My friend's desktop has aggressive popups wanting to "help" him with a virus which is obviously the virus itself.
They will allow Nothing to run, including any legitimate AV scans or the most basic of programs.
There is an icon that looks like a fat white ring with a green stone in the lower right corner that lists as wnufalguerb.exe that I do not recognize.
It -notifies- me that "... Files are infected. Do you want to activate your antivirus software now ?"
Anytime that I try to run Anything at all, I get at least one similar popup, usually more.
"The file XXX infected. Do you want to activate your antivirus software now?"
Occasionally it identifies itself as Antivirus Software Alert with an icon that looks somewhat similar to AVG (but does not open AVG) and says "...internet virus...could be a password-stealing attack, a trojan dropper or similar....".
Occasionally it identifies itself as Windows Security Alert with the green gem but usually is just a gray info box.
I had to boot it in Safe Mode and use a thumb drive of goodies freshly gathered on my computer just to get scans to post here.
Even then, Root Repeal had some sort of problem. Device Control error, error dumping SSDT, & "Could not read the Registry. Warning, the SSD in our driver has been faked".
I forgot to run a HJT but the posting instructions didn't ask for one.
I have done absolutely nothing to it yet. Not even remove old versions of Java or do any updates.
Where shall we start ?
Feel free to give me several steps at once.
Thanks,
Carol
CHECKUP
Results of screen317's Security Check version 0.99.8 "
Windows 7 (UAC is enabled)
Inter~et Explorer28
``````````````````````````````
Antivirus/Firewall Check:
Windows Security0Center service ys not running! This report may not be accurate!_/b]$
EVG Free 9.0
WMI entry may not(exist for antivirus; attempting automatic update.
`````````d```````q```````p`````
Anti-malware/Other Utilities Check:[?b]
Java(TM) 6 Upeate"17 `
[j]Out of date Java installed%[/color]
Adore Flash0Player 10.1.102.64
Adobe$Realer 9.3
_ut of dqte Adobe Reader installed![/color]
Mozilla Fyrefx (3.6.12) [r]Firefox Out of0Date![/r]
```r```````````q```d````````````
Procuss Wheck:
objlist.exe!by Oaurent[?u] �
``````````End ov Log```q````````
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2011/01/26 11:40
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP0
==================================================
SSDT
-------------------
SYSENTER/INT2E Hooked [0x81e89320]!
==EOF==
Logfile of random's system information tool 1.08 (written by random/random)
Run by joe ferr at 2011-01-26 11:31:44
Microsoft Windows 7 Home Premium
System drive C: has 240 GB (83%) free of 290 GB
Total RAM: 3037 MB (89% free)
HijackThis download failed
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{164d3751-cac6-4a6d-becd-ea67df61d232}]
Updater For Comcast Toolbar 3.5 - C:\Program Files\comcasttb\auxi\comcastAu.dll [2010-07-29 259584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-11-25 1623392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}]
Comcast Toolbar - C:\Program Files\comcasttb\comcastdx.dll [2010-07-15 87512]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-10-06 2475336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2010-04-16 1067872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-10-06 2475336]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2010-04-16 1067872]
{79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - Comcast Toolbar - C:\Program Files\comcasttb\comcastdx.dll [2010-07-15 87512]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [2009-05-23 7514656]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2009-07-12 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2009-07-12 174104]
"Persistence"=C:\Windows\system32\igfxpers.exe [2009-07-12 150552]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2009-06-04 186904]
"PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2009-06-24 140520]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-11-25 2069344]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-18 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-07-21 141608]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"edmmbxfq"=C:\Users\JOEFER~1\AppData\Local\Temp\xfigetehx\wnufalguerb.exe [2011-01-22 318976]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2009-07-03 215552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
======List of files/folders created in the last 1 months======
2011-01-26 11:31:45 ----D---- C:\Program Files\trend micro
2011-01-26 11:31:44 ----D---- C:\rsit
2011-01-26 11:26:52 ----D---- C:\2011 OnLine Scans
2011-01-26 11:26:47 ----D---- C:\2011 OnLine Scans -
2011-01-26 11:20:16 ----A---- C:\Windows\ntbtlog.txt
2011-01-26 06:45:17 ----D---- C:\2011 - Logs
2011-01-26 06:41:06 ----D---- C:\2011 Utilities
2011-01-26 06:40:50 ----D---- C:\2011 AA AV
2011-01-26 06:40:28 ----D---- C:\Users\joe ferr\AppData\Roaming\CyberLink
2011-01-20 20:44:10 ----D---- C:\Users\joe ferr\AppData\Roaming\Mozilla
2011-01-20 07:20:50 ----D---- C:\Users\joe ferr\AppData\Roaming\Adobe
2011-01-14 03:00:49 ----SHD---- C:\Config.Msi
2011-01-13 16:24:42 ----A---- C:\Windows\system32\odbc32.dll
2011-01-13 16:24:39 ----A---- C:\Windows\system32\DWrite.dll
2011-01-13 16:24:39 ----A---- C:\Windows\system32\d3d10warp.dll
2011-01-13 16:24:39 ----A---- C:\Windows\system32\d2d1.dll
2011-01-13 16:24:38 ----A---- C:\Windows\system32\XpsPrint.dll
2011-01-13 16:24:38 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2011-01-13 16:24:38 ----A---- C:\Windows\system32\mf.dll
2011-01-13 16:24:38 ----A---- C:\Windows\system32\FntCache.dll
2011-01-13 16:24:38 ----A---- C:\Windows\system32\drivers\dxgkrnl.sys
2011-01-13 16:24:37 ----A---- C:\Windows\system32\XpsRasterService.dll
