Page 1 of 2 (posts 1 to 10 of 18)

Thread: Win 7 Total Security Issues

  1. #1
    Junior Member; joined May 2011; 9 posts

    Win 7 Total Security Issues

    Hi there! I contracted a virus this morning called Win 7 Total Security. It acts like an anti-virus program, randomly popping up to scan or warn me of threats in the hope that I will buy their fake program.

    I've been trying to fix this issue myself all morning, and have made progress, but I am still missing the key component as it keeps popping up. It was initially blocking the internet, but I am now able to get on. I have identified the malicious process as ndq.exe. I am able to delete it out of Task Manager but it keeps returning.

    I have run Avast, Norton Detection Scan and a trial of Spyware Doctor. None of them located the virus. I tried to download Spybot Search & Destroy; however, IE stops responding as soon as I try to download it. It seems the malware has blocked me from downloading any program which could potentially delete it. I downloaded ERUNT and saved a copy of my registry after deleting the following registry entries.
    ------
    I have thus far deleted all, or as many as I could find, of the following; however, some keep reappearing:
    HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
    HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
    HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
    HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
    HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
    HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
    HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
    HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
    HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
    HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
    HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
    HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1'
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
    HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
    HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
    HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
    ------
    I also tried to delete the following files but could not locate them:
    %AllUsersProfile%\t3e0ilfioi3684m2nt3ps2b6lru (or random)
    %AppData%\Local\[random].exe (look for 3-letter names)
    %AppData%\Local\t3e0ilfioi3684m2nt3ps2b6lru (or random)
    %AppData%\Roaming\Microsoft\Windows\Templates\t3e0ilfioi3684m2nt3ps2b6lru (or random)
    %Temp%\t3e0ilfioi3684m2nt3ps2b6lru (or random)
    -----
    And tried the following:
    1. Click Start->Run (or WinKey+R). Input: "command". Press Enter or click OK.
    2. Type "notepad" and press Enter. Notepad will open.
    3. Copy and paste the following text into Notepad:

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\Software\Classes\.exe]
    [-HKEY_CURRENT_USER\Software\Classes\secfile]
    [-HKEY_CLASSES_ROOT\secfile]
    [-HKEY_CLASSES_ROOT\.exe\shell\open\command]

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    4. Save the file as "exefix.reg" (without quotation marks) to your Desktop.
    NOTE: choose Save as type: All files
    5. Double-click to open exefix.reg. Click "Yes" at the Registry Editor prompt window.
    -----
    Here is a copy of my log:
    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
    Run by carolyn at 13:56:01 on 2011-05-27
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.3744 [GMT -4:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
    C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Windows\system32\spool\DRIVERS\x64\3\lxdnserv.exe
    C:\Windows\system32\lxdncoms.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
    c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\Lexmark 2600 Series\lxdnMsdMon.exe
    C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\explorer.exe
    C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe
    C:\Program Files (x86)\PC Tools Security\pctsSvc.exe
    C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
    C:\Program Files (x86)\PC Tools Security\pctsGui.exe
    C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Windows\system32\taskmgr.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\prevhost.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\SysWOW64\werfault.exe
    C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\carolyn\AppData\Local\nqd.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files\eMachines\eMachines Updater\alu.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\carolyn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LXMMEOD1\dds[1].scr
    C:\Windows\SysWOW64\WSCRIPT.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?ilc=1
    uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17361209g116p0375v1h5r4891s251
    mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17361209g116p0375v1h5r4891s251
    mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17361209g116p0375v1h5r4891s251
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
    uURLSearchHooks: H - No File
    uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
    mWinlogon: Userinit=userinit.exe
    BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - No File
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
    TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    TB: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
    mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
    mRun: [FaxCenterServer] "C:\Program Files (x86)\Lexmark Fax Solutions\fm3032.exe" /s
    mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    mRun: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
    mRun: [PCTools FGuard] C:\Program Files (x86)\PC Tools Security\BDT\FGuard.exe
    StartupFolder: C:\Users\carolyn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
    StartupFolder: C:\Users\carolyn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
    LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
    DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://download-games.pogo.com/online2/pogo/diner_dash_flo_on_the_go/ddfotg.1.0.0.33.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CEBE157C-C91E-4A45-BB3C-45F8C77C012F} - hxxp://aolsvc.aol.com/onlinegames/free-trial-wandering-willows/WanderingWillowsWeb.1.0.0.18.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/free-trial-peggle-deluxe/popcaploader_v10.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg64.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    TB-X64: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
    TB-X64: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
    TB-X64: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    TB-X64: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
    TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    mRun-x64: [lxdnmon.exe] "C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe"
    mRun-x64: [lxdnamon] "C:\Program Files (x86)\Lexmark 2600 Series\lxdnamon.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\carolyn\AppData\Roaming\Mozilla\Firefox\Profiles\2vu8fbkb.default\
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\carolyn\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: google.toolbar.linkdoctor.enabled - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PCTCore;PCTools KDS;C:\Windows\system32\drivers\PCTCore64.sys --> C:\Windows\system32\drivers\PCTCore64.sys [?]
    R0 pctDS;PC Tools Data Store;C:\Windows\system32\drivers\pctDS64.sys --> C:\Windows\system32\drivers\pctDS64.sys [?]
    R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\system32\drivers\pctEFA64.sys --> C:\Windows\system32\drivers\pctEFA64.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R1 PCTSD;PC Tools Spyware Doctor Driver;C:\Windows\system32\Drivers\PCTSD64.sys --> C:\Windows\system32\Drivers\PCTSD64.sys [?]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-15 40384]
    R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [2011-5-27 337872]
    R2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-6-4 1150496]
    R2 lxdn_device;lxdn_device;C:\Windows\system32\lxdncoms.exe -service --> C:\Windows\system32\lxdncoms.exe -service [?]
    R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\lxdnserv.exe [2008-2-27 33960]
    R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2011-5-27 371472]
    R2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2011-5-27 1117144]
    R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-8-15 240160]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-5 135664]
    S3 FlyUsb;FLY Fusion;C:\Windows\system32\DRIVERS\FlyUsb.sys --> C:\Windows\system32\DRIVERS\FlyUsb.sys [?]
    S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-5 135664]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-05-27 16:37:19 -------- d-----w- C:\Users\carolyn\AppData\Local\Threat Expert
    2011-05-27 16:30:59 767952 ----a-w- C:\Windows\BDTSupport.dll
    2011-05-27 16:30:59 2074576 ----a-w- C:\Windows\PCTBDCore.dll
    2011-05-27 16:30:59 1533904 ----a-w- C:\Windows\PCTBDRes.dll
    2011-05-27 16:30:59 149456 ----a-w- C:\Windows\SGDetectionTool.dll
    2011-05-27 16:23:43 816016 ----a-w- C:\Windows\System32\drivers\pctEFA64.sys
    2011-05-27 16:23:43 452872 ----a-w- C:\Windows\System32\drivers\pctDS64.sys
    2011-05-27 16:23:43 334976 ----a-w- C:\Windows\System32\drivers\pctgntdi64.sys
    2011-05-27 16:23:43 140800 ----a-w- C:\Windows\System32\drivers\pctwfpfilter64.sys
    2011-05-27 16:23:40 282440 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys
    2011-05-27 16:23:39 279344 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
    2011-05-27 16:23:36 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys
    2011-05-27 16:23:29 -------- d-----w- C:\Program Files (x86)\PC Tools Security
    2011-05-27 16:23:29 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
    2011-05-27 16:15:13 -------- d-----w- C:\ProgramData\PC Tools
    2011-05-27 15:38:26 339968 --sha-w- C:\Users\carolyn\AppData\Local\nqd.exe
    2011-05-27 15:38:23 339968 --sha-w- C:\Users\carolyn\AppData\Local\cbk.exe
    2011-05-27 14:18:44 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{410EBB12-7A43-422F-BFD7-0D2432607534}\mpengine.dll
    2011-05-24 11:56:25 142336 ----a-w- C:\Windows\System32\poqexec.exe
    2011-05-24 11:56:25 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
    2011-05-10 23:32:49 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-05-10 23:32:48 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-05-10 23:32:48 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    .
    ==================== Find3M ====================
    .
    2011-04-07 19:03:12 681932 ----a-w- C:\ProgramData\SPL2290.tmp
    2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll
    2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
    2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
    2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
    2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll
    2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
    2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll
    2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
    2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
    2011-03-03 03:58:32 3133440 ----a-w- C:\Windows\System32\win32k.sys
    .
    ============= FINISH: 13:57:02.08 ===============


    I'm at a loss as to how to proceed. Thank you in advance for any help you can offer!

    Sincerely, Carolyn

    ------------------------------------------
    Edit: Please do not continue to delete registry entries. Please wait for assistance.
    Last edited by tashi; 2011-05-27 at 22:28. Reason: Edit
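    The registry list in the post above is the classic .exe file-association hijack: the rogue rewrites the "open" verb of exefile (and the per-user copy under HKCU\Software\Classes, which takes precedence over HKCR for that user) so that every .exe launch runs the dropped three-letter binary first, which then starts the real target via /START. That is why the process "keeps returning" and why security tools will not start. The following PowerShell audit is an added example, not part of the original post and not part of any tool named in the thread. It only reports; it deletes nothing. It assumes the stock Windows 7 value '"%1" %*' for the "open" verb, treats the /START switch as the marker of a hijacked browser launcher, and looks in %LOCALAPPDATA% for the hidden three-letter executables the DDS log shows (nqd.exe and cbk.exe, attributes --sha-w-).

```powershell
# Added example (not from the original thread): read-only audit of the
# exefile / StartMenuInternet hijack and of hidden 3-letter .exe droppers.
# Run from an elevated PowerShell prompt on the affected machine.

# Assumption: stock value of exefile's "open" verb on Windows 7.
$ExpectedOpen = '"%1" %*'

# Keys named in the removal list. HKCU\Software\Classes is listed first
# because per-user entries there override HKCR\exefile for that user, so a
# clean HKCR alone does not prove the association is clean.
$Targets = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)

function Get-Interposer {
    # Pulls the first quoted program out of a command line such as
    # "C:\...\nqd.exe" /START "%1" %* and expands %UserProfile% etc.
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Test-ExeHijack {
    param([string[]]$Paths = $Targets)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $cmd = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).'(default)'
        if (-not $cmd) { continue }
        if ($p -like '*StartMenuInternet*') {
            # Browser launchers legitimately contain the browser path; the
            # tell-tale is an interposer in front of it plus /START.
            $hijacked = ($cmd -match '/START')
        } else {
            $hijacked = ($cmd -ne $ExpectedOpen)
        }
        $exe = Get-Interposer $cmd
        New-Object PSObject -Property @{
            Key        = $p
            Command    = $cmd
            Hijacked   = $hijacked
            Interposer = $exe
            # On Windows 7 "%UserProfile%\Local Settings\Application Data" is a
            # junction onto %LOCALAPPDATA%, so the old-style path still resolves.
            Exists     = ($exe -and (Test-Path -LiteralPath $exe))
        }
    }
}

function Find-HiddenShortExe {
    # The dropped binaries are three letters plus .exe and carry the Hidden
    # and System attributes (DDS prints them as --sha-w-). -Force is required
    # or Get-ChildItem skips them silently.
    param([string]$Dir = $env:LOCALAPPDATA)
    Get-ChildItem -LiteralPath $Dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.BaseName -match '^[a-z]{3}$' -and
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Size       = $_.Length
                Attributes = $_.Attributes
                Created    = $_.CreationTime
            }
        }
}

Test-ExeHijack | Where-Object { $_.Hijacked } | Format-List
Find-HiddenShortExe | Format-Table -AutoSize
</code>
```

    Two things worth knowing when reading the output. First, a hijacked entry whose Interposer no longer Exists is the state the poster describes: the association still points at the dropper, so every .exe launch fails or spawns an error until the "open" verb is restored, which is what the exefix.reg in the post does. Second, the script deliberately does not repair anything; on a live infection the dropper re-writes these keys as soon as it runs again, so the registry fix only sticks once the process is stopped, which is what the helper's later rkill step is for.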

  2. #2
    Senior Member; joined Aug 2010; Near Atlanta, GA; 189 posts

    Hello Carolyn, and welcome to the Safer Networking Forum.
    I'm RedCar92 and my name is Bill. I'll be glad to help you with your computer problems.

    • Please observe these rules while we work:
    • Read the entire procedure
    • It is important to perform ALL actions in sequence.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it.
    • Remember, absence of symptoms does not mean the infection is all gone.
    • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.


    Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
    This may cause a delay, but I will do my best to keep it as short as possible.

    Please bear with me, I will post back to you as soon as I can.

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

    Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

    These tools MUST be run from the executable (.exe) every time you run them,
    with Admin Rights (right click, choose "Run as Administrator").

    Stay with this topic until I give you the all clean post.

  3. #3
    Junior Member; joined May 2011; 9 posts

    Hi, and thank you for your response.

    "These tools MUST be run from the executable. (.exe) every time you run them with Admin Rights (Right click, choose "Run as Administrator")" Right click on desktop? How do I make sure something is running in .exe?

    I tried turning on my pc, just mere hours later, and the desktop is nothing more than a plain black screen. I am able to do ctrl alt delete but the task manager just comes up over the black screen. I am able to log on in safe mode and use the internet in safe mode with networking but I have to work to get on, repeatedly fighting with the fake 'anti virus' popups which come up whenever I try to get on IE. I'll keep trying to check this forum, but I'm not sure if this malware will some how block all of my access to my desktop/internet even in safe mode. The malware has blocked me from running any kind of anti virus on my computer, even in safe mode.

    Thank you for your help.

  4. #4
    Senior Member; joined Aug 2010; Near Atlanta, GA; 189 posts

    Greetings Carolyn
    • Please download aswMBR (511KB) to your desktop.
    • Double click the aswMBR.exe icon to run it.
    • Click the Scan button to start the scan.
    • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

  5. #5
    Junior Member; joined May 2011; 9 posts

    Hi Bill. Here are the results. Today I was able to log on successfully to my desktop in normal mode without having changed anything, although a few Windows boxes did pop up to tell me certain processes couldn't run correctly.

    aswMBR version 0.9.5.310 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-28 14:29:08
    -----------------------------
    14:29:08.571 OS Version: Windows x64 6.1.7600
    14:29:08.571 Number of processors: 2 586 0x602
    14:29:08.572 ComputerName: CAROLYN-PC UserName: carolyn
    14:29:11.027 Initialize success
    14:29:19.458 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
    14:29:19.460 Disk 0 Vendor: ST375052 CC44 Size: 715404MB BusType: 3
    14:29:21.486 Disk 0 MBR read successfully
    14:29:21.488 Disk 0 MBR scan
    14:29:21.490 Disk 0 unknown MBR code
    14:29:21.492 Service scanning
    14:29:22.587 Disk 0 trace - called modules:
    14:29:22.607 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore64.sys ACPI.sys storport.sys hal.dll nvstor64.sys
    14:29:22.610 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006441060]
    14:29:22.614 3 CLASSPNP.SYS[fffff88001afe43f] -> nt!IofCallDriver -> [0xfffffa800643e790]
    14:29:22.617 5 PCTCore64.sys[fffff8800117a894] -> nt!IofCallDriver -> [0xfffffa8005f94040]
    14:29:22.621 7 ACPI.sys[fffff88000eed781] -> nt!IofCallDriver -> \Device\00000058[0xfffffa8005f989d0]
    14:29:22.624 Scan finished successfully
    14:29:48.668 Disk 0 MBR has been saved successfully to "C:\Users\carolyn\Desktop\MBR.dat"
    14:29:48.673 The log file has been saved successfully to "C:\Users\carolyn\Desktop\Log52811.txt"

  6. #6
    Senior Member; joined Aug 2010; Near Atlanta, GA; 189 posts

    Hello Carolyn,
    Maybe the following will be of some help.
    Print out these instructions as we may need to close every window that is open later in the fix.
    It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

    Do not reboot your computer after running rkill as the malware programs will start again.

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 3 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.
    1. rkill.exe
    2. rkill.com
    3. rkill.scr


    Do not reboot your computer after running rkill as the malware programs will start again.

  7. #7
    Junior Member; joined May 2011; 9 posts

    Thank you for that information Bill. Maybe I'm getting ahead of myself here, but am I supposed to never reboot my computer after this? Are there going to be more steps after this and if so, can you please post at least the next one so I don't have to leave my computer running full time?

  8. #8
    Senior Member; joined Aug 2010; Near Atlanta, GA; 189 posts

    Carolyn,
    You can turn your PC off. If you have problems running a program then use RKill. You will need to run RKill after rebooting your PC if a program will not run.

  9. #9
    Senior Member; joined Aug 2010; Near Atlanta, GA; 189 posts

    Greetings Carolyn

    Next
    ***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
    Download Combofix from any of the links below. Save it to your desktop.

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore the connections.
    Also let me know how your pc is behaving after running the above procedure please.

  10. #10
    Junior Member
    Join Date
    May 2011
    Posts
    9

    Default

    Hi Bill. I ran Rkill and Combofix. I disabled all anti spyware programs, notably Avast prior to running the program, however, Combofix still detected them as running. I uninstalled the program before continuing to hopefully fix the problem.

    Here is the log.
    ComboFix 11-05-29.02 - carolyn 05/30/2011 11:03:23.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4259 [GMT -4:00]
    Running from: c:\users\carolyn\Desktop\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\users\carolyn\AppData\Local\cbk.exe
    c:\users\carolyn\AppData\Local\Microsoft\Windows\Temporary Internet Files\r-W_g3jH
    c:\users\carolyn\AppData\Local\nqd.exe
    c:\users\carolyn\g2mdlhlpx.exe
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-30 15:08 . 2011-05-30 15:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-27 17:53 . 2011-05-27 17:54 -------- d-----w- c:\program files (x86)\ERUNT
    2011-05-27 16:37 . 2011-05-27 16:37 -------- d-----w- c:\users\carolyn\AppData\Local\Threat Expert
    2011-05-27 16:30 . 2011-04-27 19:37 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2011-05-27 16:30 . 2011-04-27 19:37 2074576 ----a-w- c:\windows\PCTBDCore.dll
    2011-05-27 16:30 . 2011-04-27 19:37 1533904 ----a-w- c:\windows\PCTBDRes.dll
    2011-05-27 16:30 . 2011-04-27 19:36 767952 ----a-w- c:\windows\BDTSupport.dll
    2011-05-27 16:23 . 2011-03-24 16:39 140800 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
    2011-05-27 16:23 . 2011-01-17 13:09 334976 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
    2011-05-27 16:23 . 2010-07-16 18:53 816016 ----a-w- c:\windows\system32\drivers\pctEFA64.sys
    2011-05-27 16:23 . 2010-06-29 14:35 452872 ----a-w- c:\windows\system32\drivers\pctDS64.sys
    2011-05-27 16:23 . 2011-03-10 14:07 282440 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
    2011-05-27 16:23 . 2011-03-10 13:08 279344 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
    2011-05-27 16:23 . 2010-12-16 11:46 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
    2011-05-27 16:23 . 2011-05-30 14:56 -------- d-----w- c:\program files (x86)\PC Tools Security
    2011-05-27 16:23 . 2011-05-27 16:31 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
    2011-05-27 16:15 . 2011-05-27 16:23 -------- d-----w- c:\programdata\PC Tools
    2011-05-27 14:18 . 2011-05-09 22:00 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{410EBB12-7A43-422F-BFD7-0D2432607534}\mpengine.dll
    2011-05-24 11:56 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
    2011-05-24 11:56 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
    2011-05-10 23:32 . 2011-04-09 06:45 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-05-10 23:32 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2011-05-10 23:32 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-10 12:10 . 2011-01-16 00:24 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-04-07 19:03 . 2011-04-07 19:03 681932 ----a-w- c:\programdata\SPL2290.tmp
    2011-03-11 06:19 . 2011-04-15 23:45 1395712 ----a-w- c:\windows\system32\mfc42.dll
    2011-03-11 06:19 . 2011-04-15 23:45 1359872 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-11 05:40 . 2011-04-15 23:45 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
    2011-03-11 05:40 . 2011-04-15 23:45 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
    2011-03-08 06:14 . 2011-04-15 23:43 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-08 05:38 . 2011-04-15 23:43 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2011-03-03 06:17 . 2011-04-15 23:43 182272 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-03-03 06:14 . 2011-04-15 23:43 30208 ----a-w- c:\windows\system32\dnscacheugc.exe
    2011-03-03 05:27 . 2011-04-15 23:43 28672 ----a-w- c:\windows\SysWow64\dnscacheugc.exe
    2011-03-03 03:58 . 2011-04-15 23:46 3133440 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]
    "msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-05-13 26192168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]
    "Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
    "FaxCenterServer"="c:\program files (x86)\Lexmark Fax Solutions\fm3032.exe" [2008-03-27 320168]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "PCTools FGuard"="c:\program files (x86)\PC Tools Security\BDT\FGuard.exe" [2011-04-27 247760]
    .
    c:\users\carolyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - PCTSDInjDriver64
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 11:35]
    .
    2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 11:35]
    .
    2011-05-27 c:\windows\Tasks\Norton Security Scan for carolyn.job
    - c:\program files (x86)\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-02-01 07:25]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 16333856]
    "lxdnmon.exe"="c:\program files (x86)\Lexmark 2600 Series\lxdnmon.exe" [2008-03-27 660136]
    "lxdnamon"="c:\program files (x86)\Lexmark 2600 Series\lxdnamon.exe" [2008-03-27 16040]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?ilc=1
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17361209g116p0375v1h5r4891s251
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    LSP: c:\program files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
    TCP: DhcpNameServer = 156.154.119.11 156.154.129.11
    DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
    DPF: {CEBE157C-C91E-4A45-BB3C-45F8C77C012F} - hxxp://aolsvc.aol.com/onlinegames/free-trial-wandering-willows/WanderingWillowsWeb.1.0.0.18.cab
    FF - ProfilePath - c:\users\carolyn\AppData\Roaming\Mozilla\Firefox\Profiles\2vu8fbkb.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
    WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-YInstHelper - c:\windows\system32\regsvr32
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-05-30 11:10:52
    ComboFix-quarantined-files.txt 2011-05-30 15:10
    .
    Pre-Run: 672,598,958,080 bytes free
    Post-Run: 673,176,498,176 bytes free
    .
    - - End Of File - - 0F982838F1A3DCF7F8A33E349BD922AA
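    A triage helper for logs in the format Carolyn posted above, added here as an example (it is not part of this thread, of ComboFix, or of BleepingComputer's tools): it splits the log on ComboFix's parenthesised section banners and flags deleted or autostarted executables that sit bare in the drive root, the profile root, or AppData\Local, where this rogue AV dropped nqd.exe and cbk.exe. The SUSPICIOUS_RE rule is a heuristic and the shortened sample log is constructed from lines of the post.

```python
"""Triage helper for a ComboFix log like the one posted above. Added example, not
part of the thread or of ComboFix; the 'suspicious location' rule is a heuristic."""
import re

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # '((( Name )))' banners
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|scr|com)', re.IGNORECASE)
# Executables sitting bare in the drive root, the profile root or AppData\Local:
# the rogue AV in this thread used c:\users\<user>\AppData\Local\<3 letters>.exe
SUSPICIOUS_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata\\local\\)?)?[^\\]+\.(?:exe|scr|com)$",
    re.IGNORECASE)

def split_sections(log_text):
    """Map each banner-delimited ComboFix section to its non-empty lines."""
    sections, current = {"Header": []}, "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if line in ("", "."):                 # ComboFix pads sections with '.'
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def suspicious_paths(log_text):
    """Paths from the deletion and autostart sections that match SUSPICIOUS_RE."""
    sections = split_sections(log_text)
    return [path
            for name in ("Other Deletions", "Reg Loading Points")
            for line in sections.get(name, [])
            for path in PATH_RE.findall(line)
            if SUSPICIOUS_RE.match(path)]

# Constructed excerpt of the log above (same lines, shortened banners).
SAMPLE_LOG = r"""ComboFix 11-05-29.02 - carolyn 05/30/2011 11:03:23.1.2 - x64
.
(((((((((((( Other Deletions ))))))))))))
C:\Install.exe
c:\users\carolyn\AppData\Local\cbk.exe
c:\users\carolyn\AppData\Local\nqd.exe
c:\users\carolyn\g2mdlhlpx.exe
c:\windows\Downloaded Program Files\popcaploader.dll
(((((((((((( Reg Loading Points ))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"""
```

Running `suspicious_paths(SAMPLE_LOG)` returns the four bare-location executables from the deletion list and none of the Program Files autostart entries, which is the split a helper wants to see before reading the rest of the log.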
