PuP and a trogen or two

Started by Ghost, July 04, 2014, 12:34:41 AM

Ghost

Hi Corrine,
Here is the DDS log. I also went to bleepingcomputer and under the startup tab I was able to uncheck about 6 programs that were not needed to start up during boot.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16555
Run by cnb at 18:57:35 on 2014-07-05
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2045.1189 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\ATT\8.3.1.7\ma\bin\MAHostService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATT\8.3.1.7\ma\bin\node.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Avira\My Avira\Avira.OE.ServiceHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.trovi.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M1B52F44A-EEDC-4C55-9B76-069578255C70&SearchSource=55&CUI=&UM=6&UP=SPF1F0919D-34CC-4CB4-A709-1F4F63F9367B&SSPV=
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\codecp~1.lnk - c:\windows\system32\c2mp\UpdateChecker.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{7FCBFC45-6EEB-4E43-A54F-3225DD83B3E9} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{B670FA13-C5A2-461D-9EA4-0C232DD05A5A} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{DC7670FE-66EF-4269-B6C9-BEDFE4E47CEB} : DHCPNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs= c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\35.0.1916.153\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2014-7-4 37352]
R2 {2E444BE9-B8EC-4CE6-8C2B-6536FB7F4FB7};Power Control [2013/09/24 23:53:29];c:\program files\dell\mediadirect\000.fcl [2008-2-6 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-2-6 73728]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2014-7-4 430160]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2014-7-4 430160]
R2 ATT MAHostService;ATT MAHostService;c:\program files\att\8.3.1.7\ma\bin\MAHostService.exe [2013-8-26 321024]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2014-7-4 97648]
R2 Avira.OE.ServiceHost;Avira Service Host;c:\program files\avira\my avira\Avira.OE.ServiceHost.exe [2014-6-30 138832]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-8-9 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 CltMngSvc;Search Protect Service;c:\progra~1\searchprotect\main\bin\cltmngsvc.exe --> c:\progra~1\searchprotect\main\bin\CltMngSvc.exe [?]
S3 GamesAppIntegrationService;GamesAppIntegrationService;c:\program files\wildtangent games\app\GamesAppIntegrationService.exe [2014-4-24 227904]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2014-4-24 203344]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-2-6 29744]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-07-05 00:26:18   --------   d-----w-   c:\program files\ESET
2014-07-04 23:27:01   --------   d-sh--w-   C:\$RECYCLE.BIN
2014-07-04 23:23:01   --------   d-----w-   c:\users\cnb\appdata\local\temp
2014-07-04 22:43:28   --------   d-----w-   c:\programdata\BlueStacks
2014-07-04 18:49:37   98816   ----a-w-   c:\windows\sed.exe
2014-07-04 18:49:37   256000   ----a-w-   c:\windows\PEV.exe
2014-07-04 18:49:37   208896   ----a-w-   c:\windows\MBR.exe
2014-07-04 15:53:44   --------   d-----w-   c:\users\cnb\appdata\roaming\Avira
2014-07-04 15:49:07   37352   ----a-w-   c:\windows\system32\drivers\avkmgr.sys
2014-07-04 15:49:06   97648   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2014-07-04 15:28:38   --------   d-----w-   c:\program files\Avira
2014-07-04 15:28:35   --------   d-----w-   c:\programdata\Avira
2014-07-04 15:28:18   --------   d-----w-   c:\programdata\Package Cache
2014-07-04 14:39:10   32768   ----a-w-   c:\windows\system32\drivers\sp_rsdrv2.sys
2014-07-04 12:16:31   --------   d-----w-   c:\windows\Migration
2014-07-04 03:52:47   536576   ----a-w-   c:\windows\system32\sqlite3.dll
2014-07-04 03:52:18   --------   d-----w-   C:\AdwCleaner
2014-07-04 03:47:48   --------   d-----w-   c:\windows\ERUNT
2014-07-04 02:41:46   --------   d-----w-   c:\program files\VS Revo Group
2014-07-04 00:46:26   --------   d-----w-   c:\windows\pss
2014-07-03 22:27:57   110296   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-03 22:27:35   74456   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2014-07-03 22:27:35   51928   ----a-w-   c:\windows\system32\drivers\mwac.sys
2014-07-03 22:27:35   23256   ----a-w-   c:\windows\system32\drivers\mbam.sys
2014-07-03 22:27:35   --------   d-----w-   c:\programdata\Malwarebytes
2014-07-03 22:27:35   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware
2014-07-03 18:08:10   --------   d-----w-   c:\program files\Power Defrag
2014-07-03 18:03:13   502784   ----a-w-   c:\windows\system32\usp10.dll
2014-07-03 18:03:04   905664   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2014-07-03 18:02:58   1401344   ----a-w-   c:\windows\system32\msxml6.dll
2014-07-03 18:02:57   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2014-07-03 17:58:24   8140904   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{8a0e6dcd-6089-431e-9c84-885b433fc970}\mpengine.dll
2014-07-03 16:40:34   --------   d-----w-   c:\users\cnb\appdata\local\Mozilla
2014-07-03 16:28:56   --------   d-----w-   c:\program files\CCleaner
.
==================== Find3M  ====================
.
2014-07-04 03:02:34   71344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-04 03:02:34   699056   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2014-06-24 13:09:38   632656   ----a-w-   c:\windows\system32\msvcr80.dll
2014-06-24 13:09:38   554832   ----a-w-   c:\windows\system32\msvcp80.dll
2014-06-24 13:09:38   479232   ----a-w-   c:\windows\system32\msvcm80.dll
2014-05-28 16:39:36   1810432   ----a-w-   c:\windows\system32\jscript9.dll
2014-05-28 16:32:59   1129472   ----a-w-   c:\windows\system32\wininet.dll
2014-05-28 16:32:25   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2014-05-28 16:30:53   421376   ----a-w-   c:\windows\system32\vbscript.dll
2014-05-28 16:30:53   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2014-05-28 16:29:31   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2014-05-28 16:29:27   11776   ----a-w-   c:\windows\system32\mshta.exe
.
============= FINISH: 18:58:18.53 ===============

thanks,
Ghost
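As an added example (not code from this thread, nor from DDS or ComboFix), the script below parses the autostart lines of a DDS "Pseudo HJT Report" like the one above into records and flags the items a reviewer should look at before deciding what goes into a removal script: a non-default browser start page, a leftover uninstaller RunOnce, UAC disabled via EnableLUA, a populated AppInit_DLLs value, and autostart entries that belong to a security product and must not be removed. The sample input is constructed from the log lines quoted above; DEFAULT_START_HOSTS and SECURITY_PATH_HINTS are illustrative lists chosen for this example.

```python
"""Triage helper for the autostart section of a DDS "Pseudo HJT Report".

Added example, not part of the thread. Parses Run/RunOnce/StartupFolder/
Policies/start-page lines and flags what a reviewer should check before
writing a removal script.
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the DDS lines posted above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.trovi.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&SearchSource=55
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-System: EnableLUA = dword:0
AppInit_DLLs= c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
""".strip()

# DDS prefixes: u = current user hive, m = machine hive, d = default-user hive.
SCOPES = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}

# Illustrative allowlist of vendor default start pages (assumption for this example).
DEFAULT_START_HOSTS = {"www.msn.com", "go.microsoft.com", "www.google.com"}

# Path fragments that identify security-product components (assumption for this example).
SECURITY_PATH_HINTS = ("\\avira\\", "\\malwarebytes", "\\windows defender")

RUN_RE = re.compile(r"^(?P<hive>[umd])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?\.lnk) - (?P<target>.+)$")
POLICY_RE = re.compile(r"^(?P<hive>[um])Policies-(?P<area>\w+): (?P<name>\w+) = dword:(?P<val>[0-9a-fA-F]+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs=\s*(?P<dlls>.*)$")
STARTPAGE_RE = re.compile(r"^uStart Page = (?P<url>\S+)$")


@dataclass
class AutostartEntry:
    scope: str        # e.g. "HKLM\Run" or "StartupFolder (all users)"
    name: str         # registry value name or .lnk file name
    command: str      # what gets launched
    protected: bool   # True when the target belongs to a security product


@dataclass
class Finding:
    kind: str
    detail: str


def is_security_product(command: str) -> bool:
    low = command.lower()
    return any(hint in low for hint in SECURITY_PATH_HINTS)


def parse_report(text: str):
    """Return (entries, findings) for the autostart lines in a DDS report."""
    entries, findings = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := RUN_RE.match(line):
            cmd = m["cmd"]
            scope = f"{SCOPES[m['hive']]}\\{m['key']}"
            entries.append(AutostartEntry(scope, m["name"], cmd, is_security_product(cmd)))
            # A RunOnce that only deletes a directory is an uninstaller leftover.
            if m["key"] == "RunOnce" and cmd.lower().startswith("rmdir"):
                findings.append(Finding("runonce_cleanup", f"{m['name']}: {cmd}"))
        elif m := STARTUP_RE.match(line):
            lnk, target = m["lnk"], m["target"]
            all_users = "progra~2" in lnk.lower() or "programdata" in lnk.lower()
            scope = "StartupFolder (all users)" if all_users else "StartupFolder (user)"
            entries.append(AutostartEntry(scope, ntpath.basename(lnk), target, is_security_product(target)))
        elif m := POLICY_RE.match(line):
            # EnableLUA = 0 means User Account Control is switched off.
            if m["name"] == "EnableLUA" and int(m["val"], 16) == 0:
                findings.append(Finding("uac_disabled", f"{SCOPES[m['hive']]} {m['area']} EnableLUA = 0"))
        elif m := APPINIT_RE.match(line):
            # Any DLL listed here is loaded into every process that links user32.
            if m["dlls"].strip():
                findings.append(Finding("appinit_dll", m["dlls"].strip()))
        elif m := STARTPAGE_RE.match(line):
            host = urlsplit(m["url"].replace("hxxp", "http", 1)).hostname or ""
            if host not in DEFAULT_START_HOSTS:
                findings.append(Finding("start_page", host))
    return entries, findings


def review_removal_list(entries, names):
    """Return the proposed names that belong to a security product and should stay."""
    by_name = {e.name.lower(): e for e in entries}
    return [n for n in names if n.lower() in by_name and by_name[n.lower()].protected]


if __name__ == "__main__":
    found, flagged = parse_report(SAMPLE_LOG)
    for e in found:
        print(f"{'KEEP ' if e.protected else '     '}{e.scope:28} {e.name:24} {e.command}")
    for f in flagged:
        print(f"FLAG {f.kind:16} {f.detail}")
    print("Do not remove:", review_removal_list(found, ["NvSvc", "avgnt", "quickset.lnk"]))
```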

Corrine

Hi, Ghost.

Ok, based on our, so to speak, "off site" discussion about using WinPatrol to manage start up programs, the list of items to be removed has been mainly limited to "user's choice" with items that are identified as "not required" being selected.  For the benefit of others reading this topic, information about using WinPatrol for managing start up programs is available at Start Up Programs: Remove, Add, Disable.

Now, back to the issue at hand -- to remove the not required items as well as one stubborn "Search Protect" file. 

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
DDS::
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\codecp~1.lnk - c:\windows\system32\c2mp\UpdateChecker.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Ghost

Hi Corrine ;-),
Here is the ComboFix log:
ComboFix 14-07-07.01 - cnb 07/07/2014  16:58:15.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2045.989 [GMT -4:00]
Running from: c:\users\cnb\Desktop\ComboFix.exe
Command switches used :: c:\users\cnb\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe
c:\progra~2\micros~1\windows\startm~1\programs\startup\codecp~1.lnk
c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk
c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk
c:\program files\avira\antivir desktop\avgnt.exe
c:\program files\common files\installshield\updateservice\issch.exe
c:\program files\dell\mediadirect\PCMService.exe
c:\program files\dell\quickset\quickset.exe
c:\program files\setpoint\SetPoint.exe
c:\users\cnb\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\windows\system32\c2mp\UpdateChecker.exe
c:\windows\system32\NvCpl.dll
c:\windows\system32\nvHotkey.dll
c:\windows\system32\nvsvc.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-07 to 2014-07-07  )))))))))))))))))))))))))))))))
.
.
2014-07-07 21:07 . 2014-07-07 21:11   --------   d-----w-   c:\users\cnb\AppData\Local\temp
2014-07-07 21:07 . 2014-07-07 21:07   --------   d-----w-   c:\users\Default\AppData\Local\temp
2014-07-05 00:26 . 2014-07-05 00:26   --------   d-----w-   c:\program files\ESET
2014-07-04 22:43 . 2014-07-04 22:43   --------   d-----w-   c:\programdata\BlueStacks
2014-07-04 15:53 . 2014-07-04 15:53   --------   d-----w-   c:\users\cnb\AppData\Roaming\Avira
2014-07-04 15:49 . 2014-06-25 00:39   37352   ----a-w-   c:\windows\system32\drivers\avkmgr.sys
2014-07-04 15:49 . 2014-06-25 00:39   97648   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2014-07-04 15:49 . 2014-06-25 00:39   136216   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2014-07-04 15:28 . 2014-07-04 15:48   --------   d-----w-   c:\program files\Avira
2014-07-04 15:28 . 2014-07-04 15:48   --------   d-----w-   c:\programdata\Avira
2014-07-04 15:28 . 2014-07-04 15:28   --------   d-----w-   c:\programdata\Package Cache
2014-07-04 14:39 . 2011-06-21 15:24   32768   ----a-w-   c:\windows\system32\drivers\sp_rsdrv2.sys
2014-07-04 12:16 . 2014-07-04 12:16   --------   d-----w-   c:\windows\Migration
2014-07-04 03:52 . 2014-07-04 04:00   --------   d-----w-   C:\AdwCleaner
2014-07-04 03:47 . 2014-07-04 03:47   --------   d-----w-   c:\windows\ERUNT
2014-07-04 02:41 . 2014-07-04 02:41   --------   d-----w-   c:\program files\VS Revo Group
2014-07-03 22:27 . 2014-07-04 22:32   110296   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-03 22:27 . 2014-07-03 22:27   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware
2014-07-03 22:27 . 2014-07-03 22:27   --------   d-----w-   c:\programdata\Malwarebytes
2014-07-03 22:27 . 2014-05-12 11:55   51928   ----a-w-   c:\windows\system32\drivers\mwac.sys
2014-07-03 22:27 . 2014-05-12 11:54   74456   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2014-07-03 22:27 . 2014-05-12 11:54   23256   ----a-w-   c:\windows\system32\drivers\mbam.sys
2014-07-03 18:08 . 2014-07-03 18:11   --------   d-----w-   c:\program files\Power Defrag
2014-07-03 18:07 . 2014-07-03 18:07   --------   d-----w-   c:\program files\7-Zip
2014-07-03 18:03 . 2014-04-05 02:42   905664   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2014-07-03 17:58 . 2014-06-17 06:57   8140904   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{8A0E6DCD-6089-431E-9C84-885B433FC970}\mpengine.dll
2014-07-03 17:34 . 2014-07-03 17:34   --------   d-----w-   c:\programdata\WindowsSearch
2014-07-03 16:40 . 2014-07-03 16:40   --------   d-----w-   c:\users\cnb\AppData\Local\Mozilla
2014-07-03 16:28 . 2014-07-03 16:29   --------   d-----w-   c:\program files\CCleaner
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-04 03:02 . 2013-09-15 03:23   699056   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2014-07-04 03:02 . 2012-02-12 16:42   71344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2014-06-24 13:09 . 2013-09-25 04:36   479232   ----a-w-   c:\windows\system32\msvcm80.dll
2014-06-24 13:09 . 2008-03-01 07:04   632656   ----a-w-   c:\windows\system32\msvcr80.dll
2014-06-24 13:09 . 2008-03-01 07:04   554832   ----a-w-   c:\windows\system32\msvcp80.dll
2014-05-28 16:39 . 2014-07-03 18:00   1810432   ----a-w-   c:\windows\system32\jscript9.dll
2014-05-28 16:32 . 2014-07-03 18:00   1129472   ----a-w-   c:\windows\system32\wininet.dll
2014-05-28 16:32 . 2014-07-03 18:00   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2014-05-28 16:30 . 2014-07-03 18:00   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2014-05-28 16:30 . 2014-07-03 18:00   421376   ----a-w-   c:\windows\system32\vbscript.dll
2014-05-28 16:29 . 2014-07-03 18:00   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2014-05-28 16:29 . 2014-07-03 18:00   11776   ----a-w-   c:\windows\system32\mshta.exe
2014-04-26 16:01 . 2014-07-03 18:03   502784   ----a-w-   c:\windows\system32\usp10.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"="rmdir" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-6 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^cnb^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Severe Weather Alerts.lnk]
path=c:\users\cnb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Severe Weather Alerts.lnk
backup=c:\windows\pss\Severe Weather Alerts.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2014-05-08 13:48   959904   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27   159744   ----a-w-   c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avira Systray]
2014-06-30 16:08   187984   ----a-w-   c:\program files\Avira\My Avira\Avira.OE.Systray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
2007-10-11 15:49   465136   ----a-w-   c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-10 00:57   16384   ----a-w-   c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03   17920   ----a-w-   c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-08-30 11:03   29744   ----a-w-   c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24   54840   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 21:31   80896   ----a-w-   c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 05:24   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2014-01-22 17:05   106496   ----a-w-   c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-25 09:13   81920   ----a-w-   c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 07:59   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-09-28 04:54   405504   ----a-w-   c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-02-06 11:10   68856   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-28 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   REG_MULTI_SZ      BthServ
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
HPService   REG_MULTI_SZ      HPSLPSVC
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-07-03 21:48   1091912   ----a-w-   c:\program files\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-15 03:02]
.
2014-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 04:03]
.
2014-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 04:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trovi.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M1B52F44A-EEDC-4C55-9B76-069578255C70&SearchSource=55&CUI=&UM=6&UP=SPF1F0919D-34CC-4CB4-A709-1F4F63F9367B&SSPV=
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
.
.
**************************************************************************
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{2E444BE9-B8EC-4CE6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\Dell\MediaDirect\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3072)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\ATT\8.3.1.7\ma\bin\MAHostService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATT\8.3.1.7\ma\bin\node.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Avira\My Avira\Avira.OE.ServiceHost.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2014-07-07  17:17:04 - machine was rebooted
ComboFix-quarantined-files.txt  2014-07-07 21:17
ComboFix2.txt  2014-07-04 23:34
ComboFix3.txt  2014-07-04 19:12
.
Pre-Run: 205,309,652,992 bytes free
Post-Run: 204,540,710,912 bytes free
.
- - End Of File - - BD8DE6270B8E9A46D2CE8ED50D3D0C2D
5C616939100B85E558DA92B899A0FC36

thanks,
Ghost

Corrine

Hi, Ghost.

Thanks for the log which shows that I was concentrating too much on those "user's choice" items and didn't remove two important lines from the script.  Sorry, Ghost, I'm going to need you to restore a couple files from Quarantine so that Avira will work correctly from the notification icon.

Please post a copy of C:\Qoobox\Quarantine\Registry_backups


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Ghost

here is the C:\Qoobox\Quarantine\Registry_backups log

Ghost

Hi Corrine,
here is the C:\Qoobox\Quarantine\Registry_backups listing you requested:
2014-07-07 23:30:42 . 2014-07-07 23:30:42              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Wdf01000.sys.reg.dat
2014-07-07 21:15:59 . 2014-07-07 21:15:59              896 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-avgnt.reg.dat
2014-07-07 21:15:50 . 2014-07-07 21:15:50              153 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-avgnt.reg.dat
2014-07-04 23:28:27 . 2014-06-30 16:08:10           49,744 ----a-w-  C:\Qoobox\Quarantine\C\Users\cnb\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll.vir
2014-07-04 23:22:10 . 2014-07-04 23:22:10            1,892 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_{3b232d24-d5de-4194-b4d7-d53b41a09748}t.reg.dat
2014-07-04 23:22:10 . 2014-07-04 23:22:10            1,472 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Legacy_{3b232d24-d5de-4194-b4d7-d53b41a09748}t.reg.dat
2014-07-04 23:11:04 . 2014-07-07 23:19:44                0 ----a-w-  C:\Qoobox\Quarantine\catchme.txt
2014-07-04 19:11:44 . 2014-07-04 19:11:44              608 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-The Weather Channel Desktop 6.reg.dat
2014-07-04 19:11:44 . 2014-07-04 19:11:44              772 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-SearchProtect.reg.dat
2014-07-04 19:11:33 . 2014-07-04 19:11:33              902 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-PMCLoader.reg.dat
2014-07-04 19:11:32 . 2014-07-04 19:11:32              914 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DW6.reg.dat
2014-07-04 19:11:32 . 2014-07-04 19:11:32              534 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfRd.reg.dat
2014-07-04 19:11:32 . 2014-07-04 19:11:32              534 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-WudfPf.reg.dat
2014-07-04 18:56:28 . 2014-07-04 18:56:28            1,360 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_pcCMService.reg.dat
2014-07-04 18:56:05 . 2014-07-07 23:26:01            9,134 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2014-07-04 18:51:17 . 2014-07-07 23:19:42              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2014-07-04 18:49:33 . 2014-07-07 23:19:43              268 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2014-07-04 15:49:06 . 2014-06-25 00:39:06          750,160 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\Avira\AntiVir Desktop\avgnt.exe.vir
2014-07-04 15:30:30 . 2014-07-04 15:32:24            4,830 ----a-w-  C:\Qoobox\Quarantine\C\Users\cnb\AppData\Local\SearchProtect\SearchProtect\rep\Cvc.dat.vir
2014-07-04 14:33:59 . 2014-07-04 14:33:59            1,948 ----a-w-  C:\Qoobox\Quarantine\C\Users\cnb\AppData\Local\SearchProtect\SearchProtect\rep\UserSettings.dat.vir
2014-07-04 14:33:54 . 2014-07-04 16:42:59            5,278 ----a-w-  C:\Qoobox\Quarantine\C\Users\cnb\AppData\Local\SearchProtect\UI\rep\UIRepository.dat.vir
2014-07-04 14:33:52 . 2014-07-04 19:00:53          133,534 ----a-w-  C:\Qoobox\Quarantine\C\Users\cnb\AppData\Local\SearchProtect\SearchProtect\rep\UserRepository.dat.vir
2014-07-04 14:33:08 . 2014-07-04 14:51:28            9,038 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\Main\rep\SystemRepository.dat.vir
2014-07-03 16:26:07 . 2014-06-27 21:50:10           55,232 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\drivers\{3b232d24-d5de-4194-b4d7-d53b41a09748}t.sys.vir
2014-06-26 09:30:04 . 2014-06-26 09:30:04        1,743,680 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\SearchProtect\bin\SPTool64.exe.vir
2014-06-26 09:30:04 . 2014-06-26 09:30:04          182,080 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll.vir
2014-06-26 09:30:04 . 2014-06-26 09:30:04        3,376,960 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\SearchProtect\bin\SPVC64.dll.vir
2014-06-26 09:30:04 . 2014-06-26 09:30:04          220,992 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\SearchProtect\bin\SPVC64Loader.dll.vir
2014-06-26 09:30:04 . 2014-06-26 09:30:04        3,214,144 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\bin\cltmngui.exe.vir
2014-06-26 09:05:26 . 2014-06-26 09:05:26            3,304 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\libs\SPDialogAPI.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           30,153 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\EULA.txt.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            8,030 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\settings.html.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            7,233 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\style.css.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,810 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\bubble\bubble.css.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,220 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\bubble\bubble.html.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            2,353 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\bubble\bubble.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              189 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\bubble\defaults.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            2,240 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\Apply-default.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            2,328 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\Apply-onclick.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            2,348 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\Apply-Rollover.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           11,390 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\bg-uninstall.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           35,253 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\bg-with-logo.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           31,085 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\bg.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            9,918 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\bgNotif.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           12,299 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\bgSettings.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            9,198 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\bgSettingsDS.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           16,798 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\bgUninstall.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,256 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\btnBlue.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              933 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\btnClose.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,065 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\btnSilver.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,364 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\button-bg.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              378 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\checkbox.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              360 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\checkbox_checked.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              274 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\checkbox_def.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,264 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\close-win-def.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,405 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\close-win-over-click.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            2,993 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\gray-bg.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,038 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\hez-def.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,049 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\hez-selected.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              256 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\hez.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,339 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\icon-win.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              424 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\info-icon.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,014 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\menu-rollover.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            3,264 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\menu-selected.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,553 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\radio-button-def.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,715 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\radio-button-selected.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              859 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\radio-button.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              886 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\radio-button2.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,257 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\Settings-icon.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,198 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\text-field.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,214 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\v.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,332 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\Images\x.png.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              983 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\libs\defaults.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,909 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\libs\dialogUtils.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           93,868 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            2,780 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\libs\json2.min.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           10,183 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\libs\main.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              862 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protection\defaults.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            4,223 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protection\protection.css.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            3,023 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protection\protection.html.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            4,762 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protection\protection.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54              287 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protectionDS\defaults.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            3,578 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protectionDS\protectionDS.css.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,254 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protectionDS\protectionDS.html.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            3,645 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\protectionDS\protectionDS.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,298 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\settings\defaults.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            8,098 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\settings\settings.css.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           12,472 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\settings\settings.html.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54           11,919 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\settings\settings.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            1,196 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\uninstall\defaults.js.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            5,128 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\uninstall\uninstall.css.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            5,144 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\uninstall\uninstall.html.vir
2014-06-26 09:01:54 . 2014-06-26 09:01:54            5,359 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\UI\dialogs\uninstall\uninstall.js.vir
2014-06-24 14:15:10 . 2014-06-24 14:15:10        1,581,872 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\5113\nsib.dll.vir
2014-06-24 14:15:08 . 2014-06-24 14:15:08          640,304 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\dnkt.exe.vir
2014-06-24 14:09:10 . 2014-06-24 14:09:10           27,136 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\ImHttpComm.dll.vir
2014-06-24 14:09:10 . 2014-06-24 14:09:10           27,136 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\5113\ImHttpComm.dll.vir
2014-06-24 13:09:40 . 2014-06-24 13:09:40          421,200 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\msvcp100.dll.vir
2014-06-24 13:09:40 . 2014-06-24 13:09:40          773,968 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\msvcr100.dll.vir
2014-06-24 13:09:40 . 2014-06-24 13:09:40          421,200 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\5113\msvcp100.dll.vir
2014-06-24 13:09:40 . 2014-06-24 13:09:40          773,968 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\mjcm\5113\msvcr100.dll.vir
2013-09-25 04:37:49 . 2013-09-25 04:37:49            1,710 ----a-w-  C:\Qoobox\Quarantine\C\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\codecp~1.lnk.vir
2013-09-02 02:23:22 . 2013-09-02 02:23:22           48,248 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\C2MP\UpdateChecker.exe.vir
2012-09-24 00:43:54 . 2012-09-24 00:43:54              472 ----a-w-  C:\Qoobox\Quarantine\C\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744BA0000000010\11.0.0\eula.ini.vir
2012-09-24 00:43:50 . 2012-09-24 00:43:50            1,046 ----a-w-  C:\Qoobox\Quarantine\C\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744BA0000000010\11.0.0\eula.ini2.vir
2009-04-07 04:15:23 . 2014-07-04 16:43:04            2,429 ----a-w-  C:\Qoobox\Quarantine\C\Users\cnb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LaunchU3.exe.lnk.vir
2008-11-04 07:36:31 . 2008-11-04 07:36:31            1,690 ----a-w-  C:\Qoobox\Quarantine\C\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\logite~1.lnk.vir
2008-02-06 18:16:12 . 2007-06-25 09:13:18           86,016 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\nvsvc.dll.vir
2008-02-06 18:16:12 . 2007-06-25 09:13:14           67,584 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\nvHotkey.dll.vir
2008-02-06 18:16:09 . 2007-06-25 09:13:06        8,433,664 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\NvCpl.dll.vir
2008-02-06 11:12:04 . 2008-10-21 02:43:30          184,320 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\Dell\MediaDirect\PCMService.exe.vir
2008-02-06 10:55:50 . 2008-05-02 07:44:08          805,392 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SetPoint\SetPoint.exe.vir
2008-02-06 10:53:11 . 2008-02-06 10:53:11            1,929 ----a-w-  C:\Qoobox\Quarantine\C\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\quickset.lnk.vir
2007-07-21 00:13:26 . 2007-07-21 00:13:26        1,180,952 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\Dell\QuickSet\quickset.exe.vir
2006-10-03 17:37:04 . 2006-10-03 17:37:04           81,920 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\issch.exe.vir
2006-10-03 17:35:42 . 2006-10-03 17:35:42          221,184 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe.vir

thanks,
Ghost

Corrine

Thank you, Ghost. 

We'll do this in two steps.

1.  Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:

DeQuarantine::
C:\Qoobox\Quarantine\c:\program files\avira\antivir desktop\avgnt.exe
C:\Qoobox\Quarantine\c:\users\cnb\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll

Quit::


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2.  Next, we'll retrieve the registry entries.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

@echo off
regedit "C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-avgnt.reg.dat"
regedit "C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-avgnt.reg.dat"
del %0


Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:
Double-click on fix.bat to run it and choose Yes to merge/add it to the registry.

Restart the computer and let me know if Avira is working correctly now.


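The two-step recovery described in the post above (a DeQuarantine:: block for the files, then regedit for the saved .reg.dat backups) can be planned directly from the ComboFix-quarantined-files listing posted earlier in the thread. The Python script below is an added example and is not part of this thread, of ComboFix or of DelFix: it parses that listing format, separates Registry_backups entries from quarantined file copies (the .vir entries), recovers each file's original location from its quarantine path, and for a product keyword such as avgnt emits a CFScript block and a fix.bat in the same form used in the post. The sample lines are a constructed subset of the listing Ghost posted; that the path reconstruction (C:\Qoobox\Quarantine\C\... back to C:\...) holds for every entry is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

QUAR_ROOT = r"C:\Qoobox\Quarantine"

# Constructed sample in the format of the ComboFix-quarantined-files listing
# posted in the thread; only a handful of its lines are reproduced here.
SAMPLE_LISTING = r"""
2014-07-07 21:15:59 . 2014-07-07 21:15:59              896 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-avgnt.reg.dat
2014-07-07 21:15:50 . 2014-07-07 21:15:50              153 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-avgnt.reg.dat
2014-07-04 23:28:27 . 2014-06-30 16:08:10           49,744 ----a-w-  C:\Qoobox\Quarantine\C\Users\cnb\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll.vir
2014-07-04 18:51:17 . 2014-07-07 23:19:42              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2014-07-04 15:49:06 . 2014-06-25 00:39:06          750,160 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\Avira\AntiVir Desktop\avgnt.exe.vir
2014-07-04 19:11:44 . 2014-07-04 19:11:44              772 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-SearchProtect.reg.dat
2014-06-26 09:30:04 . 2014-06-26 09:30:04        1,743,680 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\SearchProtect\SearchProtect\bin\SPTool64.exe.vir
"""

# One listing line: <quarantined at> . <original mtime> <size> <attrs> <quarantine path>
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
    r"\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)
# Quarantined copy of a file: <root>\<drive letter>\<original path>.vir  (assumed layout)
FILE_RE = re.compile(r"^C:\\Qoobox\\Quarantine\\([A-Za-z])\\(.+)\.vir$", re.IGNORECASE)
REG_PREFIX = (QUAR_ROOT + r"\Registry_backups" + "\\").lower()


@dataclass
class Entry:
    quarantined_at: str
    original_mtime: str
    size: int
    attrs: str
    qpath: str                     # path inside C:\Qoobox\Quarantine
    kind: str                      # "registry_backup", "file" or "other"
    original_path: Optional[str]   # where a quarantined file originally lived


def classify(qpath: str):
    """Tell registry backups, quarantined file copies and everything else apart."""
    if qpath.lower().startswith(REG_PREFIX):
        return "registry_backup", None
    m = FILE_RE.match(qpath)
    if m:
        return "file", f"{m.group(1)}:\\{m.group(2)}"
    return "other", None          # catchme logs, MBR copies, ...


def parse_listing(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        qat, mtime, size, attrs, qpath = m.groups()
        kind, orig = classify(qpath)
        entries.append(Entry(qat, mtime, int(size.replace(",", "")), attrs, qpath, kind, orig))
    return entries


def entries_for(entries: List[Entry], keyword: str) -> List[Entry]:
    """Entries whose quarantine path mentions the product being restored."""
    k = keyword.lower()
    return [e for e in entries if k in e.qpath.lower()]


def build_cfscript(entries: List[Entry]) -> str:
    """DeQuarantine:: block in the form used in the thread (file entries only)."""
    lines = ["DeQuarantine::"]
    for e in entries:
        if e.kind == "file":
            lines.append(f"{QUAR_ROOT}\\{e.original_path}")
    lines += ["", "Quit::"]
    return "\n".join(lines) + "\n"


def build_fix_bat(entries: List[Entry]) -> str:
    """fix.bat that merges the saved .reg.dat backups, as in the thread."""
    lines = ["@echo off"]
    for e in entries:
        if e.kind == "registry_backup":
            lines.append(f'regedit "{e.qpath}"')
    lines.append("del %0")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    plan = entries_for(parse_listing(SAMPLE_LISTING), "avgnt")
    print(build_cfscript(plan))
    print(build_fix_bat(plan))
```

Run it against the real ComboFix-quarantined-files.txt with parse_listing(open(path).read()) and read the generated plan before using any of it: the keyword filter is the only thing keeping the SearchProtect entries, which were removed on purpose, out of the restore, so choose the keyword as narrowly as the product's file names allow.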

Ghost

Hi Corrine ;-)
Avira is working again ;-)
The latest ComboFix log, run before the "fix":
ComboFix 14-07-07.01 - cnb 07/07/2014  21:51:59.5.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2045.915 [GMT -4:00]
Running from: c:\users\cnb\Desktop\ComboFix.exe
Command switches used :: c:\users\cnb\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-08 to 2014-07-08  )))))))))))))))))))))))))))))))
.
.
2014-07-08 01:59 . 2014-07-08 01:59   --------   d-----w-   c:\users\cnb\AppData\Local\temp
2014-07-08 01:59 . 2014-07-08 01:59   --------   d-----w-   c:\users\Default\AppData\Local\temp
2014-07-05 00:26 . 2014-07-05 00:26   --------   d-----w-   c:\program files\ESET
2014-07-04 22:43 . 2014-07-04 22:43   --------   d-----w-   c:\programdata\BlueStacks
2014-07-04 15:53 . 2014-07-04 15:53   --------   d-----w-   c:\users\cnb\AppData\Roaming\Avira
2014-07-04 15:49 . 2014-06-25 00:39   37352   ----a-w-   c:\windows\system32\drivers\avkmgr.sys
2014-07-04 15:49 . 2014-06-25 00:39   97648   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2014-07-04 15:49 . 2014-06-25 00:39   136216   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2014-07-04 15:28 . 2014-07-04 15:48   --------   d-----w-   c:\program files\Avira
2014-07-04 15:28 . 2014-07-04 15:48   --------   d-----w-   c:\programdata\Avira
2014-07-04 15:28 . 2014-07-04 15:28   --------   d-----w-   c:\programdata\Package Cache
2014-07-04 14:39 . 2011-06-21 15:24   32768   ----a-w-   c:\windows\system32\drivers\sp_rsdrv2.sys
2014-07-04 12:16 . 2014-07-04 12:16   --------   d-----w-   c:\windows\Migration
2014-07-04 03:52 . 2010-08-30 12:34   536576   ----a-w-   c:\windows\system32\sqlite3.dll
2014-07-04 03:52 . 2014-07-04 04:00   --------   d-----w-   C:\AdwCleaner
2014-07-04 03:47 . 2014-07-04 03:47   --------   d-----w-   c:\windows\ERUNT
2014-07-04 02:41 . 2014-07-04 02:41   --------   d-----w-   c:\program files\VS Revo Group
2014-07-03 22:27 . 2014-07-04 22:32   110296   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-03 22:27 . 2014-07-03 22:27   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware
2014-07-03 22:27 . 2014-07-03 22:27   --------   d-----w-   c:\programdata\Malwarebytes
2014-07-03 22:27 . 2014-05-12 11:55   51928   ----a-w-   c:\windows\system32\drivers\mwac.sys
2014-07-03 22:27 . 2014-05-12 11:54   74456   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2014-07-03 22:27 . 2014-05-12 11:54   23256   ----a-w-   c:\windows\system32\drivers\mbam.sys
2014-07-03 18:08 . 2014-07-03 18:11   --------   d-----w-   c:\program files\Power Defrag
2014-07-03 18:07 . 2014-07-03 18:07   --------   d-----w-   c:\program files\7-Zip
2014-07-03 18:03 . 2014-04-26 16:01   502784   ----a-w-   c:\windows\system32\usp10.dll
2014-07-03 18:03 . 2014-04-05 02:42   905664   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2014-07-03 18:02 . 2014-03-10 01:22   1401344   ----a-w-   c:\windows\system32\msxml6.dll
2014-07-03 18:02 . 2014-03-10 01:22   1248768   ----a-w-   c:\windows\system32\msxml3.dll
2014-07-03 17:58 . 2014-06-17 06:57   8140904   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{8A0E6DCD-6089-431E-9C84-885B433FC970}\mpengine.dll
2014-07-03 17:34 . 2014-07-03 17:34   --------   d-----w-   c:\programdata\WindowsSearch
2014-07-03 16:40 . 2014-07-03 16:40   --------   d-----w-   c:\users\cnb\AppData\Local\Mozilla
2014-07-03 16:28 . 2014-07-03 16:29   --------   d-----w-   c:\program files\CCleaner
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-04 03:02 . 2013-09-15 03:23   699056   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2014-07-04 03:02 . 2012-02-12 16:42   71344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2014-06-24 13:09 . 2013-09-25 04:36   479232   ----a-w-   c:\windows\system32\msvcm80.dll
2014-06-24 13:09 . 2008-03-01 07:04   632656   ----a-w-   c:\windows\system32\msvcr80.dll
2014-06-24 13:09 . 2008-03-01 07:04   554832   ----a-w-   c:\windows\system32\msvcp80.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [BU]
"Avira Systray"="c:\program files\Avira\My Avira\Avira.OE.Systray.exe" [2014-06-30 187984]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"="rmdir" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-6 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^cnb^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Severe Weather Alerts.lnk]
path=c:\users\cnb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Severe Weather Alerts.lnk
backup=c:\windows\pss\Severe Weather Alerts.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2014-05-08 13:48   959904   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27   159744   ----a-w-   c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
2007-10-11 15:49   465136   ----a-w-   c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-10 00:57   16384   ----a-w-   c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03   17920   ----a-w-   c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-08-30 11:03   29744   ----a-w-   c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24   54840   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 21:31   80896   ----a-w-   c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 05:24   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2014-01-22 17:05   106496   ----a-w-   c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-25 09:13   81920   ----a-w-   c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 07:59   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-09-28 04:54   405504   ----a-w-   c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-02-06 11:10   68856   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-28 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   REG_MULTI_SZ      BthServ
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
HPService   REG_MULTI_SZ      HPSLPSVC
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-07-03 21:48   1091912   ----a-w-   c:\program files\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-15 03:02]
.
2014-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 04:03]
.
2014-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 04:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trovi.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M1B52F44A-EEDC-4C55-9B76-069578255C70&SearchSource=55&CUI=&UM=6&UP=SPF1F0919D-34CC-4CB4-A709-1F4F63F9367B&SSPV=
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-07-07 21:59
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{2E444BE9-B8EC-4CE6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\Dell\MediaDirect\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-07-07  22:01:17
ComboFix-quarantined-files.txt  2014-07-08 02:01
ComboFix2.txt  2014-07-07 23:31
ComboFix3.txt  2014-07-07 21:17
ComboFix4.txt  2014-07-04 23:34
ComboFix5.txt  2014-07-08 01:50
.
Pre-Run: 204,576,591,872 bytes free
Post-Run: 204,542,222,336 bytes free
.
- - End Of File - - 483AD21B0C1F7C4A258D1121A6F7F9DD
5C616939100B85E558DA92B899A0FC36

thanks,
Ghost
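The "Supplementary Scan" block in the ComboFix log above still lists a uStart Page set to a trovi.com URL, which is the kind of leftover a helper reads for by eye. The following is an added example (not code from the thread or from ComboFix/DDS) that parses that block and flags browser-hijack leftovers: a start page or search scope on a known search-hijack domain or carrying Conduit-style ctid/ISID/CUI parameters, a configured ProxyServer, and a non-private DhcpNameServer. The hijack-domain and parameter lists are assumptions for the example; the sample log is taken from the post above, and the clean counterpart is constructed.

```python
"""Triage the 'Supplementary Scan' block of a DDS/ComboFix log for browser-hijack leftovers."""
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Search-hijack domains (Conduit/Trovi family). Assumption for this example,
# not a list the thread above provides.
HIJACK_DOMAINS = {"trovi.com", "conduit.com"}
# Query parameters Conduit-branded search pages carry; also an assumption.
HIJACK_PARAMS = {"ctid", "isid", "cui"}

# Taken from the ComboFix log posted above (URLs stay defanged as 'hxxp').
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trovi.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M1B52F44A-EEDC-4C55-9B76-069578255C70&SearchSource=55&CUI=&UM=6&UP=SPF1F0919D-34CC-4CB4-A709-1F4F63F9367B&SSPV=
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
.
**************************************************************************
"""

# Constructed clean counterpart for comparison.
CLEAN_LOG = """\
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
**************************************************************************
"""


def parse_supplementary(text):
    """Return {key: value} for 'key = value' lines inside the Supplementary Scan block."""
    entries = {}
    inside = False
    for line in text.splitlines():
        if line.startswith("------- Supplementary Scan"):
            inside = True
            continue
        if line.startswith("****"):
            break
        if inside and " = " in line:
            key, _, value = line.partition(" = ")
            entries[key.strip()] = value.strip()
    return entries


def refang(url):
    """Turn the log's defanged hxxp/hxxps back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(text):
    """Return a list of (key, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for key, value in parse_supplementary(text).items():
        if key.endswith("Start Page") or key.endswith("Default_Page_URL") or "SearchScopes" in key:
            url = urlparse(refang(value))
            host = url.hostname or ""
            params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
            if host_matches(host, HIJACK_DOMAINS):
                findings.append((key, f"points at known search hijacker {host}"))
            elif params & HIJACK_PARAMS:
                findings.append((key, f"carries Conduit-style parameters {sorted(params & HIJACK_PARAMS)}"))
        elif key.endswith("ProxyServer"):
            findings.append((key, f"proxy configured: {value}"))
        elif key.endswith("DhcpNameServer"):
            for ip in value.split():
                try:
                    if not ip_address(ip).is_private:
                        findings.append((key, f"non-private DNS server {ip}"))
                except ValueError:
                    findings.append((key, f"unparseable DNS entry {ip!r}"))
    return findings


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("clean log", CLEAN_LOG)):
        print(name, triage(log) or "no findings")
```

Run against the posted log the only finding is the trovi.com start page; ProxyOverride = *.local and a private DhcpNameServer are normal and are not reported. The key-name matching is deliberately by suffix because DDS prefixes entries with the hive they came from (uStart Page, mStart Page, and so on).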

Corrine

Quote from: Ghost on July 08, 2014, 02:13:36 AM
Hi Corrine ;-).
Avira is working again ;-)).

:dance:  Now I'll be able to shut down not worrying about it. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Ghost

Well, you earned a break / good night's sleep for sure ;-).
Let's clean up things tomorrow afternoon.
Thanks,
Ghost ;-)

Corrine

Oh, Ghost, it is back in your hands now to clean up the mess we made on your friend's laptop.

Let's take care of removing the tools used:

Please download Delfix from here.

Ensure the following boxes are checked:
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore

  • Click Run
The program will run for a few moments and then Notepad will open with a log.  Please paste the log in your next reply.

In addition, as was mentioned previously, WinPatrol has many features, one of which is managing start up programs.  See WinPatrol Features And Documentation for information on Monitoring, Removing and Disabling Startup Programs.  Also see my post in the Lzd WinPatrol "How To's, Tips & Information" forum, Start Up Programs: Remove, Add, Disable.

WinPatrol is available for download from here:  Ruiware Download Page



Ghost

Hi Corrine ;-),
DelFix log:
# DelFix v10.7 - Logfile created 08/07/2014 at 17:49:13
# Updated 27/04/2014 by Xplode
# Username : cnb - CNB-COMP
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\AdwCleaner
Deleted : C:\ComboFix.txt
Deleted : C:\Users\cnb\Desktop\AdwCleaner[S0].txt
Deleted : C:\Users\cnb\Desktop\adwcleaner_3.214.exe
Deleted : C:\Users\cnb\Desktop\ComboFix-quarantined-files.txt
Deleted : C:\Users\cnb\Desktop\ComboFix.exe
Deleted : C:\Users\cnb\Desktop\combofix.txt
Deleted : C:\Users\cnb\Desktop\combofix2.txt
Deleted : C:\Users\cnb\Desktop\combofix3.txt
Deleted : C:\Users\cnb\Desktop\combofix4.txt
Deleted : C:\Users\cnb\Desktop\dds.scr
Deleted : C:\Users\cnb\Desktop\dds.txt
Deleted : C:\Users\cnb\Desktop\DDS2.txt
Deleted : C:\Users\cnb\Desktop\JRT.exe
Deleted : C:\Users\cnb\Desktop\JRT.txt
Deleted : C:\Users\cnb\Desktop\SecurityCheck.exe
Deleted : C:\Users\cnb\Desktop\TFC.exe
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #954 [Windows Update | 10/17/2013 02:32:50]
Deleted : RP #955 [Windows Update | 10/20/2013 03:39:27]
Deleted : RP #956 [Windows Update | 10/25/2013 22:10:44]
Deleted : RP #957 [Windows Update | 10/31/2013 01:11:20]
Deleted : RP #958 [Windows Update | 11/16/2013 19:26:20]
Deleted : RP #959 [Windows Update | 11/17/2013 00:55:21]
Deleted : RP #960 [Windows Update | 12/23/2013 19:32:20]
Deleted : RP #961 [Windows Update | 03/16/2014 14:57:53]
Deleted : RP #962 [Windows Update | 07/03/2014 15:23:48]
Deleted : RP #963 [starting system cleanup | 07/03/2014 18:15:29]
Deleted : RP #965 [Revo Uninstaller's restore point - Java(TM) SE Runtime Environment 6 | 07/04/2014 02:42:45]
Deleted : RP #966 [Installed Adobe Reader XI  MUI. | 07/04/2014 03:30:14]
Deleted : RP #967 [Windows Update | 07/04/2014 11:55:14]
Deleted : RP #972 [Revo Uninstaller's restore point - Avira Free Antivirus | 07/04/2014 14:20:31]
Deleted : RP #974 [Revo Uninstaller's restore point - Avira Free Antivirus | 07/04/2014 14:25:15]
Deleted : RP #976 [Revo Uninstaller's restore point - Rid Spyware with PC Tech Hotline 1.1.0.2 | 07/04/2014 15:07:16]
Deleted : RP #978 [Revo Uninstaller's restore point - MyPC Backup  | 07/04/2014 15:22:34]
Deleted : RP #979 [Windows Update | 07/04/2014 22:21:41]
Deleted : RP #980 [Scheduled Checkpoint | 07/05/2014 20:54:00]
Deleted : RP #981 [Windows Update | 07/05/2014 21:28:05]
Deleted : RP #982 [Scheduled Checkpoint | 07/07/2014 16:51:59]

New restore point created !

########## - EOF - ##########
I'm going to install WP tonight, and thanks for the WP links ;-)
Thanks for all your help. You rock!  :rose:
Ghost

Corrine

You're welcome, Ghost.  I always enjoy helping you help your friends.  :hug:

Oh, and by the way, don't forget that today is "Patch Tuesday".  Both Adobe Flash Player and Microsoft Security Updates released today.  You'll probably want to install those before returning the laptop to your friend.



Ghost

Quote from: Corrine
You're welcome, Ghost.  I always enjoy helping you help your friends.

And I enjoy it also ;-)).

Quote from: Corrine
Oh, and by the way, don't forget that today is "Patch Tuesday".  Both Adobe Flash Player and Microsoft Security Updates released today.  You'll probably want to install those before returning the laptop to your friend.

Thanks for reminding me. Being a Linux guy I sometimes forget "Patch Tuesday" ;-D
Thanks again,
Ghost