2011-01-13 16:24:37 ----A---- C:\Windows\system32\WMVDECOD.DLL
2011-01-13 16:24:37 ----A---- C:\Windows\system32\mfreadwrite.dll
2011-01-13 16:24:37 ----A---- C:\Windows\system32\ExplorerFrame.dll
2011-01-13 16:24:37 ----A---- C:\Windows\system32\drivers\dxgmms1.sys
2011-01-13 16:24:37 ----A---- C:\Windows\system32\d3d10_1core.dll
2011-01-13 16:24:37 ----A---- C:\Windows\system32\cdd.dll
2011-01-13 16:24:36 ----A---- C:\Windows\system32\d3d10_1.dll
======List of files/folders modified in the last 1 months======
2011-01-26 11:31:45 ----RD---- C:\Program Files
2011-01-26 11:28:21 ----D---- C:\Windows\System32
2011-01-26 11:28:21 ----D---- C:\Windows\inf
2011-01-26 11:28:21 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-01-26 11:28:16 ----SD---- C:\Users\joe ferr\AppData\Roaming\Microsoft
2011-01-26 11:20:16 ----D---- C:\Windows
2011-01-26 06:56:21 ----D---- C:\Windows\Prefetch
2011-01-26 06:55:14 ----D---- C:\Windows\Temp
2011-01-22 17:45:33 ----D---- C:\Windows\system32\config
2011-01-22 17:41:19 ----D---- C:\Windows\system32\drivers\Avg
2011-01-22 17:39:17 ----D---- C:\Windows\system32\Tasks
2011-01-14 03:17:25 ----D---- C:\Windows\winsxs
2011-01-14 03:17:03 ----D---- C:\Program Files\Microsoft Silverlight
2011-01-14 03:16:16 ----D---- C:\Windows\system32\drivers
2011-01-14 03:01:05 ----SHD---- C:\Windows\Installer
2011-01-14 03:01:04 ----D---- C:\ProgramData\Microsoft Help
2011-01-14 03:00:27 ----SHD---- C:\System Volume Information
2011-01-13 16:24:32 ----D---- C:\Windows\system32\catroot
2011-01-13 16:24:31 ----D---- C:\Windows\system32\catroot2
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 iaStor;Intel AHCI Controller; C:\Windows\system32\DRIVERS\iaStor.sys [2009-06-04 330264]
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2009-07-09 45200]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-13 173648]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
S1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2010-06-02 29584]
S1 AvgTdiX;AVG Free Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\Windows\system32\DRIVERS\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 fssfltr;FssFltr; C:\Windows\system32\DRIVERS\fssfltr.sys [2010-04-28 54632]
S3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2009-07-03 5922816]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2009-05-23 2361952]
S3 JRAID;JRAID; C:\Windows\system32\DRIVERS\jraid.sys [2009-05-21 89048]
S3 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-13 12368]
S3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 sisagp;SIS AGP Bus Filter; C:\Windows\system32\DRIVERS\sisagp.sys [2009-07-13 52304]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2010-04-19 41984]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-13 35840]
S3 viaagp;VIA AGP Bus Filter; C:\Windows\system32\DRIVERS\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUsb.sys [2009-07-13 34944]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
S2 AERTFilters;Andrea RT Filters Service; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 AntiSpywareService;Comcast AntiSpyware; C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-06-10 144176]
S2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2009-02-20 30312]
S2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-05-18 345376]
S2 Brother XP spl Service;BrSplService; C:\Windows\system32\brsvc01a.exe [2004-06-14 57344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2009-06-04 354840]
S2 ITMRTSVC;CA Pest Patrol Realtime Protection Service; C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe [2007-09-26 283912]
S2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2010-02-20 72704]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service; C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-10-06 517448]
S3 fsssvc;Windows Live Family Safety Service; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2010-04-28 704872]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-07-21 540968]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2009-01-16 74392]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
-----------------EOF-----------------
info.txt logfile of random's system information tool 1.08 2011-01-26 11:31:47
======Uninstall list======
.EMBroidery-->C:\Windows\uninst.exe -fC:\EMBWin\DeIsL1.isu
-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
Acrobat.com-->msiexec /qb /x {6421F085-1FAA-DE13-D02A-CFB412C522A4}
Acrobat.com-->MsiExec.exe /I{6421F085-1FAA-DE13-D02A-CFB412C522A4}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\FlashUtil10l_Plugin.exe -maintain plugin
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS2-->msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe Reader 9.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apple Application Support-->MsiExec.exe /I{B2D328BE-45AD-4D92-96F9-2151490A203E}
Apple Mobile Device Support-->MsiExec.exe /I{85991ED2-010C-4930-96FA-52F43C2CE98A}
Apple Software Update-->MsiExec.exe /I{C41300B9-185D-475E-BFEC-39EF732F19B1}
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
Bonjour-->MsiExec.exe /X{0CB9668D-F979-4F31-B8B8-67FE90F929F8}
Business Contact Manager for Outlook 2007 SP2-->"C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
Business Contact Manager for Outlook 2007 SP2-->MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
CA Pest Patrol Realtime Protection-->MsiExec.exe /X{F05A5232-CE5E-4274-AB27-44EB8105898D}
CoatsEDV-->MsiExec.exe /I{C8E2DEF5-DFC3-4515-B4A7-AC73D38C7B64}
Comcast Toolbar 3.5-->C:\Program Files\comcasttb\uninstall.exe
Dell Backup and Recovery Manager-->MsiExec.exe /I{731B0E4D-F4C7-450C-95B0-E1A3176B1C75}
Dell Edoc Viewer-->MsiExec.exe /I{3138EAD3-700B-4A10-B617-B3F8096EE30D}
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)-->C:\Windows\SQL9_KB970892_ENU\Hotfix.exe /Uninstall
