# found virus - takeover of search engine



## bsacco (Jun 12, 2003)

Problem:

My 13-year-old son is a beginning gamer and has downloaded all kinds of trojans, viruses and takeover software on my PC.

I'm attempting to clean it all up using TSG.

Below is the info you requested.

thanks,
bob

here's my system:

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, 64 bit
Processor: AMD Phenom(tm) II X4 810 Processor, AMD64 Family 16 Model 4 Stepping 2
Processor Count: 4
RAM: 5887 Mb
Graphics Card: ATI Radeon HD 5450, 512 Mb
Hard Drives: C: Total - 936359 MB, Free - 864025 MB; E: Total - 152617 MB, Free - 21034 MB;
Motherboard: Gateway, RS780
Antivirus: Microsoft Security Essentials, Updated and Enabled

---------------------------------------------------------------------------------------------------------

1. Copy and paste the HijackThis log.
2. Copy and paste the contents of the DDS.txt file.
3. Upload as an attachment the Attach.txt file. There is no need to zip it as suggested in the DDS instructions.

-------------------------------------------------------------------------------------------------------------

1) HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:18:09 PM, on 8/12/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\WhatPulse\WhatPulse.exe
C:\Program Files (x86)\Free Download Manager\fdm.exe
C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe
C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe
C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173612094204p2329u985408l17472
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3198785
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173612094204p2329u985408l17472
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com/?crg=3.1010000.10002&barid={72A4EB45-B58E-11E1-BB3F-90FBA6492CD1}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: InternetHelper Toolbar - {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
R3 - URLSearchHook: WhiteSmoke US Toolbar - {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: 216.239.32.20 www.google.ae # bck9
O1 - Hosts: 216.239.32.20 www.google.at # bck9
O1 - Hosts: 216.239.32.20 www.google.be # bck9
O1 - Hosts: 216.239.32.20 www.google.ca # bck9
O1 - Hosts: 216.239.32.20 www.google.ch # bck9
O1 - Hosts: 216.239.32.20 www.google.cl # bck9
O1 - Hosts: 216.239.32.20 www.google.co.il # bck9
O1 - Hosts: 216.239.32.20 www.google.co.in # bck9
O1 - Hosts: 216.239.32.20 www.google.co.jp # bck9
O1 - Hosts: 216.239.32.20 www.google.co.kr # bck9
O1 - Hosts: 216.239.32.20 www.google.co.nz # bck9
O1 - Hosts: 216.239.32.20 www.google.co.uk # bck9
O1 - Hosts: 216.239.32.20 www.google.co.ve # bck9
O1 - Hosts: 216.239.32.20 www.google.co.za # bck9
O1 - Hosts: 216.239.32.20 www.google.com # bck9
O1 - Hosts: 216.239.32.20 www.google.com.ar # bck9
O1 - Hosts: 216.239.32.20 www.google.com.au # bck9
O1 - Hosts: 216.239.32.20 www.google.com.br # bck9
O1 - Hosts: 216.239.32.20 www.google.com.co # bck9
O1 - Hosts: 216.239.32.20 www.google.com.gr # bck9
O1 - Hosts: 216.239.32.20 www.google.com.hk # bck9
O1 - Hosts: 216.239.32.20 www.google.com.mx # bck9
O1 - Hosts: 216.239.32.20 www.google.com.my # bck9
O1 - Hosts: 216.239.32.20 www.google.com.pe # bck9
O1 - Hosts: 216.239.32.20 www.google.com.ph # bck9
O1 - Hosts: 216.239.32.20 www.google.com.pk # bck9
O1 - Hosts: 216.239.32.20 www.google.com.sg # bck9
O1 - Hosts: 216.239.32.20 www.google.com.tr # bck9
O1 - Hosts: 216.239.32.20 www.google.com.tw # bck9
O1 - Hosts: 216.239.32.20 www.google.com.ua # bck9
O1 - Hosts: 216.239.32.20 www.google.de # bck9
O1 - Hosts: 216.239.32.20 www.google.dk # bck9
O1 - Hosts: 216.239.32.20 www.google.es # bck9
O1 - Hosts: 216.239.32.20 www.google.fi # bck9
O1 - Hosts: 216.239.32.20 www.google.fr # bck9
O1 - Hosts: 216.239.32.20 www.google.it # bck9
O1 - Hosts: 216.239.32.20 www.google.lt # bck9
O1 - Hosts: 216.239.32.20 www.google.lv # bck9
O1 - Hosts: 216.239.32.20 www.google.nl # bck9
O1 - Hosts: 216.239.32.20 www.google.pl # bck9
O1 - Hosts: 216.239.32.20 www.google.pt # bck9
O1 - Hosts: 216.239.32.20 www.google.ro # bck9
O1 - Hosts: 216.239.32.20 www.google.ru # bck9
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: DefaultTabBHO - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: InternetHelper - {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
O2 - BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
O2 - BHO: WhiteSmoke US - {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
O2 - BHO: WeCareReminder - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
O3 - Toolbar: SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: InternetHelper Toolbar - {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
O3 - Toolbar: WhiteSmoke US Toolbar - {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [Sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [Aeria Ignite] "C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe" silent
O4 - HKLM\..\Run: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\Gateway\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files (x86)\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files (x86)\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [InstallIQUpdater] "C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
O4 - Global Startup: Windows Home Server.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Blue Coat Systems, Inc. - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: DefaultTabSearch - Unknown owner - C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe
O23 - Service: DefaultTabUpdate - Unknown owner - C:\Users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: Hi-Rez Studios Authenticate and Update Service (HiPatchService) - Hi-Rez Studios - C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
O23 - Service: HPMSSConnectorService (HPMSSConnectorSvc) - HP - C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe
O23 - Service: MediaCollectorService - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
O23 - Service: Updater Service - Acer - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 16324 bytes

--------------------------------------------
2. Copy and paste the contents of the DDS.txt file

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Gateway at 18:04:33 on 2012-08-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.2674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\svchost.exe -k yksvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
C:\Program Files\Windows Home Server\esClient.exe
C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\WhatPulse\WhatPulse.exe
C:\Program Files (x86)\Free Download Manager\fdm.exe
C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe
C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe
C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Gateway\Gateway Updater\alu.exe
C:\Windows\system32\taskhost.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Gateway\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173612094204p2329u985408l17472
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173612094204p2329u985408l17472
mStart Page = hxxp://home.sweetim.com/?crg=3.1010000.10002&barid={72A4EB45-B58E-11E1-BB3F-90FBA6492CD1}
uURLSearchHooks: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
uURLSearchHooks: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
mURLSearchHooks: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
mURLSearchHooks: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
mWinlogon: Userinit=userinit.exe
BHO: Vid-Saver: {11111111-1111-1111-1111-110011341191} - C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: DefaultTab Browser Helper: {7f6afbf1-e065-4627-a2fd-810366367d01} - C:\Users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
BHO: Free Download Manager: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO: SweetPacks Browser Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
TB: SweetPacks Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
TB: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
TB: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
uRun: [msnmsgr] ~"C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\Gateway\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [WhatPulse] C:\Program Files (x86)\WhatPulse\WhatPulse.exe
uRun: [Free Download Manager] "C:\Program Files (x86)\Free Download Manager\fdm.exe" -autorun
uRun: [InstallIQUpdater] "C:\Program Files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe
mRun: [Sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Aeria Ignite] "C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe" silent
mRun: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WINDOW~1.LNK - C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{AD811550-F883-428A-A036-A346B5E500A4} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Vid-Saver: {11111111-1111-1111-1111-110011341191} - C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll
BHO-X64: CrossriderApp0003491 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
BHO-X64: DefaultTabBHO - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
BHO-X64: InternetHelper - No File
BHO-X64: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO-X64: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
BHO-X64: WhiteSmoke US - No File
BHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
BHO-X64: WeCareReminder - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO-X64: SweetPacks Browser Helper: {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
BHO-X64: SWEETIE - No File
BHO-X64: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
BHO-X64: Yontoo Layers - No File
TB-X64: SweetPacks Toolbar for Internet Explorer: {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
TB-X64: InternetHelper Toolbar: {9d0f7eb2-452d-4766-b535-8d23e36c300e} - C:\Program Files (x86)\InternetHelper\prxtbInte.dll
TB-X64: WhiteSmoke US Toolbar: {cce665dd-f6dd-4808-968e-eaec971f70ef} - C:\Program Files (x86)\WhiteSmoke_US\prxtbWhit.dll
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe
mRun-x64: [Sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun-x64: [Aeria Ignite] "C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe" silent
mRun-x64: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
Hosts: 216.239.32.20 www.google.ae # bck9
Hosts: 216.239.32.20 www.google.at # bck9
Hosts: 216.239.32.20 www.google.be # bck9
Hosts: 216.239.32.20 www.google.ca # bck9
Hosts: 216.239.32.20 www.google.ch # bck9
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3237160&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke US Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Gateway\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\{9d0f7eb2-452d-4766-b535-8d23e36c300e}\plugins\np-mswmp.dll
FF - plugin: C:\Users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, eed588e4-6889-4bbe-98bc-a96b805bc761
FF - user.js: extentions.y2layers.defaultEnableAppsList - pagerage,ezLooker,buzzdock,toprelatedtopics,twittube
.
FF - user.js: extensions.autoDisableScopes - 14
.
============= SERVICES / DRIVERS ===============
.
P2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-7-22 8704]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 bckd;bckd;C:\Windows\system32\drivers\bckd.sys --> C:\Windows\system32\drivers\bckd.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 231280]
R2 bckwfs;Blue Coat K9 Web Protection;C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [2012-2-13 2122000]
R2 DefaultTabUpdate;DefaultTabUpdate;C:\Users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [2012-8-1 107520]
R2 esClient;Windows Media Center Client Service;C:\Program Files\Windows Home Server\esClient.exe [2011-1-10 109936]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-6-4 1150496]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-2-28 2343816]
R2 HPMSSConnectorSvc;HPMSSConnectorService;C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-5 20992]
R2 MediaCollectorService;MediaCollectorService;C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-5 81920]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-12 62208]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech HD Webcam C310(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 DefaultTabSearch;DefaultTabSearch;C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [2012-5-18 563200]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-5 250056]
S3 cxpl_mhd;CX23885/7 PCI-E AvStream Video Capture (PalomarMHD);C:\Windows\system32\drivers\y_cx88x.sys --> C:\Windows\system32\drivers\y_cx88x.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-6-17 237008]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n64.sys --> C:\Windows\system32\DRIVERS\RTL85n64.sys [?]
S3 SrvHsfPCI;SrvHsfPCI;C:\Windows\system32\DRIVERS\VSTBS26.SYS --> C:\Windows\system32\DRIVERS\VSTBS26.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
.
=============== Created Last 30 ================
.
2012-08-13 01:03:57	388096	----a-r-	C:\Users\Gateway\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-08-13 01:03:56	--------	d-----w-	C:\Program Files (x86)\Trend Micro
2012-08-13 00:33:35	69000	----a-w-	C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{237C8975-F16F-4925-9E3B-893291D738A2}\offreg.dll
2012-08-13 00:13:34	9133488	----a-w-	C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{237C8975-F16F-4925-9E3B-893291D738A2}\mpengine.dll
2012-08-12 22:37:12	--------	d-----w-	C:\Program Files (x86)\Windows Home Server
2012-08-12 22:37:10	--------	d-----w-	C:\Program Files\Windows Home Server
2012-08-12 20:58:35	9133488	----a-w-	C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-05 04:52:40	--------	d-----w-	C:\Users\Gateway\AppData\Roaming\.minecraft
2012-08-01 23:49:39	544008	----a-w-	C:\Windows\System32\npdeployJava1.dll
2012-08-01 23:49:39	525576	----a-w-	C:\Windows\System32\deployJava1.dll
2012-08-01 23:48:48	--------	d-----w-	C:\Program Files (x86)\WhiteSmoke_US
2012-08-01 23:48:40	--------	d-----w-	C:\Program Files (x86)\Optimizer Pro
2012-08-01 23:48:38	--------	d-----w-	C:\Users\Gateway\AppData\Local\The Weather Channel
2012-08-01 23:48:34	--------	d-----w-	C:\Users\Gateway\AppData\Local\Vid-Saver
2012-08-01 23:48:30	--------	d-----w-	C:\Program Files (x86)\Vid-Saver
2012-08-01 23:47:00	--------	d-----w-	C:\Users\Gateway\AppData\Roaming\.techniclauncher
2012-08-01 23:45:33	--------	d-----w-	C:\Program Files (x86)\Yontoo
2012-08-01 23:45:31	--------	d-----w-	C:\ProgramData\Tarma Installer
2012-08-01 23:45:28	--------	d-----w-	C:\Users\Gateway\AppData\Local\antiphishing-vmninternethelper1_1dn
2012-08-01 23:45:27	--------	d-----w-	C:\ProgramData\Anti-phishing Domain Advisor
2012-08-01 23:45:17	--------	d-----w-	C:\Program Files (x86)\Conduit
2012-08-01 23:45:15	--------	d-----w-	C:\Users\Gateway\AppData\Local\Conduit
2012-08-01 23:45:14	--------	d-----w-	C:\Program Files (x86)\InternetHelper
2012-08-01 23:45:04	--------	d-----w-	C:\Users\Gateway\AppData\Local\CRE
2012-08-01 23:44:56	--------	d-----w-	C:\Users\Gateway\AppData\Roaming\Free Download Manager
2012-08-01 23:44:52	--------	d-----w-	C:\Program Files (x86)\Free Download Manager
2012-08-01 23:40:55	--------	d-----w-	C:\Program Files (x86)\DefaultTab
2012-08-01 23:40:48	--------	d-----w-	C:\Users\Gateway\AppData\Roaming\DefaultTab
2012-08-01 23:40:44	--------	d-----w-	C:\ProgramData\W3i
2012-08-01 23:40:44	--------	d-----w-	C:\Program Files (x86)\W3i
2012-08-01 23:40:27	--------	d-----w-	C:\ProgramData\WeCareReminder
2012-07-27 21:27:43	737072	----a-w-	C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-07-26 21:28:10	4283672	----a-w-	C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-07-26 21:27:58	42776	----a-w-	C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-07-26 16:25:18	--------	d-----w-	C:\Program Files (x86)\Aeria Games
2012-07-22 17:48:05	77656	----a-w-	C:\Windows\System32\XAPOFX1_5.dll
2012-07-22 17:48:05	74072	----a-w-	C:\Windows\SysWow64\XAPOFX1_5.dll
2012-07-22 17:48:04	527192	----a-w-	C:\Windows\SysWow64\XAudio2_7.dll
2012-07-22 17:48:04	518488	----a-w-	C:\Windows\System32\XAudio2_7.dll
2012-07-22 17:48:04	2526056	----a-w-	C:\Windows\System32\D3DCompiler_43.dll
2012-07-22 17:48:04	2106216	----a-w-	C:\Windows\SysWow64\D3DCompiler_43.dll
2012-07-22 17:48:03	276832	----a-w-	C:\Windows\System32\d3dx11_43.dll
2012-07-22 17:48:03	248672	----a-w-	C:\Windows\SysWow64\d3dx11_43.dll
2012-07-22 17:48:02	511328	----a-w-	C:\Windows\System32\d3dx10_43.dll
2012-07-22 17:48:02	470880	----a-w-	C:\Windows\SysWow64\d3dx10_43.dll
2012-07-22 17:48:00	2401112	----a-w-	C:\Windows\System32\D3DX9_43.dll
2012-07-22 17:48:00	1998168	----a-w-	C:\Windows\SysWow64\D3DX9_43.dll
2012-07-22 17:47:59	24920	----a-w-	C:\Windows\System32\X3DAudio1_7.dll
2012-07-22 17:47:59	22360	----a-w-	C:\Windows\SysWow64\X3DAudio1_7.dll
2012-07-22 17:22:27	--------	d-----w-	C:\ProgramData\Hi-Rez Studios
2012-07-22 17:22:24	--------	d-----w-	C:\Program Files (x86)\Hi-Rez Studios
2012-07-22 16:48:12	--------	d-----w-	C:\Users\Gateway\AppData\Roaming\WhatPulse
2012-07-22 16:48:11	--------	d-----w-	C:\Program Files (x86)\WhatPulse
2012-07-21 01:45:44	--------	d-----w-	C:\Users\Gateway\AppData\Local\Ubisoft Game Launcher
2012-07-21 01:42:26	189248	----a-w-	C:\Windows\SysWow64\PnkBstrB.exe
2012-07-21 01:42:24	75136	----a-w-	C:\Windows\SysWow64\PnkBstrA.exe
2012-07-21 01:39:59	469264	----a-w-	C:\Windows\System32\d3dx10.dll
2012-07-20 23:55:05	--------	d-----w-	C:\Users\Gateway\AppData\Local\Macromedia
2012-07-20 23:47:48	--------	d-----w-	C:\Program Files (x86)\Common Files\Steam
2012-07-20 23:47:46	--------	d-----w-	C:\Program Files (x86)\Steam
2012-07-20 23:46:09	--------	d-----w-	C:\Users\Gateway\AppData\Local\Mozilla
2012-07-19 05:34:02	--------	d-----w-	C:\Users\Gateway\AppData\Local\Aeria Games
2012-07-19 02:41:18	--------	d-----w-	C:\Users\Gateway\AppData\Local\Microsoft Games
2012-07-19 02:15:55	737072	----a-w-	C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-07-19 02:05:14	4283672	----a-w-	C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-07-19 02:05:02	42776	----a-w-	C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-07-19 02:04:53	539984	----a-w-	C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-07-17 04:30:58	--------	d-----w-	C:\Windows Home Server Drivers for Restore
.
==================== Find3M ====================
.
2012-08-03 02:55:31	70344	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-03 02:55:31	426184	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-03 20:46:44	24904	----a-w-	C:\Windows\System32\drivers\mbam.sys
2012-06-13 04:28:13	772592	----a-w-	C:\Windows\SysWow64\npDeployJava1.dll
2012-06-12 03:02:52	3147264	----a-w-	C:\Windows\System32\win32k.sys
2012-06-06 05:50:50	2003968	----a-w-	C:\Windows\System32\msxml6.dll
2012-06-06 05:50:50	1880064	----a-w-	C:\Windows\System32\msxml3.dll
2012-06-06 05:09:46	1389568	----a-w-	C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:09:46	1236992	----a-w-	C:\Windows\SysWow64\msxml3.dll
2012-06-02 22:19:42	186752	----a-w-	C:\Windows\System32\wuwebv.dll
2012-06-02 22:15:31	2622464	----a-w-	C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12	36864	----a-w-	C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08	99840	----a-w-	C:\Windows\System32\wudriver.dll
2012-06-02 12:12:17	2311680	----a-w-	C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28	1392128	----a-w-	C:\Windows\System32\wininet.dll
2012-06-02 12:04:50	1494528	----a-w-	C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40	173056	----a-w-	C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08	2382848	----a-w-	C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25	1800192	----a-w-	C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08	1129472	----a-w-	C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03	1427968	----a-w-	C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33	142848	----a-w-	C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:38:26	95088	----a-w-	C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:38:24	152432	----a-w-	C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:37:45	459216	----a-w-	C:\Windows\System32\drivers\cng.sys
2012-06-02 05:27:02	340992	----a-w-	C:\Windows\System32\schannel.dll
2012-06-02 05:27:00	307200	----a-w-	C:\Windows\System32\ncrypt.dll
2012-06-02 04:48:39	22016	----a-w-	C:\Windows\SysWow64\secur32.dll
2012-06-02 04:48:35	225280	----a-w-	C:\Windows\SysWow64\schannel.dll
2012-06-02 04:47:31	219136	----a-w-	C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:42:51	96768	----a-w-	C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 18:06:14.60 ===============

-----------------------------------------------------------------------------------------------------

3. Upload as an attachment the Attach.txt file. There is no need to zip it as suggested in the DDS instructions

see attached


----------



## DaveBurnett (Nov 11, 2002)

I can understand why it has taken a while for you to get a response. That is quite a lot of stuff there and not easy to unravel and not all of it good. Some of the things there I have never seen before so I would have to research.
Unfortunately I'm not qualified on this forum to help, as the malware people all do special courses as a lot of the advice can be dangerous to your machine.
I do think someone has looked at it but possibly been overwhelmed by later posts.
Now that I have replied, it will go back to the top. If it drops to below page two without a response, politely add a "bump" post.


----------



## bsacco (Jun 12, 2003)

Hi Dave
Thanks for the advice.

Can you tell me what a bump post is and the best way to do it?


----------



## DaveBurnett (Nov 11, 2002)

It is just a reply to your post. Whenever someone replies, it takes the time from the reply when showing posts in "newest first" sequence. But don't abuse it or a moderator will jump in and kill it.


----------



## bsacco (Jun 12, 2003)

Hi, this is a polite "bump" as it's been several days and a PayPal donation. Still awaiting some TSG help.

thanks in advance.

Bob


----------



## bsacco (Jun 12, 2003)

Can someone recommend ComboFix.exe? Just want to know if it's safe before I run it.


----------



## bsacco (Jun 12, 2003)

OK, well, no response here on TSG, so I went ahead and ran ComboFix. Below is the log file. Anyone want to take a shot at looking at it and tell me if any further action is needed?

ComboFix 12-08-16.01 - Gateway 08/16/2012 14:52:54.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.3885 [GMT -7:00]
Running from: c:\users\Gateway\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Vid-Saver
c:\program files (x86)\Vid-Saver\Uninstall.exe
c:\program files (x86)\Vid-Saver\Vid-Saver.exe
c:\program files (x86)\Vid-Saver\Vid-Saver.ico
c:\program files (x86)\Vid-Saver\Vid-Saver.ini
c:\program files (x86)\Vid-Saver\Vid-SaverInstaller.log
c:\users\Gateway\AppData\Local\Vid-Saver
c:\users\Gateway\AppData\Local\Vid-Saver\Chrome\Vid-Saver.crx
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\addon.ico
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\bing.ico
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabStart.exe
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabWrap.dll
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DT.ico
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\google.ico
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\searchhere.ico
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\yahoo.ico
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome.manifest
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\background.html
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\browser.xul
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\crossrider.js
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\crossriderapi.js
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\dialog.js
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\options.js
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\options.xul
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\search_dialog.xul
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\chrome\content\update.html
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\defaults\preferences\prefs.js
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\install.rdf
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\locale\en-US\translations.dtd
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\button1.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\button2.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\button3.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\button4.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\button5.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\crossrider_statusbar.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\icon128.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\icon16.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\icon24.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\icon48.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\panelarrow-up.png
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\popup.css
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\popup.html
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\popup_binding.xml
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\skin.css
c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\extensions\[email protected]\skin\update.css
c:\users\Gateway\Desktop\Setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_DefaultTabUpdate
-------\Service_DefaultTabUpdate
.
.
((((((((((((((((((((((((( Files Created from 2012-07-16 to 2012-08-16 )))))))))))))))))))))))))))))))
.
.
2012-08-16 22:02 . 2012-08-16 22:02	--------	d-----w-	c:\users\Nico\AppData\Local\temp
2012-08-16 22:02 . 2012-08-16 22:02	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-08-16 18:57 . 2012-08-16 20:10	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2012-08-16 16:00 . 2012-08-16 16:00	--------	d-----w-	c:\users\Public\OEM
2012-08-16 09:42 . 2012-08-16 09:42	--------	d-----w-	C:\Windows Home Server Drivers for Restore
2012-08-15 18:42 . 2012-06-29 10:04	9133488	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9686DDA-F6BC-4063-A9F4-33BA51601607}\mpengine.dll
2012-08-15 13:56 . 2012-05-05 08:30	503808	----a-w-	c:\windows\system32\srcore.dll
2012-08-15 13:56 . 2012-05-05 07:44	43008	----a-w-	c:\windows\SysWow64\srclient.dll
2012-08-15 13:56 . 2012-02-11 06:36	751104	----a-w-	c:\windows\system32\win32spl.dll
2012-08-15 13:56 . 2012-02-11 06:29	67584	----a-w-	c:\windows\splwow64.exe
2012-08-15 13:56 . 2012-02-11 05:44	492032	----a-w-	c:\windows\SysWow64\win32spl.dll
2012-08-15 13:56 . 2012-02-11 06:29	559104	----a-w-	c:\windows\system32\spoolsv.exe
2012-08-15 13:55 . 2012-07-04 21:23	41472	----a-w-	c:\windows\SysWow64\browcli.dll
2012-08-15 13:55 . 2012-07-04 22:04	73216	----a-w-	c:\windows\system32\netapi32.dll
2012-08-15 13:55 . 2012-07-04 22:01	58880	----a-w-	c:\windows\system32\browcli.dll
2012-08-15 13:55 . 2012-07-04 22:01	136704	----a-w-	c:\windows\system32\browser.dll
2012-08-15 13:55 . 2012-07-18 17:31	3146752	----a-w-	c:\windows\system32\win32k.sys
2012-08-15 13:55 . 2012-05-14 05:20	956416	----a-w-	c:\windows\system32\localspl.dll
2012-08-14 19:55 . 2012-08-14 19:55	9826504	----a-w-	c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-08-14 16:04 . 2012-06-29 10:04	9133488	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-13 16:56 . 2012-08-13 16:56	--------	d-----w-	c:\users\Gateway\AppData\Local\LogMeIn Rescue Applet
2012-08-13 01:03 . 2012-08-13 01:03	388096	----a-r-	c:\users\Gateway\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-08-13 01:03 . 2012-08-13 01:03	--------	d-----w-	c:\program files (x86)\Trend Micro
2012-08-12 22:37 . 2012-08-12 22:37	--------	d-----w-	c:\program files (x86)\Windows Home Server
2012-08-12 22:37 . 2012-08-12 22:37	--------	d-----w-	c:\program files\Windows Home Server
2012-08-05 04:52 . 2012-08-05 04:53	--------	d-----w-	c:\users\Gateway\AppData\Roaming\.minecraft
2012-08-03 02:00 . 2012-08-03 04:34	--------	d-----w-	c:\users\Nico\AppData\Local\antiphishing-vmninternethelper1_1dn
2012-08-01 23:49 . 2012-08-01 23:49	544008	----a-w-	c:\windows\system32\npdeployJava1.dll
2012-08-01 23:49 . 2012-08-01 23:49	525576	----a-w-	c:\windows\system32\deployJava1.dll
2012-08-01 23:49 . 2012-08-01 23:49	191240	----a-w-	c:\windows\system32\javaws.exe
2012-08-01 23:40 . 2012-08-01 23:41	--------	d-----w-	c:\program files (x86)\DefaultTab
2012-08-01 23:40 . 2012-08-01 23:40	--------	d-----w-	c:\program files (x86)\7-zip
2012-08-01 23:40 . 2012-08-16 22:00	--------	d-----w-	c:\users\Gateway\AppData\Roaming\DefaultTab
2012-08-01 23:40 . 2012-08-13 07:23	--------	d-----w-	c:\programdata\WeCareReminder
2012-07-31 22:55 . 2012-07-31 22:56	--------	d-----w-	c:\users\Olivia
2012-07-27 21:27 . 2012-07-27 21:27	737072	----a-w-	c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-07-26 21:28 . 2012-07-26 21:28	4283672	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-07-26 21:27 . 2012-07-26 21:27	42776	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-07-26 16:25 . 2012-07-26 16:25	--------	d-----w-	c:\program files (x86)\Aeria Games
2012-07-23 16:43 . 2012-07-23 16:44	--------	d-----w-	c:\users\Nico\AppData\Local\Ubisoft Game Launcher
2012-07-22 19:53 . 2012-07-22 19:59	--------	d-----w-	c:\users\Nico\AppData\Roaming\WhatPulse
2012-07-22 17:48 . 2010-06-02 11:55	77656	----a-w-	c:\windows\system32\XAPOFX1_5.dll
2012-07-22 17:48 . 2010-06-02 11:55	74072	----a-w-	c:\windows\SysWow64\XAPOFX1_5.dll
2012-07-22 17:48 . 2010-06-02 11:55	527192	----a-w-	c:\windows\SysWow64\XAudio2_7.dll
2012-07-22 17:48 . 2010-06-02 11:55	518488	----a-w-	c:\windows\system32\XAudio2_7.dll
2012-07-22 17:48 . 2010-05-26 18:41	2526056	----a-w-	c:\windows\system32\D3DCompiler_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	2106216	----a-w-	c:\windows\SysWow64\D3DCompiler_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	276832	----a-w-	c:\windows\system32\d3dx11_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	248672	----a-w-	c:\windows\SysWow64\d3dx11_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	511328	----a-w-	c:\windows\system32\d3dx10_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	470880	----a-w-	c:\windows\SysWow64\d3dx10_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	1998168	----a-w-	c:\windows\SysWow64\D3DX9_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	2401112	----a-w-	c:\windows\system32\D3DX9_43.dll
2012-07-22 17:47 . 2010-02-04 17:01	24920	----a-w-	c:\windows\system32\X3DAudio1_7.dll
2012-07-22 17:47 . 2010-02-04 17:01	22360	----a-w-	c:\windows\SysWow64\X3DAudio1_7.dll
2012-07-22 17:22 . 2012-07-22 17:22	--------	d-----w-	c:\programdata\Hi-Rez Studios
2012-07-22 17:22 . 2012-07-22 17:22	--------	d-----w-	c:\program files (x86)\Hi-Rez Studios
2012-07-22 16:54 . 2012-07-22 16:54	--------	d-----w-	c:\windows\Sun
2012-07-22 16:48 . 2012-07-22 16:55	--------	d-----w-	c:\users\Gateway\AppData\Roaming\WhatPulse
2012-07-22 16:48 . 2012-07-22 16:48	--------	d-----w-	c:\program files (x86)\WhatPulse
2012-07-21 01:45 . 2012-07-21 01:48	--------	d-----w-	c:\users\Gateway\AppData\Local\Ubisoft Game Launcher
2012-07-21 01:45 . 2012-07-21 01:45	--------	d-----w-	c:\programdata\Ubisoft
2012-07-21 01:42 . 2012-07-21 01:42	--------	d-----w-	c:\program files (x86)\Ubisoft
2012-07-21 01:42 . 2012-07-21 01:42	189248	----a-w-	c:\windows\SysWow64\PnkBstrB.exe
2012-07-21 01:42 . 2012-07-21 01:42	75136	----a-w-	c:\windows\SysWow64\PnkBstrA.exe
2012-07-21 01:39 . 2006-11-29 20:06	469264	----a-w-	c:\windows\system32\d3dx10.dll
2012-07-20 23:55 . 2012-07-20 23:55	--------	d-----w-	c:\users\Gateway\AppData\Local\Macromedia
2012-07-20 23:47 . 2012-08-02 20:13	--------	d-----w-	c:\program files (x86)\Common Files\Steam
2012-07-20 23:47 . 2012-08-16 22:04	--------	d-----w-	c:\program files (x86)\Steam
2012-07-20 23:46 . 2012-07-20 23:46	--------	d-----w-	c:\users\Gateway\AppData\Local\Mozilla
2012-07-19 05:34 . 2012-07-19 05:34	--------	d-----w-	c:\users\Gateway\AppData\Local\Aeria Games
2012-07-19 02:41 . 2012-07-19 02:41	--------	d-----w-	c:\users\Gateway\AppData\Local\Microsoft Games
2012-07-19 02:15 . 2012-07-19 02:15	737072	----a-w-	c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-07-19 02:05 . 2012-07-19 02:05	4283672	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-07-19 02:05 . 2012-07-19 02:05	42776	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-07-19 02:04 . 2012-07-19 02:04	539984	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-07-19 01:42 . 2012-07-19 01:42	--------	d-----w-	c:\users\Guest
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-14 19:55 . 2012-05-05 22:06	70344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-14 19:55 . 2012-05-05 22:06	426184	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 20:46 . 2012-04-19 04:01	24904	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-13 04:28 . 2012-06-13 04:28	772592	----a-w-	c:\windows\SysWow64\npDeployJava1.dll
2012-06-09 05:30 . 2012-07-11 21:36	14165504	----a-w-	c:\windows\system32\shell32.dll
2012-06-07 03:59 . 2012-06-07 03:59	1070152	----a-w-	c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 05:50 . 2012-07-11 21:36	1880064	----a-w-	c:\windows\system32\msxml3.dll
2012-06-06 05:50 . 2012-07-11 21:36	2003968	----a-w-	c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 21:36	1389568	----a-w-	c:\windows\SysWow64\msxml6.dll
2012-06-06 05:09 . 2012-07-11 21:36	1236992	----a-w-	c:\windows\SysWow64\msxml3.dll
2012-06-02 22:19 . 2012-06-21 17:59	38424	----a-w-	c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 17:59	2428952	----a-w-	c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 17:59	57880	----a-w-	c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 17:59	44056	----a-w-	c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 17:58	186752	----a-w-	c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 17:59	701976	----a-w-	c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 17:59	2622464	----a-w-	c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 17:58	36864	----a-w-	c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-21 17:59	99840	----a-w-	c:\windows\system32\wudriver.dll
2012-06-02 05:38 . 2012-07-11 21:36	95088	----a-w-	c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:38 . 2012-07-11 21:36	152432	----a-w-	c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:37 . 2012-07-11 21:36	459216	----a-w-	c:\windows\system32\drivers\cng.sys
2012-06-02 05:27 . 2012-07-11 21:36	340992	----a-w-	c:\windows\system32\schannel.dll
2012-06-02 05:27 . 2012-07-11 21:36	307200	----a-w-	c:\windows\system32\ncrypt.dll
2012-06-02 04:48 . 2012-07-11 21:36	22016	----a-w-	c:\windows\SysWow64\secur32.dll
2012-06-02 04:48 . 2012-07-11 21:36	225280	----a-w-	c:\windows\SysWow64\schannel.dll
2012-06-02 04:47 . 2012-07-11 21:36	219136	----a-w-	c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:42 . 2012-07-11 21:36	96768	----a-w-	c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9d0f7eb2-452d-4766-b535-8d23e36c300e}"= "c:\program files (x86)\InternetHelper\prxtbInte.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{9d0f7eb2-452d-4766-b535-8d23e36c300e}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{9d0f7eb2-452d-4766-b535-8d23e36c300e}]
2011-05-09 09:49	176936	----a-w-	c:\program files (x86)\InternetHelper\prxtbInte.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{9d0f7eb2-452d-4766-b535-8d23e36c300e}"= "c:\program files (x86)\InternetHelper\prxtbInte.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{9d0f7eb2-452d-4766-b535-8d23e36c300e}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-08-02 5661056]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-05-03 17355912]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-04 1353080]
"WhatPulse"="c:\program files (x86)\WhatPulse\WhatPulse.exe" [2011-11-15 3990528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-12 244480]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-18 98304]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-29 1987976]
"Aeria Ignite"="c:\program files (x86)\Aeria Games\Ignite\aeriaignite.exe" [2012-07-20 1403032]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-07-29 217256]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2012-8-12 666992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DefaultTabSearch;DefaultTabSearch;c:\program files (x86)\DefaultTab\DefaultTabSearch.exe [2012-05-18 563200]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 250056]
R3 cxpl_mhd;CX23885/7 PCI-E AvStream Video Capture (PalomarMHD);c:\windows\system32\drivers\y_cx88x.sys [2009-06-22 714752]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 PCDSRVC{FCB8192B-340B18D0-06020101}_0;PCDSRVC{FCB8192B-340B18D0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\users\gateway\appdata\local\temp\9xgmq9v6heqc\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
R3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\DRIVERS\RTL85n64.sys [2009-07-03 452128]
R3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-19 1255736]
S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2012-02-13 108304]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-18 202752]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-01-10 231280]
S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2012-02-13 2122000]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2011-01-10 109936]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-29 2343816]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-05 20992]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-05 81920]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-12 62208]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2011-01-10 489840]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]
S3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2012-01-18 4865568]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-15 393216]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 19:55]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-906736673-1750738731-1279657910-1000Core.job
- c:\users\Gateway\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-19 03:55]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-906736673-1750738731-1279657910-1000UA.job
- c:\users\Gateway\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-19 03:55]
.
2012-08-16 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 1d0b0e93-2507-453c-bfa8-379645e4128e.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-08-16 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 20b8a137-78c3-402f-bf94-8f372a6a81ae.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-16 7883296]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-16 1833504]
"combofix"="c:\combofix\CF24806.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173612094204p2329u985408l17472
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3237160&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke US Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-Sweetpacks Communicator - c:\program files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
Toolbar-Locked - (no file)
AddRemove-DefaultTab - c:\users\Gateway\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{FCB8192B-340B18D0-06020101}_0]
"ImagePath"="\??\c:\users\gateway\appdata\local\temp\9xgmq9v6heqc\pcdrdiag\bin\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
.
**************************************************************************
.
Completion time: 2012-08-16 15:20:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-16 22:20
.
Pre-Run: 846,051,241,984 bytes free
Post-Run: 845,913,120,768 bytes free
.
- - End Of File - - 0FC5F8F8659F7E2DF00761AECD76B73D


----------



## jeffce (May 10, 2011)

Hi,

Sorry for any delay but as you can see we are very busy here.

Please download *aswMBR* to your desktop.


Right-click the aswMBR icon and choose Run as Administrator to run it.
Click the *Scan* button to start the scan.
If asked whether you would like to update the Avast virus database please do.
When it finishes, press the *Save log* button, save the log file to your desktop and post its contents in your next reply.


----------


----------



## bsacco (Jun 12, 2003)

OK, thanks for the reply Jeff.

Here is the scan you requested.

Quick question: I'm running Microsoft Security Essentials, SuperAntiSpyware, and Malwarebytes manually. Should I install Avast (full version)?

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-16 20:48:46
-----------------------------
20:48:46.230 OS Version: Windows x64 6.1.7600 
20:48:46.230 Number of processors: 4 586 0x402
20:48:46.231 ComputerName: GATEWAY-PC UserName: Gateway
20:48:47.698 Initialize success
20:50:48.778 AVAST engine defs: 12081601
20:51:19.008 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:51:19.013 Disk 0 Vendor: WDC_WD10EADS-22M2B0 01.00A01 Size: 953869MB BusType: 3
20:51:19.019 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-5
20:51:19.024 Disk 1 Vendor: MAXTOR_STM3160815AS 3.AAD Size: 152627MB BusType: 3
20:51:19.047 Disk 0 MBR read successfully
20:51:19.050 Disk 0 MBR scan
20:51:19.138 Disk 0 unknown MBR code
20:51:19.140 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 17408 MB offset 2048
20:51:19.182 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 35653632
20:51:19.208 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 936359 MB offset 35858432
20:51:19.260 Disk 0 scanning C:\Windows\system32\drivers
20:51:30.527 Service scanning
20:51:57.006 Modules scanning
20:51:57.028 Disk 0 trace - called modules:
20:51:57.057 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys 
20:51:57.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006249790]
20:51:57.068 3 CLASSPNP.SYS[fffff880018b143f] -> nt!IofCallDriver -> [0xfffffa8005cb08d0]
20:51:57.073 5 ACPI.sys[fffff88000e9c781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80061b3060]
20:51:58.445 AVAST engine scan C:\Windows
20:52:02.383 AVAST engine scan C:\Windows\system32
20:55:45.558 AVAST engine scan C:\Windows\system32\drivers
20:56:01.224 AVAST engine scan C:\Users\Gateway
21:04:00.626 AVAST engine scan C:\ProgramData
21:05:11.462 Scan finished successfully
21:13:54.762 Disk 0 MBR has been saved successfully to "C:\Users\Gateway\Desktop\MBR.dat"
21:13:54.836 The log file has been saved successfully to "C:\Users\Gateway\Desktop\aswMBR.txt"


----------



## jeffce (May 10, 2011)

Hi,



> Should I install Avast- full version?


No let's hold off on that for a bit. 

Please open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present _*inside*_ the box below:


> ClearJavaCache::
> 
> DDS::
> uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785
> ...



Save this as *CFScript.txt* and change the *"Save as type"* to *"All Files"* and place it on your desktop.










*Very Important!* Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
*When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.*
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------


----------



## bsacco (Jun 12, 2003)

Hi Jeff-

Here is the log you requested:

ComboFix 12-08-17.03 - Gateway 08/17/2012 10:09:45.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4487 [GMT -7:00]
Running from: c:\users\Gateway\Desktop\ComboFix.exe
Command switches used :: c:\users\Gateway\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Conduit
c:\program files (x86)\Conduit\Community Alerts\Alert.dll
c:\program files (x86)\InternetHelper\prxtbInte.dll
c:\program files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
c:\users\Gateway\AppData\Local\Conduit
c:\users\Gateway\AppData\Local\Conduit\CT3237160\InternetHelperAutoUpdateHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
.
.
2012-08-17 17:17 . 2012-08-17 17:17	--------	d-----w-	c:\users\Nico\AppData\Local\temp
2012-08-17 17:17 . 2012-08-17 17:17	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-08-17 13:01 . 2012-08-17 13:01	--------	d-----w-	c:\users\Gateway\AppData\Roaming\Canneverbe Limited
2012-08-17 13:01 . 2012-08-17 13:01	--------	d-----w-	c:\programdata\Canneverbe Limited
2012-08-17 13:01 . 2012-08-17 13:01	--------	d-----w-	c:\program files (x86)\CDBurnerXP
2012-08-16 22:49 . 2012-06-29 10:04	9133488	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D89F875D-961D-4462-BD41-B447C271A766}\mpengine.dll
2012-08-16 18:57 . 2012-08-16 20:10	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2012-08-16 16:00 . 2012-08-16 16:00	--------	d-----w-	c:\users\Public\OEM
2012-08-15 18:42 . 2012-06-29 10:04	9133488	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-15 13:56 . 2012-05-05 08:30	503808	----a-w-	c:\windows\system32\srcore.dll
2012-08-15 13:56 . 2012-05-05 07:44	43008	----a-w-	c:\windows\SysWow64\srclient.dll
2012-08-15 13:56 . 2012-02-11 06:36	751104	----a-w-	c:\windows\system32\win32spl.dll
2012-08-15 13:56 . 2012-02-11 06:29	67584	----a-w-	c:\windows\splwow64.exe
2012-08-15 13:56 . 2012-02-11 05:44	492032	----a-w-	c:\windows\SysWow64\win32spl.dll
2012-08-15 13:56 . 2012-02-11 06:29	559104	----a-w-	c:\windows\system32\spoolsv.exe
2012-08-15 13:55 . 2012-07-04 21:23	41472	----a-w-	c:\windows\SysWow64\browcli.dll
2012-08-15 13:55 . 2012-07-04 22:04	73216	----a-w-	c:\windows\system32\netapi32.dll
2012-08-15 13:55 . 2012-07-04 22:01	58880	----a-w-	c:\windows\system32\browcli.dll
2012-08-15 13:55 . 2012-07-04 22:01	136704	----a-w-	c:\windows\system32\browser.dll
2012-08-15 13:55 . 2012-07-18 17:31	3146752	----a-w-	c:\windows\system32\win32k.sys
2012-08-15 13:55 . 2012-05-14 05:20	956416	----a-w-	c:\windows\system32\localspl.dll
2012-08-14 19:55 . 2012-08-14 19:55	9826504	----a-w-	c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-08-13 16:56 . 2012-08-13 16:56	--------	d-----w-	c:\users\Gateway\AppData\Local\LogMeIn Rescue Applet
2012-08-13 01:03 . 2012-08-13 01:03	388096	----a-r-	c:\users\Gateway\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-08-13 01:03 . 2012-08-13 01:03	--------	d-----w-	c:\program files (x86)\Trend Micro
2012-08-12 22:37 . 2012-08-12 22:37	--------	d-----w-	c:\program files (x86)\Windows Home Server
2012-08-12 22:37 . 2012-08-12 22:37	--------	d-----w-	c:\program files\Windows Home Server
2012-08-05 04:52 . 2012-08-05 04:53	--------	d-----w-	c:\users\Gateway\AppData\Roaming\.minecraft
2012-08-03 02:00 . 2012-08-03 04:34	--------	d-----w-	c:\users\Nico\AppData\Local\antiphishing-vmninternethelper1_1dn
2012-08-01 23:49 . 2012-08-01 23:49	544008	----a-w-	c:\windows\system32\npdeployJava1.dll
2012-08-01 23:40 . 2012-08-01 23:41	--------	d-----w-	c:\program files (x86)\DefaultTab
2012-08-01 23:40 . 2012-08-01 23:40	--------	d-----w-	c:\program files (x86)\7-zip
2012-08-01 23:40 . 2012-08-16 22:00	--------	d-----w-	c:\users\Gateway\AppData\Roaming\DefaultTab
2012-08-01 23:40 . 2012-08-13 07:23	--------	d-----w-	c:\programdata\WeCareReminder
2012-07-31 22:55 . 2012-07-31 22:56	--------	d-----w-	c:\users\Olivia
2012-07-27 21:27 . 2012-07-27 21:27	737072	----a-w-	c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-07-26 21:28 . 2012-07-26 21:28	4283672	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-07-26 21:27 . 2012-07-26 21:27	42776	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-07-26 16:25 . 2012-07-26 16:25	--------	d-----w-	c:\program files (x86)\Aeria Games
2012-07-23 16:43 . 2012-07-23 16:44	--------	d-----w-	c:\users\Nico\AppData\Local\Ubisoft Game Launcher
2012-07-22 19:53 . 2012-07-22 19:59	--------	d-----w-	c:\users\Nico\AppData\Roaming\WhatPulse
2012-07-22 17:48 . 2010-06-02 11:55	77656	----a-w-	c:\windows\system32\XAPOFX1_5.dll
2012-07-22 17:48 . 2010-06-02 11:55	74072	----a-w-	c:\windows\SysWow64\XAPOFX1_5.dll
2012-07-22 17:48 . 2010-06-02 11:55	527192	----a-w-	c:\windows\SysWow64\XAudio2_7.dll
2012-07-22 17:48 . 2010-06-02 11:55	518488	----a-w-	c:\windows\system32\XAudio2_7.dll
2012-07-22 17:48 . 2010-05-26 18:41	2526056	----a-w-	c:\windows\system32\D3DCompiler_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	2106216	----a-w-	c:\windows\SysWow64\D3DCompiler_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	276832	----a-w-	c:\windows\system32\d3dx11_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	248672	----a-w-	c:\windows\SysWow64\d3dx11_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	511328	----a-w-	c:\windows\system32\d3dx10_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	470880	----a-w-	c:\windows\SysWow64\d3dx10_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	1998168	----a-w-	c:\windows\SysWow64\D3DX9_43.dll
2012-07-22 17:48 . 2010-05-26 18:41	2401112	----a-w-	c:\windows\system32\D3DX9_43.dll
2012-07-22 17:47 . 2010-02-04 17:01	24920	----a-w-	c:\windows\system32\X3DAudio1_7.dll
2012-07-22 17:47 . 2010-02-04 17:01	22360	----a-w-	c:\windows\SysWow64\X3DAudio1_7.dll
2012-07-22 17:22 . 2012-07-22 17:22	--------	d-----w-	c:\programdata\Hi-Rez Studios
2012-07-22 17:22 . 2012-07-22 17:22	--------	d-----w-	c:\program files (x86)\Hi-Rez Studios
2012-07-22 16:54 . 2012-07-22 16:54	--------	d-----w-	c:\windows\Sun
2012-07-22 16:48 . 2012-07-22 16:55	--------	d-----w-	c:\users\Gateway\AppData\Roaming\WhatPulse
2012-07-22 16:48 . 2012-07-22 16:48	--------	d-----w-	c:\program files (x86)\WhatPulse
2012-07-21 01:45 . 2012-07-21 01:48	--------	d-----w-	c:\users\Gateway\AppData\Local\Ubisoft Game Launcher
2012-07-21 01:45 . 2012-07-21 01:45	--------	d-----w-	c:\programdata\Ubisoft
2012-07-21 01:42 . 2012-07-21 01:42	--------	d-----w-	c:\program files (x86)\Ubisoft
2012-07-21 01:42 . 2012-07-21 01:42	189248	----a-w-	c:\windows\SysWow64\PnkBstrB.exe
2012-07-21 01:42 . 2012-07-21 01:42	75136	----a-w-	c:\windows\SysWow64\PnkBstrA.exe
2012-07-21 01:39 . 2006-11-29 20:06	469264	----a-w-	c:\windows\system32\d3dx10.dll
2012-07-20 23:55 . 2012-07-20 23:55	--------	d-----w-	c:\users\Gateway\AppData\Local\Macromedia
2012-07-20 23:47 . 2012-08-02 20:13	--------	d-----w-	c:\program files (x86)\Common Files\Steam
2012-07-20 23:47 . 2012-08-17 17:24	--------	d-----w-	c:\program files (x86)\Steam
2012-07-20 23:46 . 2012-07-20 23:46	--------	d-----w-	c:\users\Gateway\AppData\Local\Mozilla
2012-07-19 05:34 . 2012-07-19 05:34	--------	d-----w-	c:\users\Gateway\AppData\Local\Aeria Games
2012-07-19 02:41 . 2012-07-19 02:41	--------	d-----w-	c:\users\Gateway\AppData\Local\Microsoft Games
2012-07-19 02:15 . 2012-07-19 02:15	737072	----a-w-	c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-07-19 02:05 . 2012-07-19 02:05	4283672	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-07-19 02:05 . 2012-07-19 02:05	42776	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-07-19 02:04 . 2012-07-19 02:04	539984	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-07-19 01:42 . 2012-07-19 01:42	--------	d-----w-	c:\users\Guest
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-14 19:55 . 2012-05-05 22:06	70344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-14 19:55 . 2012-05-05 22:06	426184	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 20:46 . 2012-04-19 04:01	24904	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-13 04:28 . 2012-06-13 04:28	772592	----a-w-	c:\windows\SysWow64\npDeployJava1.dll
2012-06-09 05:30 . 2012-07-11 21:36	14165504	----a-w-	c:\windows\system32\shell32.dll
2012-06-07 03:59 . 2012-06-07 03:59	1070152	----a-w-	c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-06 05:50 . 2012-07-11 21:36	1880064	----a-w-	c:\windows\system32\msxml3.dll
2012-06-06 05:50 . 2012-07-11 21:36	2003968	----a-w-	c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 21:36	1389568	----a-w-	c:\windows\SysWow64\msxml6.dll
2012-06-06 05:09 . 2012-07-11 21:36	1236992	----a-w-	c:\windows\SysWow64\msxml3.dll
2012-06-02 22:19 . 2012-06-21 17:59	38424	----a-w-	c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 17:59	2428952	----a-w-	c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 17:59	57880	----a-w-	c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 17:59	44056	----a-w-	c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 17:58	186752	----a-w-	c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 17:59	701976	----a-w-	c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 17:59	2622464	----a-w-	c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 17:58	36864	----a-w-	c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-21 17:59	99840	----a-w-	c:\windows\system32\wudriver.dll
2012-06-02 05:38 . 2012-07-11 21:36	95088	----a-w-	c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:38 . 2012-07-11 21:36	152432	----a-w-	c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:37 . 2012-07-11 21:36	459216	----a-w-	c:\windows\system32\drivers\cng.sys
2012-06-02 05:27 . 2012-07-11 21:36	340992	----a-w-	c:\windows\system32\schannel.dll
2012-06-02 05:27 . 2012-07-11 21:36	307200	----a-w-	c:\windows\system32\ncrypt.dll
2012-06-02 04:48 . 2012-07-11 21:36	22016	----a-w-	c:\windows\SysWow64\secur32.dll
2012-06-02 04:48 . 2012-07-11 21:36	225280	----a-w-	c:\windows\SysWow64\schannel.dll
2012-06-02 04:47 . 2012-07-11 21:36	219136	----a-w-	c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:42 . 2012-07-11 21:36	96768	----a-w-	c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((( [email protected]_22.05.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-08-16 22:48	32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-16 21:43	32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-16 21:43	32768  c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-16 22:48	32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-16 21:43	16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-16 22:48	16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2012-08-16 22:49	32716 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-04-19 02:37 . 2012-08-16 22:05	16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-04-19 02:37 . 2012-08-17 17:20	16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-09 18:19 . 2012-08-17 17:20	16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-09 18:19 . 2012-08-16 22:05	16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-08-17 17:19 . 2012-08-17 17:19	2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-16 22:04 . 2012-08-16 22:04	2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-16 22:04 . 2012-08-16 22:04	2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-17 17:19 . 2012-08-17 17:19	2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-16 22:58 . 2012-08-16 22:48	262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-12-09 17:44 . 2012-08-17 12:11	337246 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2009-07-14 05:01 . 2012-08-16 22:03	309324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-08-17 17:17	309324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-04-20 05:05 . 2012-08-16 22:03	1538924 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-906736673-1750738731-1279657910-1000-8192.dat
+ 2012-04-20 05:05 . 2012-08-17 17:18	1538924 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-906736673-1750738731-1279657910-1000-8192.dat
+ 2009-07-14 02:34 . 2012-08-17 05:22	10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2012-08-16 21:59	10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-08-02 5661056]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-05-03 17355912]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-04 1353080]
"WhatPulse"="c:\program files (x86)\WhatPulse\WhatPulse.exe" [2011-11-15 3990528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-12 244480]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-18 98304]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-29 1987976]
"Aeria Ignite"="c:\program files (x86)\Aeria Games\Ignite\aeriaignite.exe" [2012-07-20 1403032]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-07-29 217256]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2012-8-12 666992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DefaultTabSearch;DefaultTabSearch;c:\program files (x86)\DefaultTab\DefaultTabSearch.exe [2012-05-18 563200]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 250056]
R3 cxpl_mhd;CX23885/7 PCI-E AvStream Video Capture (PalomarMHD);c:\windows\system32\drivers\y_cx88x.sys [2009-06-22 714752]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 PCDSRVC{FCB8192B-340B18D0-06020101}_0;PCDSRVC{FCB8192B-340B18D0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\users\gateway\appdata\local\temp\9xgmq9v6heqc\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
R3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\DRIVERS\RTL85n64.sys [2009-07-03 452128]
R3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-19 1255736]
S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2012-02-13 108304]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-18 202752]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-01-10 231280]
S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2012-02-13 2122000]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2011-01-10 109936]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-02-29 2343816]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [2009-10-05 20992]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [2009-10-05 81920]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-12 62208]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2011-01-10 489840]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2012-01-18 351136]
S3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2012-01-18 4865568]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-15 393216]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 19:55]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-906736673-1750738731-1279657910-1000Core.job
- c:\users\Gateway\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-19 03:55]
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-906736673-1750738731-1279657910-1000UA.job
- c:\users\Gateway\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-19 03:55]
.
2012-08-17 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 1d0b0e93-2507-453c-bfa8-379645e4128e.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2012-08-17 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 20b8a137-78c3-402f-bf94-8f372a6a81ae.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-06-16 7883296]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-06-16 1833504]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Gateway\AppData\Roaming\Mozilla\Firefox\Profiles\cx0dosbn.default\
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{FCB8192B-340B18D0-06020101}_0]
"ImagePath"="\??\c:\users\gateway\appdata\local\temp\9xgmq9v6heqc\pcdrdiag\bin\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
.
**************************************************************************
.
Completion time: 2012-08-17 10:38:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-17 17:37
ComboFix2.txt 2012-08-16 22:21
.
Pre-Run: 802,051,375,104 bytes free
Post-Run: 804,301,828,096 bytes free
.
- - End Of File - - 5506DA370DC82E5D333423055059E18D


----------
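A helper reads ComboFix output like the log above by hand. As an added example that is not part of the thread, of ComboFix or of any tool used here, this Python script parses the log's Run-key, service and start-page lines and flags the entries a reviewer looks at first: binaries launched from a temporary directory, a registered service whose file is gone (`[x]`), and a start page the owner did not choose. `EXPECTED_START_HOSTS` is an assumption about which search sites the owner considers legitimate.

```python
"""Triage autostart entries in a ComboFix log.

Added example for this thread, not part of ComboFix or of any tool the helper
uses.  It recognises the three line shapes seen in the log above and flags what
a reviewer looks at first: a program started from a temporary directory, a
registered service whose file is gone ("[x]"), and a browser start page the
owner did not set.  EXPECTED_START_HOSTS is an assumption about the owner.
"""
import re
from dataclasses import dataclass

# ComboFix line shapes (the log writes "hxxp" for "http" on purpose):
#   "Name"="c:\dir\file.exe" [2012-08-04 1353080]            registry Run entry
#   R2 svc;Display Name;c:\dir\file.exe [2012-05-18 563200]   service or driver
#   R3 svc;Display Name;c:\dir\file.sys [x]                   service, file missing
#   uStart Page = hxxp://host/path                            IE start page
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[\d{4}-\d{2}-\d{2} \d+\]$')
SVC_RE = re.compile(r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<meta>[^\]]+)\]$')
START_RE = re.compile(r'^[um]Start Page = (?P<url>\S+)$')

# Legitimate autostarts almost never run from a temporary directory.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")
# Assumption: the owner uses one of these as a start page; anything else is flagged.
EXPECTED_START_HOSTS = {"www.google.com", "www.bing.com"}


@dataclass
class Finding:
    kind: str    # "run-key", "service" or "start-page"
    name: str
    path: str
    reason: str


def _in_temp_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def _host(url: str) -> str:
    """Hostname of an http/hxxp URL; ComboFix may omit the '/' before '?'."""
    m = re.match(r'^(?:hxxps?|https?)://([^/?#]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else url


def triage(log_text: str) -> list:
    """Return the autostart entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            if _in_temp_dir(m["path"]):
                findings.append(Finding("run-key", m["name"], m["path"],
                                        "Run entry launches from a temporary directory"))
        elif m := SVC_RE.match(line):
            if m["meta"] == "x":
                findings.append(Finding("service", m["name"], m["path"],
                                        "service is registered but its file is missing"))
            if _in_temp_dir(m["path"]):
                findings.append(Finding("service", m["name"], m["path"],
                                        "service binary lives in a temporary directory"))
        elif m := START_RE.match(line):
            host = _host(m["url"])
            if host not in EXPECTED_START_HOSTS:
                findings.append(Finding("start-page", "Start Page", m["url"],
                                        f"start page points at {host}"))
    return findings


# Lines taken from the log above, assembled here as sample input.
SAMPLE_LOG = r"""
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-04 1353080]
R2 DefaultTabSearch;DefaultTabSearch;c:\program files (x86)\DefaultTab\DefaultTabSearch.exe [2012-05-18 563200]
R3 PCDSRVC{FCB8192B-340B18D0-06020101}_0;PCDSRVC{FCB8192B-340B18D0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\users\gateway\appdata\local\temp\9xgmq9v6heqc\pcdrdiag\bin\pcdsrvc_x64.pkms [x]
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.reason}\n    {f.path}")
```

The heuristics are deliberately narrow: DefaultTabSearch is not flagged because it lives under Program Files, which is why a helper still reads the full list rather than trusting a script alone.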



## jeffce (May 10, 2011)

Hi,

*Malwarebytes*

I see that you have *Malwarebytes* already on your computer. Please open Malwarebytes, update it and then run a _Quick Scan_. Save the log that is created for your next reply.
----------

Please run a free online scan with the *ESET Online Scanner*
*Note*: _You will need to use Internet Explorer for this scan_
Tick the box next to *YES, I accept the Terms of Use*
Click *Start*
When asked, allow the ActiveX control to install
Click *Start*
Make sure that the option *Remove found threats* is _NOT_ selected and the option *Scan unwanted applications* is selected.
Click *Scan* (This scan can take several hours, so please be patient)
If there are threats that are found, please press *List of found threats* and then in the next window that opens press *Export to text file...*
Copy and paste/or attach that log as a reply to this topic
*Note*: If no threats are found, no log will be created.
----------


----------



## bsacco (Jun 12, 2003)

Hi Jeff-

Sorry for the delay... just got back in town...

here is the Malwarebytes log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.17.07

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Gateway :: GATEWAY-PC [administrator]

8/17/2012 11:55:20 AM
mbam-log-2012-08-17 (13-00-18).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 555972
Time elapsed: 1 hour(s), 3 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Qoobox\Quarantine\C\Program Files (x86)\Vid-Saver\Uninstall.exe.vir (Adware.GamePlayLabs) -> No action taken.

(end)

--------------------------------------------------
ESET log file

E:\Documents and Settings\Heather.DELLXPS400TOWER\Desktop\SA.exe	multiple threats


----------



## bsacco (Jun 12, 2003)

Hi Jeff,

Also just ran a SuperAntiSpyware scan and found a trojan called:

Trojan.Agent/Gen-FakeDoc


----------



## jeffce (May 10, 2011)

Hi,

Run Malwarebytes again and be sure to remove anything found.
-------

First open an elevated command prompt > Click *Start* and type *cmd* in Start Search.
When cmd.exe populates above, *right click it* and select *Run as Administrator* to open an elevated command prompt.

Copy the contents of the code box > right click in the command window and select paste >> Press *Enter* (do one line at a time if there are more than one)

```
del "E:\Documents and Settings\Heather.DELLXPS400TOWER\Desktop\SA.exe"
```
Close the Command Prompt box.
--------

In your next reply please post the new Malwarebytes log and let me know how your system is running.


----------



## bsacco (Jun 12, 2003)

Hi Jeff-

I was unsure of the order in which you wanted the two tasks.

Malwarebytes scan first then elevated command prompt?

Or the other way around?

Anyhow, I did the elevated prompt first then the malware scan...

below is the Malwarebytes scan:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.19.06

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Gateway :: GATEWAY-PC [administrator]

8/19/2012 9:49:17 AM
mbam-log-2012-08-19 (10-58-25).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 557319
Time elapsed: 1 hour(s), 1 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Qoobox\Quarantine\C\Program Files (x86)\Vid-Saver\Uninstall.exe.vir (Adware.GamePlayLabs) -> No action taken.

(end)


----------



## bsacco (Jun 12, 2003)

Hi Jeff,

Just ran SuperAntiSpyware and found the following:

Trojan.Agent/Gen-FraudPack
C:\USERS\GATEWAY\APPDATA\LOCAL\TEMP\~NSU.TMP\AU_.EXE
C:\Windows\Prefetch\AU_.EXE-F6DE49AC.pf

Please advise.

-bob


----------



## jeffce (May 10, 2011)

The entry found by Malwarebytes is already quarantined by one of our tools and it will be removed later. Sorry I didn't notice that earlier. 

As for the entries that SuperAntiSpyware found you can remove those as well. How is your system running?


----------



## bsacco (Jun 12, 2003)

Seems to run a little faster, but I have further questions.

1) Just ran ESET a second time and it found the following threats:
a) HTML/Scrinject.B.Gen virus

Also, my system restore is currently off. Should I turn it back on? If so, what setting should I use?


----------



## jeffce (May 10, 2011)

> Just ran ESET a second time and it found the following threats:
> a) HTML/Scrinject.B.Gen virus


Could you post the log so I can look it over?


----------



## bsacco (Jun 12, 2003)

hi jeff-

ESET also found PHP/Obfuscated.F application

please advise

------------------------------------
eset log below

C:\Users\Gateway\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000092	HTML/ScrInject.B.Gen virus
E:\Documents and Settings\Heather.DELLXPS400TOWER\My Documents\JacksonPTOWebsite\Joomla Modules\com_rsform_pro1.0.0-Tryout.zip	PHP/Obfuscated.F application


----------



## bsacco (Jun 12, 2003)

Hi Jeff,

Good morning...should I run ESET a final time and mark REMOVE THREATS?

Please advise.

bob


----------



## jeffce (May 10, 2011)

Good morning. Yes go ahead and do that and then let me know how your system is running as well.


----------



## bsacco (Jun 12, 2003)

thank you .... job well done... i sent donation


----------



## jeffce (May 10, 2011)

> i sent donation


Thank you! 
---------

Providing there are no other malware related problems...

*IT APPEARS THAT YOUR LOGS ARE NOW CLEAN* SO LET'S DO A COUPLE OF THINGS TO WRAP THIS UP!!

*This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.*
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click *Start* > *Run* and copy/paste the following text into the Run box as shown and click OK.
*Combofix /Uninstall*
(Note: There is a space between the ..X and the /U that needs to be there.)

----------

*Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop. If you didn't already have it, I would keep Malwarebytes AntiMalware though.*

*Here are some tips to reduce the potential for spyware infection in the future:*

*1.* *Internet Explorer.* Even if you don't use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.
*Make your Internet Explorer more secure* - This can be done by following these simple instructions:

From within Internet Explorer click on the *Tools* menu and then click on *Options*.
Click once on the *Security* tab
Click once on the *Internet* icon so it becomes highlighted.
Click once on the *Custom Level* button.
Change the *Download signed ActiveX controls* to *Prompt*
Change the *Download unsigned ActiveX controls* to *Disable*
Change the *Initialize and script ActiveX controls not marked as safe* to *Disable*
Change the *Installation of desktop items* to *Prompt*
Change the *Launching programs and files in an IFRAME* to *Prompt*
Change the *Navigate sub-frames across different domains* to *Prompt*
When all these settings have been made, click on the *OK* button.
If it prompts you as to whether or not you want to save the settings, press the *Yes* button.
Next press the *Apply* button and then the *OK* to exit the Internet Properties page.
*2.* Enable *Protected Mode* in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
Open *Internet Explorer*
Click on *Tools > Internet Options*
Press *Security* tab
Select *Internet* zone then place check next to _Enable Protected Mode_ if not already done
Do the same for *Local Intranet, Trusted Sites* and *Restricted Sites* and then press *Apply*
Restart Internet Explorer and in the bottom right corner of your screen you will see _Protected Mode: On_ showing you it is enabled.
*3.* *Use and update an anti-virus software* - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

*4.* *Firewall*
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. I would personally only recommend using one of the following two:
Online Armor Free
Agnitum Outpost Firewall Free

*5.* *Make sure you keep your Windows OS current*. _*Windows XP*_ users can visit *Windows update*  regularly to download and install any critical updates and service packs. _*Windows Vista/7*_ users can open the *Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane)* to update these systems. Without these you are leaving the back door open.

*6.* *WOT* (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

*7.* Finally, I strongly recommend that you read TonyKlein's good advice *So how did I get infected in the first place?*

*Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.*


----------
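Steps 1 and 2 of the wrap-up above set six Internet-zone options and Protected Mode through the IE dialog. As an added example that is not part of jeffce's post or of any tool it names, this Python script checks a `reg export` of the Internet zone key against exactly those recommendations, so a deviation can be spotted without clicking through the dialog. The numeric value names are Microsoft's documented per-zone action ids (the post only names the actions), and the sample export is constructed, not taken from the poster's PC.

```python
r"""Audit Internet Explorer's Internet-zone settings against the advice above.

Added example for this thread, not part of any tool the post names.  Input is
the text `reg export` writes for the Internet zone key
(HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3);
the sample below is constructed to look like such an export.  The numeric value
names are Microsoft's documented per-zone action ids, where the DWORD means
0 = Enable, 1 = Prompt, 3 = Disable; the post itself only names the actions.
"""
import re

# action id -> (setting as the post words it, recommended level)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
    "2500": ("Protected Mode", 0),          # for 2500, 0 = on and 3 = off
}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
DWORD_RE = re.compile(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(reg_text: str) -> dict:
    """Map each numeric value name in a .reg export to its DWORD as an int."""
    values = {}
    for line in reg_text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(values: dict) -> list:
    """Return (setting, current, recommended) for each setting not at the
    advised level.  A value absent from the export is reported with
    current=None, since IE then falls back to a template default not visible here."""
    issues = []
    for vid, (label, want) in RECOMMENDED.items():
        have = values.get(vid)
        if have != want:
            issues.append((label, have, want))
    return issues


def describe(issue) -> str:
    label, have, want = issue
    now = "not set" if have is None else LEVEL.get(have, str(have))
    return f"{label}: currently {now}, recommended {LEVEL[want]}"


# Constructed sample: the shape of `reg export` output, with four weak settings.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
"2500"=dword:00000003
"""

if __name__ == "__main__":
    for issue in audit(parse_zone_export(SAMPLE_EXPORT)):
        print(describe(issue))
```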

