Hi Bill,
I've rebooted my PC, and I did not run Rkill for a second time. My PC does not seem to be having those annoying anti virus popups anymore, and logged onto the internet without incident.
Greetings Carolyn
Things are looking much better from this end, you are doing an excellent job.
I see that you have a MyHeritage toolbar installed on your system. It is not technically malware but it can be a nuisance; is it something you wish to keep?
Next
Please go to one of the below sites to scan the following file:
- jotti.org
- Kaspersky Virus File Scanner
- Virus Total
Click on Browse, and upload the following file for analysis:
c:\programdata\SPL2290.tmp
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
I also see remnants of Norton Anti-Virus on your PC. If you tried uninstalling Norton and had problems you could try using the Norton uninstaller found here: ftp://ftp.symantec.com/public/englis...moval_Tool.exe
Next
Please download Malwarebytes' Anti-Malware from Here.
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner
- Place a check mark in the box YES, I accept the Terms Of Use
- Click the Start button.
- Now click the Install button.
- Click Start. The scanner engine will initialize and update.
- Do Not place a check mark in the box beside Remove found threats.
- Click the Scan button. The scan will now run, please be patient.
- When the scan finishes, if there are any infections you will see a List of found threats.
- Click Export to text file
- Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
- If no threats are found there will be no list; this is good, just tell me that no threats were found.
Logs to post:
- Results of c:\programdata\SPL2290.tmp scan
- Do you want to keep the MyHeritage toolbar?
- mbam.txt
- results of ESET scan
Hi Bill, you have been wonderful thank you!
Jotti's malware scan results:
Filename: SPL2290.tmp
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 31 May 2011 01:01:47 (CET
---
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6726
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
5/30/2011 7:26:40 PM
mbam-log-2011-05-30 (19-26-40).txt
Scan type: Quick scan
Objects scanned: 168433
Time elapsed: 2 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\carolyn\AppData\Local\nqd.exe" -a "") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\carolyn\AppData\Local\nqd.exe" -a "") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\carolyn\AppData\Local\nqd.exe" -a "") Good: (iexplore.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\carolyn\Desktop\test.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
---
And the last scan came back clear, so I'm happy to report that there is no log to post.
And yes, I would like to get rid of the MyHeritage bar.
Thank you
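The three Hijack.StartMenuInternet entries in the MBAM log above are worth understanding: the rogue had rewritten the launch commands Windows uses for Firefox and Internet Explorer (HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\open\command) so that starting a browser launched nqd.exe in the user's profile instead, which is what kept the fake anti-virus popups coming back. The following PowerShell is an added example, not code from the thread or from Malwarebytes; it audits those keys on the local machine and flags any browser whose "open" or "safemode" launcher does not run an executable matching the browser's own key name. The function name Get-StartMenuInternetLaunchers and the name-match heuristic are this example's own choices.

```powershell
# Added example (not from the thread): audit StartMenuInternet browser launchers for
# the kind of hijack shown in the MBAM log, where FIREFOX.EXE\shell\open\command ran
# "C:\Users\<user>\AppData\Local\nqd.exe" instead of firefox.exe.
function Get-StartMenuInternetLaunchers {
    $roots = @(
        'HKLM:\SOFTWARE\Clients\StartMenuInternet',
        'HKLM:\SOFTWARE\Wow6432Node\Clients\StartMenuInternet',  # may exist on 64-bit systems
        'HKCU:\SOFTWARE\Clients\StartMenuInternet'                # per-user registrations
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($browserKey in Get-ChildItem -LiteralPath $root) {
            $browserName = $browserKey.PSChildName          # e.g. FIREFOX.EXE, IEXPLORE.EXE
            foreach ($verb in 'open', 'safemode') {
                $cmdKey = Join-Path $browserKey.PSPath "shell\$verb\command"
                if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
                $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
                if (-not $command) { continue }
                # The first token of the command is the executable, quoted or not.
                if ($command -match '^\s*"([^"]+)"' -or $command -match '^\s*(\S+)') {
                    $exePath = $Matches[1]
                } else { continue }
                $exeName = [System.IO.Path]::GetFileName($exePath)
                [pscustomobject]@{
                    Browser    = $browserName
                    Verb       = $verb
                    Command    = $command
                    Executable = $exePath
                    # Heuristic: the launcher for FIREFOX.EXE should run firefox.exe; anything
                    # else (such as nqd.exe in the log above) deserves a look.
                    Suspicious = ($exeName -ine $browserName)
                }
            }
        }
    }
}

$results = Get-StartMenuInternetLaunchers
$results | Format-Table -AutoSize
$bad = $results | Where-Object Suspicious
if ($bad) {
    Write-Warning "Launcher(s) not matching their registered browser: $($bad.Browser -join ', ')"
} else {
    Write-Host 'All StartMenuInternet launchers point at their registered browser.'
}
```

Run it from an elevated PowerShell prompt so that HKLM is readable; no values are changed. The name-match heuristic is deliberately simple: browsers whose key name is not the executable name (for example a key called "Google Chrome" that launches chrome.exe) will be reported as Suspicious, so treat the output as a list to review rather than a verdict, and pay particular attention to launchers that live under a user profile or a temp folder, as the one in the log did.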
That is great news Carolyn, but please don't leave yet, there is still a bit more to do.
No worries Bill. I'm here until you give me the all clear.
Greetings Carolyn,
My apologies for the delayed response, some minor computer problems, hopefully cleared up now.
You are doing great Carolyn, we are almost done now.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
File::
Folder::
Registry::
Driver::
DDS::
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Next
- To remove the MyHeritage toolbar, celebrity toolbar, or look-alike toolbar from Firefox, simply click on the "Tools" menu at the top of the screen, and then select "Add-ons".
- This will bring up the screen where all the plug-ins and toolbars are installed for your browser. This is also where you should be able to find "MyHeritage Toolbar". When you locate it, just click on it, then click the "Uninstall" button that appears. This will allow you to remove the plug-in easily and without any hassle.
Next
Your Java appears to be down level.
Navigate to Control Panel, then open Programs and Features.
Highlight each Java, then click on Uninstall in the toolbar.
Visit this site to download and install the latest Java.
Next
Your Adobe appears to be down level.
Please visit this site. Click on the Adobe Reader icon on the right side and you will be presented with the correct Adobe for your system.
Download and install this Adobe please.
Next
Download TFC to your desktop
- Close any open windows.
- Double click the TFC icon to run the program
- TFC will close all open programs itself in order to run,
- Click the Start button to begin the process.
- Allow TFC to run uninterrupted.
- The program should not take long to finish its job.
- Once it's finished it should automatically reboot your machine;
- if it doesn't, manually reboot to ensure a complete clean.
Please let me know when done with the steps above and how things are going, we will then continue.
Hi Bill,
I successfully downloaded Adobe and Java. Here is the log for ComboFix. It took an incredibly long time and caused my computer to make a loud clicking and humming sound.
ComboFix 11-06-04.02 - carolyn 06/03/2011 18:58:41.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4713 [GMT -4:00]
Running from: c:\users\carolyn\Desktop\ComboFix.exe
Command switches used :: c:\users\carolyn\Desktop\cfscript.txt
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-03 to 2011-06-03 )))))))))))))))))))))))))))))))
.
.
2011-06-03 23:23 . 2011-06-03 23:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-03 22:55 . 2011-06-03 22:55 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-06-03 22:54 . 2011-06-03 22:54 -------- d-----w- c:\program files (x86)\Java
2011-06-03 22:53 . 2011-06-03 22:53 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-06-03 22:45 . 2011-06-03 22:45 -------- d-----w- c:\programdata\McAfee
2011-06-03 22:45 . 2011-06-03 22:45 -------- d-----w- c:\programdata\McAfee Security Scan
2011-06-03 22:45 . 2011-06-03 22:45 -------- d-----w- c:\program files (x86)\McAfee Security Scan
2011-06-03 22:45 . 2011-05-25 19:15 29544 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\np_gp.dll
2011-06-03 22:45 . 2011-06-03 22:45 -------- d-----w- c:\programdata\NOS
2011-06-03 22:45 . 2011-06-03 22:45 -------- d-----w- c:\program files (x86)\NOS
2011-05-30 23:21 . 2011-05-30 23:21 -------- d-----w- c:\users\carolyn\AppData\Roaming\Malwarebytes
2011-05-30 23:21 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-30 23:21 . 2011-05-30 23:21 -------- d-----w- c:\programdata\Malwarebytes
2011-05-30 23:21 . 2011-05-30 23:21 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-30 23:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-30 23:00 . 2011-05-30 23:00 16005720 ----a-w- c:\programdata\SPL5BF4.tmp
2011-05-30 22:58 . 2011-05-30 22:58 16005720 ----a-w- c:\programdata\SPL26B2.tmp
2011-05-27 17:53 . 2011-05-27 17:54 -------- d-----w- c:\program files (x86)\ERUNT
2011-05-27 16:37 . 2011-05-27 16:37 -------- d-----w- c:\users\carolyn\AppData\Local\Threat Expert
2011-05-27 16:30 . 2011-04-27 19:37 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-05-27 16:30 . 2011-04-27 19:37 2074576 ----a-w- c:\windows\PCTBDCore.dll
2011-05-27 16:30 . 2011-04-27 19:37 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-05-27 16:30 . 2011-04-27 19:36 767952 ----a-w- c:\windows\BDTSupport.dll
2011-05-27 16:23 . 2011-03-24 16:39 140800 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
2011-05-27 16:23 . 2011-01-17 13:09 334976 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
2011-05-27 16:23 . 2010-07-16 18:53 816016 ----a-w- c:\windows\system32\drivers\pctEFA64.sys
2011-05-27 16:23 . 2010-06-29 14:35 452872 ----a-w- c:\windows\system32\drivers\pctDS64.sys
2011-05-27 16:23 . 2011-03-10 14:07 282440 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
2011-05-27 16:23 . 2011-03-10 13:08 279344 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2011-05-27 16:23 . 2010-12-16 11:46 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
2011-05-27 16:23 . 2011-05-30 14:56 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-05-27 16:23 . 2011-05-27 16:31 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2011-05-27 16:15 . 2011-05-27 16:23 -------- d-----w- c:\programdata\PC Tools
2011-05-27 14:18 . 2011-05-09 22:00 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{410EBB12-7A43-422F-BFD7-0D2432607534}\mpengine.dll
2011-05-24 11:56 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-05-24 11:56 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-05-10 23:32 . 2011-04-09 06:45 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-10 23:32 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-05-10 23:32 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-03 22:54 . 2010-05-23 10:56 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-05-10 12:10 . 2011-01-16 00:24 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-07 19:03 . 2011-04-07 19:03 681932 ----a-w- c:\programdata\SPL2290.tmp
2011-03-11 06:19 . 2011-04-15 23:45 1395712 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 06:19 . 2011-04-15 23:45 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40 . 2011-04-15 23:45 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2011-03-11 05:40 . 2011-04-15 23:45 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2011-03-08 06:14 . 2011-04-15 23:43 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-08 05:38 . 2011-04-15 23:43 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-30_15.09.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 20:36 . 2011-06-03 21:19 59460 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-06-03 21:19 46256 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-05 19:37 . 2011-06-03 21:19 37028 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3553799495-3861673437-910748531-1001_UserData.bin
- 2009-12-06 12:58 . 2011-05-30 14:38 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-06 12:58 . 2011-06-03 21:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-06 12:58 . 2011-05-30 14:38 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-06 12:58 . 2011-06-03 21:18 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-06 12:58 . 2011-05-30 14:38 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-06 12:58 . 2011-06-03 21:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-05 18:35 . 2011-05-30 14:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-05 18:35 . 2011-06-03 21:18 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-05 18:35 . 2011-06-03 21:18 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-05 18:35 . 2011-05-30 14:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-06-03 22:50 . 2011-06-03 22:50 32256 c:\windows\Installer\4e9f60.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 73624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\wow_helper.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
- 2011-05-30 14:32 . 2011-05-30 14:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-06-03 21:17 . 2011-06-03 21:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-06-03 21:17 . 2011-06-03 21:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-05-30 14:32 . 2011-05-30 14:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-06-03 22:54 . 2011-06-03 22:54 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-06-03 22:54 . 2011-06-03 22:54 145184 c:\windows\SysWOW64\javaw.exe
- 2010-05-23 10:56 . 2010-04-12 21:29 145184 c:\windows\SysWOW64\javaw.exe
- 2010-05-23 10:56 . 2010-04-12 21:29 145184 c:\windows\SysWOW64\java.exe
+ 2011-06-03 22:54 . 2011-06-03 22:54 145184 c:\windows\SysWOW64\java.exe
+ 2009-12-06 19:38 . 2011-06-03 22:41 260160 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2011-06-03 22:55 . 2011-06-03 22:55 183808 c:\windows\Installer\4ea4fc.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2010-11-10 20:54 . 2010-11-10 20:54 2307584 c:\windows\Installer\4ea4f1.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
- 2009-07-14 02:34 . 2011-05-30 14:51 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-06-03 21:30 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-06-03 22:52 . 2011-06-03 22:52 12584960 c:\windows\Installer\4ea4f7.msi
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\4ea4f2.msp
+ 2010-11-10 16:49 . 2010-11-10 16:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 39408]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-05-13 26192168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-24 588648]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"FaxCenterServer"="c:\program files (x86)\Lexmark Fax Solutions\fm3032.exe" [2008-03-27 320168]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"PCTools FGuard"="c:\program files (x86)\PC Tools Security\BDT\FGuard.exe" [2011-04-27 247760]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall Adobe Download Manager"="c:\program files (x86)\NOS\bin\getPlusUninst_Adobe.exe" [2011-05-25 35552]
.
c:\users\carolyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\PC Tools Security\pctsAuxs.exe [2011-02-18 371472]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys [x]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA64.sys [x]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD64.sys [x]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [2011-04-27 337872]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2008-02-27 1044648]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdnserv.exe [2008-02-27 33960]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 11:35]
.
2011-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-05 11:35]
.
2011-05-27 c:\windows\Tasks\Norton Security Scan for carolyn.job
- c:\program files (x86)\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-02-01 07:25]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 16333856]
"lxdnmon.exe"="c:\program files (x86)\Lexmark 2600 Series\lxdnmon.exe" [2008-03-27 660136]
"lxdnamon"="c:\program files (x86)\Lexmark 2600 Series\lxdnamon.exe" [2008-03-27 16040]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17361209g116p0375v1h5r4891s251
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
LSP: c:\program files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 156.154.119.11 156.154.129.11
DPF: {CEBE157C-C91E-4A45-BB3C-45F8C77C012F} - hxxp://aolsvc.aol.com/onlinegames/free-trial-wandering-willows/WanderingWillowsWeb.1.0.0.18.cab
FF - ProfilePath - c:\users\carolyn\AppData\Roaming\Mozilla\Firefox\Profiles\2vu8fbkb.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-03 19:38:35
ComboFix-quarantined-files.txt 2011-06-03 23:38
ComboFix2.txt 2011-05-30 15:10
.
Pre-Run: 673,780,551,680 bytes free
Post-Run: 673,418,444,800 bytes free
.
- - End Of File - - 722CCDF28F2A7CA2925E516EE04C2D55
I will run the TFC now.
Greetings Carolyn,
We need to start to clean up now:
First
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Next
On your desktop, find DDS.scr or DDS.com, right click then select delete; do the same for DDS.txt and Attach.txt.
You should keep ERUNT, Malwarebytes, TFC, and ESET online scanner, update and run them periodically to keep your system clean.
Last
From the looks of your logs your PC is All Clean and your machine seems to be performing as it should. You know how much work and effort you've had to put into getting it back into working order, so hopefully you can impress upon the others who use this machine, to be more careful.
For the future safety of this machine and your data, try to ensure they sit down and read the following threads: (it won't take them very long)
Cracked/Illegal Software
Perils of P2P File Sharing
Think Prevention
If there aren't any more problems, we have some final housekeeping to tend to now.
To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
* Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
* SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
o SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.
* WOT, Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
o Green to go
o Yellow for caution
o Red to stop
WOT has an addon available for both Firefox and IE.
* Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
* BACKING UP YOUR REGISTRY
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.
Vista/Windows 7 users - see this link for proper setup of Erunt http://www.winhelponline.com/blog/ba...y-using-erunt/
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Thank you for your hard work and patience Carolyn. Please reply with any questions or issues; this thread will close within a few days of the last post.
Last edited by tashi; 2011-06-07 at 06:32. Reason: Thank you redcar92 :-)