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel(R) TV Wizard-->C:\Windows\system32\TVWizudlg.exe -uninstall
IntelĀ® Matrix Storage Manager-->C:\Program Files\Intel\Intel Matrix Storage Manager\Uninstall\imsmudlg.exe -uninstall
Intuit SiteBuilder-->C:\Users\JF\Desktop\Intuit\SiteBuilder\hkuninst.exe -path C:\Users\JF\Desktop\Intuit\SiteBuilder
iTunes-->MsiExec.exe /I{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Junk Mail filter update-->MsiExec.exe /I{8E5233E1-7495-44FB-8DEB-4BE906D59619}
jZip-->C:\PROGRA~1\jZip\UNWISE.EXE /U C:\PROGRA~1\jZip\INSTALL.LOG
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies-->MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0122-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall SMALLBUSINESSR /dll OSETUP.DLL
Microsoft Office Small Business 2007-->MsiExec.exe /X{91120000-00CA-0000-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components-->MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Search Enhancement Pack-->MsiExec.exe /I{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual J# 2.0 Redistributable Package-->C:\Windows\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Mozilla Firefox (3.6.12)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
PowerDVD DX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -l0x9 -cluninstall
QuickBooks Premier Edition 2003-->C:\Program Files\Installshield Installation Information\{237a4b24-78c4-11d6-a394-00104bd190b1}\QBReplace.exe {237a4b24-78c4-11d6-a394-00104bd190b1}#{AD46C591-FB19-11D5-A316-00104BD190B1}
QuickTime-->MsiExec.exe /I{3D9892BB-A751-4E48-ADC8-E4289956CE1D}
Realtek High Definition Audio Driver-->C:\Program Files\Realtek\Audio\HDA\RtlUpd.exe -r -m -nrg2709
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE 10.3-->C:\ProgramData\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE 10.3-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SAGE Online-->MsiExec.exe /X{A310CA85-AACA-11D5-91C4-00A0CC5BB661}
Security Update for 2007 Microsoft Office System (KB2288621)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {5C497F0B-2061-4CC9-A61C-6B45B867354D}
Security Update for 2007 Microsoft Office System (KB2288931)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {CD769337-C8AC-46DB-A7DC-643E50089263}
Security Update for 2007 Microsoft Office System (KB2289158)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {210B16C0-CEBD-4DE9-B474-04A7E8735E16}
Security Update for 2007 Microsoft Office System (KB2344875)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {6FC5C4C1-D7AE-44C3-94B7-6424FC3E752F}
Security Update for 2007 Microsoft Office System (KB2345043)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {536FB502-775F-4494-BACE-C02CC90B7A5B}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for Microsoft Office Excel 2007 (KB2345035)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {B23002DD-34EC-4988-B810-A5E2A0BF04F1}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {3DED0A62-44C8-4E00-A785-5212F297A9D9}
Security Update for Microsoft Office Publisher 2007 (KB2284697)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {3A4CDE54-2403-483D-8D9A-15E3264410DF}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91100000-00CA-0000-0000-0000000FF1CE} /uninctall {71127%77-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB2344993)-->msiexec /package k91120000-00CA-0 00-0000-0000000FF1CE} /uninstall {7A5B74FA-7A92)4FC9-821A-2@D5D0E73E48}
Update for 2007 Microsoft Office Sqstem (KB967642)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CA} /uninbtall {C$44285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Micbosoft Office 2007 Hdlp dor �ommon Features KB96367#)-->msiexec /packaga {90120000-006E-040)-0000-0 00000FF1CE} /uninstall {AB325881-0395-4FAD-B702-CA5985D%3D42}
Epdate for Microsoft Office Excel 20 7 Help (KB96367()--.msiexec /package {9 120 00-0016-0409-00 0-00000 0FF1CE} /uninstall i199DF7B6-16(C-408C-B511-1054101BE9C)}
Apdate for Microsoft Offhce Lutlook "007 (KB"412171)-->msiexec /`ackage j91120000-00CA-0000-0000%0000000FF1C�} /dninctal {7%2A0B7C-BD24-4362-AC 6-AB63FDE6F�6F}
Update for Microsoft Office Oudlooj 20 7 HAlp (KB9�3677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Outlook 2007 Junk Email Filter (KB2483110)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {592B47F5-D305-431A-9781-ED6CBB44FA8B}
Windows Live Call-->MsiExec.exe /I{E6158D07-2637-4ECF-B576-37C489669174}
Windows Live Communications Platform-->MsiExec.exe /I{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}
Windows Live Family Safety-->MsiExec.exe /X{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}
Windows Live Movie Maker-->MsiExec.exe /X{9F479685-180E-4C05-9400-D59292A1B29C}
Windows Live Photo Gallery-->MsiExec.exe /X{EE39FFBD-544E-49E4-A999-6819828EAE91}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{B10914FD-8812-47A4-85A1-50FCDE7F1F33}
Windows Live Toolbar-->MsiExec.exe /X{1BD07DF4-FB06-41BA-B896-B2DA59000C96}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}
WinZip 14.5-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
======System event log======
Computer Name: JF-PC
Event Code: 1014
Message: Name resolution for the name isatap.patriotplastics.com timed out after none of the configured DNS servers responded.
Record Number: 1536
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100131202148.730872-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: JF-PC
Event Code: 11
Message: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Record Number: 1522
Source Name: Microsoft-Windows-Wininit
Time Written: 20100131202133.817246-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: JF-PC
Event Code: 1014
Message: Name resolution for the name isatap.patriotplastics.com timed out after none of the configured DNS servers responded.
