   63824              c:\windows\system32\mfc100esn.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   55120              c:\windows\system32\mfc100enu.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   55120              c:\windows\system32\mfc100enu.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   64336              c:\windows\system32\mfc100deu.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   64336              c:\windows\system32\mfc100deu.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   36176              c:\windows\system32\mfc100cht.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   36176              c:\windows\system32\mfc100cht.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   36176              c:\windows\system32\mfc100chs.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   36176              c:\windows\system32\mfc100chs.dll
+ 2012-02-10 20:24 . 2012-03-20 04:05   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-02-10 20:24 . 2012-03-19 14:22   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-02-10 20:24 . 2012-03-19 14:22   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-02-10 20:24 . 2012-03-20 04:05   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-19 14:22   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-20 04:05   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-03-19 15:13   95344              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-02-12 21:11 . 2012-03-21 03:18   6962              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1866074403-788936854-74266964-1000_UserData.bin
+ 2012-03-21 03:51 . 2012-03-21 03:51   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-19 15:09 . 2012-03-19 15:09   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-11 18:41 . 2012-03-21 03:00   233960              c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2009-07-14 02:36 . 2012-03-19 14:22   660520              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-21 03:21   660520              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-21 03:21   121190              c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-19 14:22   121190              c:\windows\system32\perfc009.dat
- 2010-03-18 16:36 . 2010-03-18 16:36   827728              c:\windows\system32\msvcr100.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   827728              c:\windows\system32\msvcr100.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   608080              c:\windows\system32\msvcp100.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   158536              c:\windows\system32\atl100.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   158536              c:\windows\system32\atl100.dll
- 2009-07-14 05:01 . 2012-03-19 15:08   228692              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-21 03:50   228692              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-03-18 16:15 . 2010-03-18 16:15   4368720              c:\windows\SysWOW64\mfc100u.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   4368720              c:\windows\SysWOW64\mfc100u.dll
+ 2011-01-07 20:39 . 2011-01-07 20:39   4342600              c:\windows\SysWOW64\mfc100.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   5523280              c:\windows\system32\mfc100u.dll
+ 2011-01-07 20:02 . 2011-01-07 20:02   5493576              c:\windows\system32\mfc100.dll
- 2010-03-18 16:36 . 2010-03-18 16:36   5493576              c:\windows\system32\mfc100.dll
+ 2011-01-08 01:10 . 2011-01-08 01:10   3991040              c:\windows\Installer\2c2b676.msp
+ 2011-01-08 01:05 . 2011-01-08 01:05   4583936              c:\windows\Installer\2c28645.msp
+ 2012-02-13 07:44 . 2012-03-21 03:50   13087636              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1866074403-788936854-74266964-1000-8192.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{E5C66DD8-308B-4a4f-AF0A-3D04F25B5343}]
2010-11-21 03:24   297808   ----a-w-   c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-01-17 232616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-15 136176]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-15 136176]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1306010.008\SYMDS64.SYS

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1306010.008\SYMEFA64.SYS

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120317.002\BHDrvx64.sys [2012-03-02 1157240]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1306010.008\ccSetx64.sys

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120320.002\IDSvia64.sys [2012-03-06 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1306010.008\Ironx64.SYS

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1306010.008\SYMNETS.SYS

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-06-09 264008]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.6.1.8\ccSvcHst.exe [2012-01-17 138232]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE

S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2011-05-05 1128952]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-13 138360]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-15 22:32]
.
2012-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-15 22:32]
.
2012-03-18 c:\windows\Tasks\HPCeeScheduleForjacobi678.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-25 168216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-25 391960]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-25 418584]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\jacobi678\AppData\Roaming\Mozilla\Firefox\Profiles\azgatbp3.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL - hxxp://blekko.com/?source=c6125cca&tbp=url&toolbarid=blekkotb_001&u=___userid___&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: extentions.y2layers.installId - f345d036-dd66-4a32-b9e3-08c109616990
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,dropdowndeals,buzzdock,toprelatedtopics,twittube,ezlooker
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WinPatrol Explorer - c:\program files (x86)\BillP Studios\WinPatrol\WinPatrolEx.exe
WebBrowser-{977AE9CC-AF83-45E8-9E03-E2798216E2D5} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.6.1.8\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.6.1.8\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
.
**************************************************************************
.
Completion time: 2012-03-20  22:53:39 - machine was rebooted
ComboFix-quarantined-files.txt  2012-03-21 03:53
ComboFix2.txt  2012-03-19 15:12
.
Pre-Run: 947,119,824,896 bytes free
Post-Run: 947,229,106,176 bytes free
.
- - End Of File - - A006EAA1D11AA793BAFADACA08A35B96

Offline zep516

Re: add & remove items
« Reply #23 on: March 21, 2012, 10:48:57 AM »
Hi Corrine,

I'd like to add to that too. I ran ComboFix last night for a school exercise. ComboFix had no deletions and I did not expect any; however, when ComboFix finished there were a few items on the desktop that would not open, Firefox, IE, OTL, just to name a few. I also received the error below when trying to open many items on the desktop:

Quote
Illegal operation attempted on a registry key that has been marked for deletion.

I did not want to reboot, just in case they were marked for deletion at that time. I ended up doing a system restore. I will mention this to my instructor also.

Joe
You're only as safe as your last update.

Corrine (Administrator)
Re: add & remove items
« Reply #24 on: March 21, 2012, 12:42:44 PM »
Microsoft explains Illegal operation attempted on a Registry key which has been marked for deletion. as "A Registry key has been marked for deletion and still have open handles."  The solution is to restart or launch Task Manager and restart explorer.exe.

johnson55, please answer the question I asked. 

Quote
Where did you download WinPatrol from?  From the MBAM log, it doesn't appear that it was from http://www.winpatrol.com/download.html.

Is WinPatrol working correctly?  What about the initial slowness? 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

johnson55
Re: add & remove items
« Reply #25 on: March 21, 2012, 02:01:06 PM »
Corrine,
I got rid of WinPatrol as soon as you mentioned downloading from another source.
I'll get it from the WinPatrol home page.
My computer really has hardly been used since I got it. Surprised to have to
do this to a new computer. HP probably makes a little money with advertising.
Computer hyperlinks are slow to retaliate. I still miss the ease of XP.
My old computer with only 512 MB of memory is almost as good as this Windows 7 one.
Thank you and others for your help and comments; I've had a good education
on all of this. johnson55

Corrine (Administrator)
Re: add & remove items
« Reply #26 on: March 21, 2012, 04:18:53 PM »
Hi, johnson55.

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


You can also remove DDS.  Should you need help in the future, you can always download it again.

Yes, OEM vendors such as HP do get a lot of revenue by including ad-supported programs.  If all the games that are installed on the computer came from HP and you don't want them or other HP add-ons, you can certainly uninstall them. 

I do not know if it is still the case, but I know that there were many people who had problems with Norton on Windows 7. Those issues may have been fixed. Another point: if the Norton license is for a limited time, be sure to pay attention to the expiration date (although you'll likely receive "nag notices" :) ).

Should you decide to replace Norton, Microsoft Security Essentials plus the Windows 7 firewall work quite nicely.  If you prefer a licensed antivirus solution, I have found ESET to "play nicely" with Windows 7.

You have Malwarebytes installed on your new computer.  I suggest you update and run a quick scan every week or two.  If you're looking for a licensed anti-malware program, MBAM Pro is a good investment.

I noticed you are very good at creating a System Restore point before making changes to your computer.  That is a very wise thing to do.

I recently located this old article by fellow MVP Andre Da Costa for someone else.  It may be helpful in getting adjusted to Windows 7:  For the ‘former’ Windows XP User – Welcome to Windows 7! | Teching It Easy: with Windows.

Another place you'll want to be sure to check is this Microsoft Windows 7 website:  Windows 7 Help & How-to - Microsoft Windows

Of course, you are most welcome to stop by here and ask questions.