Record Number: 1434
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100131202018.537279-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: JF-PC
Event Code: 11
Message: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Record Number: 1410
Source Name: Microsoft-Windows-Wininit
Time Written: 20100131202000.004446-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: JF-PC
Event Code: 7011
Message: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Norton Internet Security service.
Record Number: 1141
Source Name: Service Control Manager
Time Written: 20100131182348.931680-000
Event Type: Error
User:
=====Application event log=====
Computer Name: JF-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-4167064011-2287867627-3421243339-1004:
Process 540 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Record Number: 928
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20100131194123.451995-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: JF-PC
Event Code: 3036
Message: The content source <mapi://{S-1-5-21-4167064011-2287867627-3421243339-1004}/> cannot be accessed.
Context: Application, SystemIndex Catalog
Details:
No protocol handler is available. Install a protocol handler that can process this URL type. (HRESULT : 0x80040d37) (0x80040d37)
Record Number: 916
Source Name: Microsoft-Windows-Search
Time Written: 20100131193053.000000-000
Event Type: Warning
User:
Computer Name: JF-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
205 user registry handles leaked from \Registry\User\S-1-5-21-4167064011-2287867627-3421243339-1004:
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 3516 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Process 2700 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 2700 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Record Number: 841
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20100131182443.752249-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: JF-PC
Event Code: 10010
Message: Application 'C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\8BACC656\16.7.0.30\InstStub.exe' (pid 1344) cannot be restarted - Application SID does not match Conductor SID..
Record Number: 834
Source Name: Microsoft-Windows-RestartManager
Time Written: 20100131182410.664923-000
Event Type: Warning
User: JF-PC\JF
Computer Name: JF-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-4167064011-2287867627-3421243339-1004:
Process 488 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-4167064011-2287867627-3421243339-1004
Record Number: 752
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20100131160818.194478-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
=====Security event log=====
Computer Name: JF-PC
Event Code: 1100
Message: The event logging service has shut down.
Record Number: 258
Source Name: Microsoft-Windows-Eventlog
Time Written: 20100131160819.083679-000
Event Type: Audit Success
User:
Computer Name: JF-PC
Event Code: 4647
Message: User initiated logoff:
Subject:
Security ID: S-1-5-21-4167064011-2287867627-3421243339-1004
Account Name: JF
Account Domain: JF-PC
Logon ID: 0x6a728
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Record Number: 257
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100131160818.147678-000
Event Type: Audit Success
User:
Computer Name: JF-PC
Event Code: 4672
Message: Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 256
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100131160756.911582-000
Event Type: Audit Success
User:
Computer Name: JF-PC
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: DBHQNHK1$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x218
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 255
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100131160756.911582-000
Event Type: Audit Success
User:
Computer Name: JF-PC
Event Code: 1102
Message: The audit log was cleared.
Subject:
Security ID: S-1-5-21-4167064011-2287867627-3421243339-1004
Account Name: JF
Domain Name: JF-PC
Logon ID: 0x69394
Record Number: 254
Source Name: Microsoft-Windows-Eventlog
Time Written: 20100131160747.816766-000
Event Type: Audit Success
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\jZip;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=2
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=MINIMAL
-----------------EOF-----------------
XXXXXX
Hi, Carol.
Your friend has quite a mess (but at least no AAW ;) ).
Please download rkill from one of the following links and save to your Desktop:
One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com),Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif)
- Double-click rkill to run.
- A command window will open then disappear upon completion, this is normal.
- Please leave rkill on the Desktop until otherwise advised.
- Do NOT restart your computer after running rkill as the malware program(s) will start again.
Notes: If you you receive security warnings about rkill, please ignore and allow the download to continue. Since MBAM is not installed on the computer, it will be necessary to run rkill again in order to run MBAM.
Please download
Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware and
Launch Malwarebytes' Anti-Malware - Click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, be sure Quick scan is selected, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FMBAM_SR.png&hash=38adbab18bc0003ecf543fafb564e34dadece253) - Click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Please post contents of that file in your next reply.
** Note **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click
OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Gathered programs on Thumb.
Booted to Safe Mode.
Ran rkill from desktop / saved log.
Ran MBAM from desktop. (Could not update but it was only 37 days old)
Quick scanned, Found 3 (none in System Restore), Chose to remove. / saved Log.
Restarted per MBAM request.
Restart to normal showed just as many notifications and popups as before / no difference. :(
Something nasty is still on it.
Control panel, uninstalled programs AVG & Bonjour. Seemed successful.
AppRemover was bombarded by popups which usually stopped it but despite that, a few times it seemed like it might have started to run but never looked like it did much else.
Task Manager & Paint won't run due to popups stopping it.
HJT prevented from installing.
MSE & latest updates awaiting an opportunity to install.
I can, however, look at files with windows explorer.
Sigh
Carol
xxxxxxx
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 01/26/2011 at 22:52:52.
Operating System: Windows 7 Home Premium
Processes terminated by Rkill or while it was running:
Rkill completed on 01/26/2011 at 22:52:53.
xxxxxxx
1/26/2011 11:06:16 PM
mbam-log-2011-01-26 (23-06-16).txt
Scan type: Quick scan
Objects scanned: 153391
Time elapsed: 2 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\JF\AppData\Local\Temp\0.6345747546323995.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\Users\JF\AppData\Local\Temp\0.6404524095177484.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\joe ferr\AppData\Local\Temp\0.5816106735231465.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
xxxxxxx
Hi, Carol.
Since AVG has been removed, let's see what ComboFix can do.
Please follow these instructions carefully.Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
!!! IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html).
Now, please run ComboFix:
- Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
- Double-click ComboFix.exe on your desktop and follow the prompts.
- As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
- When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)
- After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)
- Click "Yes" to continue scanning for malware.
- When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Ran ComboFix . . .
ComboFix 11-01-27.02 - joe ferr 01/27/2011 20:14:33.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3037.2288 [GMT -5:00]
Running from: c:\2011 aa av\ComboFix from bleeping\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\JF\AppData\Roaming\asdfasfas.bat
c:\users\JF\AppData\Roaming\completescan_pal
c:\users\JF\AppData\Roaming\install_pal
c:\users\JF\AppData\Roaming\palladium.exe
c:\users\JF\AppData\Roaming\uid_pal
.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.
2011-01-28 01:10 . 2011-01-28 01:13 -------- d-----w- C:\32788R22FWJFW
2011-01-28 00:48 . 2011-01-28 00:48 388096 ----a-r- c:\users\joe ferr\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-27 04:20 . 2011-01-27 04:20 -------- d-----w- c:\users\joe ferr\AppData\Local\Apple
2011-01-27 03:57 . 2011-01-27 03:57 -------- d-----w- c:\users\joe ferr\AppData\Roaming\Malwarebytes
2011-01-27 03:57 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-27 03:57 . 2011-01-27 03:57 -------- d-----w- c:\programdata\Malwarebytes
2011-01-27 03:57 . 2011-01-27 03:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-27 03:57 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-27 03:47 . 2011-01-27 03:50 -------- d-----w- C:\2011 addl
2011-01-27 03:46 . 2011-01-27 03:46 -------- d-----w- C:\2011 addl-
2011-01-26 16:31 . 2011-01-28 00:48 -------- d-----w- c:\program files\trend micro
2011-01-26 16:31 . 2011-01-26 16:31 -------- d-----w- C:\rsit
2011-01-26 16:26 . 2011-01-26 16:26 -------- d-----w- C:\2011 OnLine Scans
2011-01-26 16:26 . 2011-01-26 16:26 -------- d-----w- C:\2011 OnLine Scans -
2011-01-26 11:45 . 2011-01-28 00:53 -------- d-----w- C:\2011 - Logs
2011-01-26 11:41 . 2011-01-26 11:41 -------- d-----w- C:\2011 Utilities
2011-01-26 11:40 . 2011-01-28 00:43 -------- d-----w- C:\2011 AA AV
2011-01-26 11:40 . 2011-01-26 11:40 -------- d-----w- c:\users\joe ferr\AppData\Roaming\CyberLink
2011-01-21 01:44 . 2011-01-21 01:44 -------- d-----w- c:\users\joe ferr\AppData\Local\Mozilla
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-04 05:52 . 2010-12-15 12:41 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48 . 2010-12-15 12:41 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41 . 2010-12-15 12:41 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08 . 2010-12-15 12:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41 . 2010-12-15 12:41 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40 . 2010-12-15 12:41 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40 . 2010-12-15 12:41 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39 . 2010-12-15 12:41 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34 . 2010-12-15 12:41 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34 . 2010-12-15 12:41 179712 ----a-w- c:\windows\system32\schtasks.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{164d3751-cac6-4a6d-becd-ea67df61d232}]
2010-07-29 13:10 259584 ----a-w- c:\program files\comcasttb\auxi\comcastAu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-23 7514656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-12 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-12 150552]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
c:\users\JF\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-3 651264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:8992
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\joe ferr\AppData\Roaming\Mozilla\Firefox\Profiles\s2sl5kum.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(536)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
Completion time: 2011-01-27 20:17:57
ComboFix-quarantined-files.txt 2011-01-28 01:17
Pre-Run: 251,945,168,896 bytes free
Post-Run: 252,564,570,112 bytes free
- - End Of File - - FDA2AE276FD650E42924DEC33D3BC078
- ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~
... and ran a HJT after the ComboFix
HJT complains that it is denied access to write to the hosts file and therefore I may have to make any changes to the hosts file myself
. . .even when I un-readonly and unhide it before I run HJT. I don't know why it complains about that - . . . and doesn't fix things. Even minor ones like annoying toolbars.
I had tried to pluck a few annoying Toolbars off with HJT but they seem be to be stuck on like glue.
When it's "fixed", there are some things I would like taken off.
FYI: This one had a MVPS Hosts file from a few years ago and I had it Read only and Hidden.
It looked like it was still safe and I put a fresh one on anyway.
- ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~ - ~
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:23:56 PM, on 1/27/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8992
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Updater For Comcast Toolbar 3.5 - {164d3751-cac6-4a6d-becd-ea67df61d232} - C:\Program Files\comcasttb\auxi\comcastAu.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMgBRAEcAUgAtAFMAWAAwAEsARwAtAEcAMABOAFYAQQAtAEIAQQBCADYAOAAtAEQARgBUAFQAUAA"&"inst=NwA3AC0ANAA0ADMAMwA1ADQAMgA2ADIALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgA"&"prod=90"&"ver=9.0.872
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 6914 bytes
xxxxxx
Hi, Carol.
Did you create these folders?
C:\2011 addl
C:\2011 addl-
C:\2011 OnLine Scans
C:\2011 OnLine Scans -
C:\2011 - Logs
C:\2011 Utilities
C:\2011 AA AV
With Windows Vista and Windows 7, you need to run HJT as Administrator for access to the HOSTS file information. To edit the HOSTS file on Windows 7, it is necessary to first click on Start, type in Notepad and then right-click on Notepad and choose Run as Administrator. (Read more in http://securitygarden.blogspot.com/2010/12/how-to-block-new-fast-flux-botnet.html#ixzz1CIKdHovt which shows how easy it is to edit the HOSTS file with WinPatrol.) The most recent HOSTS file is at http://www.mvps.org/winhelp2002/hosts.txt
QuoteI had tried to pluck a few annoying Toolbars off with HJT but they seem be to be stuck on like glue.
When it's "fixed", there are some things I would like taken off.
Let me know what you want taken off. I may be able to include it in ComboFix instrutions.
Yes I created all of those just recently for this project.
They are tools like TFC RSIT MBAM MSE RKILL ERUNT . . .
that I have been asked, or knew I would be asked to download and moved to a desktop when I need then.
Also, Logs created to be posted here.
I am only giving internet access to these computers when necessary while working on them.
I figure the less internet access and use in general, the less opportunity for some of these bugs to re-download, clone, or self repair.
They are too sluggish to want to use anyway. I bring the logs to my trusty steed to post from there.
I gather the tools from my trusty steed also.
I shift to & fro with my thumbdrive (which has been getting scanned a lot lately).
In my "spare time" I have been gathering utilities like Firefox, Adobe, JavaRa, Java . . ..
I know that most or all of these are old and should be updated for safety & security at least, ...if I get time.
I have not yet had cause to manually edit the host file.
I asked HJT to, but it didn't seem to want to.
I looked at, removed and replaced the Hosts file with a good fresh one, without any trouble.
I did not know that that I had to do that to manually edit Hosts now.
Thank you very much.
That would have eventually frustrated me.
I will read up on it.
Whilst working on these, I was hoping to remove:
BetZip, Viewpoint, Windows Messenger, (Viewpoint & Windows Messenger can be stinkers)
Google Toolbar, Yahoo toolbar, Windows Live toolbar, Comcast toolbar, AVG toolbar, . . .
How about we kill all the toolbars
and let him get just one new one from scratch if he really wants.
They are easy to get but can be hard to get rid of. Then nasty ones can sneak in there without notice.
Any online poker stuff if you see any. I was pleasantly surprised not to.
Perhaps any Norton/Symantec fragments from 2004 you might notice but that isn't truly a big worry.
wnufalguerb-exe seemed to be the name of the weird green gem icon that gives some of the nag popups
so that one does worry me.
BetZip, Viewpoint, Windows Messenger and all the toolbars mostly.
Those would be great, thanks.
Carol
Hi, Carol.
Although wnufalguerb.exe didn't show up in the ComboFix log, it was in a previous log, so I'll add it in, just to be thorough, although I expect it was removed with the rest of the mess. I'm not seeing either BetZip or Viewpoint in the logs. There should be uninstallers for the toolbars but I've included them in the script.
AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll
Comcast Toolbar - C:\Program Files\comcasttb\comcastdx.dll
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8992 Custom CFScript
Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"edmmbxfq"=-
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
O2 - BHO: Updater For Comcast Toolbar 3.5 - {164d3751-cac6-4a6d-becd-ea67df61d232} -
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} -
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} -
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} -
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
Folder::
C:\Users\JOEFER~1\AppData\Local\Temp\xfigetehx
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
I noticed a Windows Defender that seems to turned off.
It has a brick wall icon somewhat similar to the problem icon of before.
Perhaps not the same. Dunno.
Either way it isn't something I'm planning on using and I don't just want it there to cause a problem.
It does not show in control panel/ remove programs list but does have it's own listing in control panel -but without the option to remove it. Only to turn off or on.
I can't delete it manually, not even in Safe Mode, or even with HJT/tools/delete file on reboot.
It's permissions are Read-Only unless I am some phantom user called TrustedInstAller.
Who is TrustedInstAller?
And how can I get rid of Windows Defender?
HJT still complains "your system denied write access to the Hosts file" (with an unprotected Hosts file, I checked)
A re-run shows that it did remove the HKCU\Software... Registry entry.
(I would have done it myself if I had to)
But why is it saying that ?
My Hosts got blanked out - replaced again, ReadOnly& hidden.
I can't run Msconfig.
It says "illegal operation on a registry key marked for deletion"
This is after HJT's restart so I have no idea what's up with that.
That's gonna have to get fixed. I need my Msconfig.
Ran ComboFix with custom CFScript.
Log follows:
ComboFix 11-01-25.03 - joe ferr 01/28/2011 21:42:09.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3037.2376 [GMT -5:00]
Running from: c:\users\joe ferr\Desktop\ComboFix.exe
Command switches used :: c:\users\joe ferr\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))
.
2011-01-29 02:44 . 2011-01-29 02:44 -------- d-----w- c:\users\JF\AppData\Local\temp
2011-01-29 02:44 . 2011-01-29 02:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-29 01:56 . 2011-01-29 01:56 -------- d-----w- C:\1-28-2011 Desktop links-
2011-01-28 01:17 . 2011-01-29 02:44 -------- d-----w- c:\users\joe ferr\AppData\Local\temp
2011-01-28 00:48 . 2011-01-28 00:48 388096 ----a-r- c:\users\joe ferr\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-27 04:20 . 2011-01-27 04:20 -------- d-----w- c:\users\joe ferr\AppData\Local\Apple
2011-01-27 03:57 . 2011-01-27 03:57 -------- d-----w- c:\users\joe ferr\AppData\Roaming\Malwarebytes
2011-01-27 03:57 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-27 03:57 . 2011-01-27 03:57 -------- d-----w- c:\programdata\Malwarebytes
2011-01-27 03:57 . 2011-01-27 03:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-27 03:57 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-27 03:47 . 2011-01-27 03:50 -------- d-----w- C:\2011 addl
2011-01-27 03:46 . 2011-01-27 03:46 -------- d-----w- C:\2011 addl-
2011-01-26 16:31 . 2011-01-28 00:48 -------- d-----w- c:\program files\trend micro
2011-01-26 16:31 . 2011-01-26 16:31 -------- d-----w- C:\rsit
2011-01-26 16:26 . 2011-01-26 16:26 -------- d-----w- C:\2011 OnLine Scans
2011-01-26 16:26 . 2011-01-29 01:57 -------- d-----w- C:\2011 OnLine Scans -
2011-01-26 11:45 . 2011-01-28 00:53 -------- d-----w- C:\2011 - Logs
2011-01-26 11:41 . 2011-01-26 11:41 -------- d-----w- C:\2011 Utilities
2011-01-26 11:40 . 2011-01-28 00:43 -------- d-----w- C:\2011 AA AV
2011-01-26 11:40 . 2011-01-26 11:40 -------- d-----w- c:\users\joe ferr\AppData\Roaming\CyberLink
2011-01-21 01:44 . 2011-01-21 01:44 -------- d-----w- c:\users\joe ferr\AppData\Local\Mozilla
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-04 05:52 . 2010-12-15 12:41 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48 . 2010-12-15 12:41 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41 . 2010-12-15 12:41 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08 . 2010-12-15 12:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41 . 2010-12-15 12:41 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40 . 2010-12-15 12:41 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40 . 2010-12-15 12:41 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39 . 2010-12-15 12:41 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34 . 2010-12-15 12:41 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34 . 2010-12-15 12:41 179712 ----a-w- c:\windows\system32\schtasks.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-23 7514656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-12 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-12 150552]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
c:\users\JF\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-3 651264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath - c:\users\joe ferr\AppData\Roaming\Mozilla\Firefox\Profiles\s2sl5kum.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
Completion time: 2011-01-28 21:45:10
ComboFix-quarantined-files.txt 2011-01-29 02:45
ComboFix2.txt 2011-01-28 02:15
ComboFix3.txt 2011-01-28 01:17
Pre-Run: 252,991,422,464 bytes free
Post-Run: 252,943,888,384 bytes free
- - End Of File - - 9FE91BD93C5007D5552FCA2DFFE25CC5
xxxxxx
Hi, Carol.
Let's start with MSConfig. The System Configuration Utility (the proper name for MSConfig) is a troubleshooting tool and changes made in msconfig really should not be used to make permanent changes. From http://windows.microsoft.com/en-US/windows-vista/Run-Selective-Startup-using-System-Configuration
QuoteSystem Configuration is intended to find and isolate problems, but it is not meant as a startup management program. To permanently remove or turn off programs or services that run at startup,
In addition,
never use MSConfig to force Safeboot if the system is infected with malware. Some types of malware can delete or alter the Safeboot key in the registry. This results in the inability to reboot into safe mode or back to normal mode. Using the /Safeboot option on the Boot.ini tab to force safe mode when the F8 key does not work, could have disastrous results. The Safeboot option modifies the Boot.ini file and can result in being locked in a continuous reboot loop, unable to return to MSConfig to undo the selection.
If you want to troubleshoot start-up programs, use WinPatrol.
As to HJT and the HOSTS file, your friend has a Windows 7 operating system. Running HJT as Admin will allow the display of the HOSTS file in logs but, as I said previously, to edit the HOSTS file on Windows 7, it is necessary to first click on Start, type in Notepad and then right-click on Notepad and choose Run as Administrator. Each time ComboFix is run, it will create a new restore point and clear the HOSTS file so please leave it until we are finished. Then you can update the HOSTS file as indicated previously.
The anti-spyware engine of Windows Defender is incorporated in MSE. Thus, installing MSE deactivates Windows Defender. Windows Defender is included in Windows 7. Do not uninstall it. Just leave it deactivated. If MSE is removed at some future date, Windows Defender can then be reactivated.
Trusted Installer was incorporated in Windows Vista and is in Windows 7
QuoteThe Trusted Installer is actually a service, not a user, even though you see permissions granted to it all over the file system. Service hardening allows each service to be treated as a full-fledged security principal that can be assigned permissions just like any other user.
More at http://technet.microsoft.com/en-us/magazine/2007.06.acl.aspx and http://technet.microsoft.com/en-us/magazine/2007.01.securitywatch.aspx
How is the computer running now?
Corrine,
Forced Safeboot, no no. Besides F8 was working fine and I haven't needed it lately anyway.
I was going into MSConfig to see if Windows Defender was set to run and possibly disable it. That's all.
However, it does seriously distress me that I CAN'T get into it. MSConfig is a must-have regardless of how rarely used.
I guess I'll keep Windows Defender, so long as it's deactivated. I can't have some whatever AntiVirus program running at the same time as another one.
TrustedInstaller is interesting and sure seems to work well.
It's disappointing that my 650 page Windows 7 Administrator's Pocket Consultant does not have an entry for Trusted Installer in it's index. Not so handy as I thought it might be. I had tried to look it up and I just checked again. No mistake. It's not there. Your links are good though, Thanks.
How it's running?...
Well I don't see popups and it it's no turtle.
- -When it looks clean, I'd still like to run a slew more scans to make sure any scraps are gone before I send it away. Also, do some updating or replacing with current version of some basics.
...but alas, a quick check of using Firefox, ...and Calculator, & Paint & Solitare & HJT... & probably anything....
gets a box everytime that says
"illegal operation on a registry key that has been marked for deletion"
and nothing runs.
That ain't good.
Do I have some pending request placed by HJT hanging around that it simply will never do for me ?
The whole gotta do Hosts by hand thing.
Is this perhaps the -registry key that has been marked for deletion- ? and isn't this just a pain in the tush.
I might have placed a check in something harmless in HJT but the only actual "registry" entry (HKCU... etc) that I ever checked was the one you said to (and a re-run showed it NOT mentioned again so it must have done it)
Thanks,
Carol
After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." Shutdown/restart the computer and the error should disappear.
What do you mean you can't get into MSConfig? Please explain. If typing msconfig in the search box when you click the start orb doesn't bring up MSConfig.exe, look in C:\Windows\System32. (Personally, I have no use for MSConfig and have never used it on any computer since Windows 95. I use WinPatrol to manage Start-up Programs, Services, ActiveX, hidden files . . . )
On Windows 7, you would go to the Action Center and expand the section on Security. Click on "View installed antispyware programs" and it should show Windows Defender as being off.
What do you mean, "do the HOSTS file by hand"? HJT was never intended as a HOSTS file manager and has only had very minor updates since Merijn sold it to TrendMicro. If you don't like running Notepad as Admin to modify the HOSTS file, use WinPatrol. Since you mentioned previously using MVPS HOSTS file, see the instructions for Windows 7 at http://www.mvps.org/winhelp2002/hostswin7.htm . You may also want to try HostsXpert for managing the HOSTS File: http://www.funkytoad.com/index.php?option=com_content&view=article&id=13&Itemid=31
I use MSConfig from the run box and run always goes straight to it the rare times I use it.
Actually don't sweat the MSConfig (I was).
It's not a MSConfig thing at all, it was an everything thing.
Quotea quick check of using Firefox, ...and Calculator, & Paint & Solitare & HJT... & probably anything....
gets a box everytime that says
"illegal operation on a registry key that has been marked for deletion"
and nothing runs.
I was mistaken about it being restarted.
A restart got rid of all of that. It all runs.
So well that I put MSE (& Definition Updates) on, thusly turning off Windows defender (verified was on but now off),
and I should never have to deal with it again (on either computer).
MSE Quick scan good, 5 or 10 minutes.
Full MSE scan in progress (both computers).
I usually do major adds to Hosts with notepad (by hand), then just put a whole new copy on -but I know it has to be run as Admin now, thanks. I have a personal list of stinkers and I like to add anything that ever succeeded in a hijack to the standard fresh hosts from MVPS.
HJT will have be a mainly informational resource for me but still insightful.
It looks like WinPatrol might come in handy. I'll get that later. I haven't had to clean in ages. I must have enough protection on my trusty steed. It stays clean enough to eat off of (and more importantly pay bills with).
Anyway no popups now on this one and it might be on the downhill slide.
Where shall this one go next?
Anything, anything at all, that I can scan with (either one) ? Feel free to list.
Root repeal never ran successfully on this one. Should I try that again ?
I don't think that AppRemover ever ran successfully on this one either, unless it's real quiet like.
(I checked my thread and I write it All down.)
Then let me know when I should work on (either one ) ...old/new versions of basics, obnoxious, excessive and potentially problem toolbars, Viewpoint & Windows Messenger off, fresh & locked hosts, Windows updates, overdue SP3s, ...
Hi, Carol.
First, please do the following to implement cleanup procedures and also to reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=combofix%40live%2ecom&item_name=ComboFix&no_shipping=0&no_note=1&tax=0¤cy_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8).
MVPS HOSTS File: Mike Burgess doesn't merely add to the HOSTS file. The sites listed are regularly retested. As a result, sites no longer live are removed. If you wish to continue with your personal list, that is just fine. However, it seems a bit of an exercise.
You can remove RootRepeal and AppRemover from the computer (as well as the folders you created).
Viewpoint media player and toolbar was identified as adware and was (is?) distributed with AOL and other software. Whether it still is or not, I don't know as I have not seen it in some time. If you wish to block it, I guess it is back to your customized HOSTS file because it is no longer in MVPS HOSTS but is included in hpHOSTS, managed by Steve Burn. See http://hosts-file.net/?s=209.73.249.108&view=matches
The first Service Pack for Windows 7 has not been released yet, although it is expected to be released fairly soon. I do not recommend hitting computers with every scanner known to man. It is unnecessary. With Windows 7, the firewall is very good. Make sure it is turned on. The computer has a good antivirus software that works well with Windows 7.
Make sure UAC is on -- the Default setting is fine. Since your friend is not good about keeping updated, set Windows Update to automatic. I also suggest you install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to ensure third-party software is kept updated.
As you probably have figured out, my favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html It can be used to update the HOSTS file, warn if changes are made to the HOSTS and other critical system files, lock file types, control start up programs, IE Add-ons, and more.
MSE off
Ran ComboFix /Uninstall
MSE back on
Firewall is on
UAC is on.
A standard MVPS Hosts on for now. (Readonly)
Removing tools & logs...
Getting Secunia....
Is there any other scanning or anything I can do to be sure this is ok?
How many ways I can block/disable/even root out or remove windows messenger ?
I know a few but it has been known to come back if I don't get them all.
(Scotty works great. I think I'll get the deluxe one for my computer)
Quote from: Blue55 on January 31, 2011, 08:44:29 AM
Is there any other scanning or anything I can do to be sure this is ok?
No, Carol, unless you plan on doing a clean install.
Quote from: Blue55 on January 31, 2011, 10:33:31 AM
How many ways I can block/disable/even root out or remove windows messenger ?
I know a few but it has been known to come back if I don't get them all.
(Scotty works great. I think I'll get the deluxe one for my computer)
Love Scotty. :)
Carol, this is a Windows 7 computer. The Windows Messenger Service was on Windows XP and Windows 2000. It was removed from Windows Vista and Windows 7.
If you are referring to the Windows Live Essentials programs, including Windows Live Messenger, that is up to the owner whether he wants it installed.