28 replies to this topic

[Tomk]

Actually... it's my fault for not having you remove them first.  Sorry about that.  However... it isn't a bad idea to check them.  And for the record... I have seen many pirated copies of videos downloaded from torrent sites and I do not recall ever seeing one that wasn't patched with a multitude of malware.  As far as I'm concerned, pirated movies are a guaranteed way to get an infection... often even rootkits that are game over situations.  (These are where the only course of action is a complete reformat and reinstall - keeping nothing but perhaps pictures).

[jeff matthews]

Pirated licensed movies for sure, but the stuff i download are more like unlicensed international fansub video's. (Japanese Animation Fan video's to be precise) if it scanned all my drives, it didn't find anything on my externals so i guess thats a good thing. I figured as much since its mostly just my data drives. I have done quite alot of scans on my media drives before in the past and never really found anything. But i hear what you are saying bout actual Pirated movies for sure, especially ones that are cam rips. I have seen alot of machines with pirates movies like that and lots of infections, like i said my sisters BF used to download stuff like that all the time. But im pretty sure i destroyed all remnants of that on their drive before backing up personal information to my drive.

 

Anyways it actually finished tonight surprisingly and here is the results all from the C drive. How the heck is cpu-z an infection? Some other things on here i just don't see how they could be threats, "FFsetup"(Format Factory) is a software i use to convert files into different formats. Everyone knows what "Camtasia.Studio" is so that is kind of strange. What is "open Candy Application" mean i see that alot with software i download like trial versions or freeware. Diamond Tools is something i ALWAYS see infected for some reason, another strange one. "Tversity" is a media server i used to use along time ago but i don't need it any more. Again though i don't see how that can be a threat, its a legitimate software for streaming to your tv, bluray or game systems, etc. These software should not be infected unless one infection spread to the others.

 

C:\Back up K drive\Backup kristi\Kristi Backup1.zip a variant of Win32/Soft32Downloader.C application

C:\Back up K drive\Backup kristi\Pictures\Kristi Back up\winrar setup.exe a variant of Win32/Soft32Downloader.C application

C:\Back up K drive\Dennis Backup\Documents\Programs\setup.exe a variant of Win32/CasOnline.I application

C:\Back up K drive\Dennis Backup\Documents\Virus Control Programs\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application

C:\Back up K drive\Laptop Back up\Programs\cpu-z_1.60.1-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask application

C:\Back up K drive\Laptop Back up\Programs\Nero Burning ROM 6.0.0.11.exe a variant of Win32/Keygen.CY application

C:\Back up K drive\Laptop Back up\Programs\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application

C:\Back up K drive\Laptop Back up\Programs\FFSetup296\FFSetup296.exe multiple threats

C:\ProgramData\Spybot - Search & Destroy\Recovery\myPCBackup.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO12.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\myPCBackup.zip Win32/Bagle.gen.zip worm

C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO12.zip Win32/Bagle.gen.zip worm

C:\Users\Jeff\Desktop\usb back up\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application

C:\Users\Jeff\Desktop\usb back up\FFSetup296.zip multiple threats

C:\Users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com.rar BAT/HostsChanger.A application

C:\Users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\disable_activation.cmd BAT/HostsChanger.A application

C:\Users\Jeff\Documents\Software\Java.exe a variant of Win32/AirAdInstaller.A application

C:\Users\Jeff\Documents\Software\Nero Burning ROM 6.0.0.11.exe a variant of Win32/Keygen.CY application

C:\Users\Jeff\Documents\Video Editing Software\avc-free.exe Win32/OpenCandy application

C:\Users\Jeff\Documents\Video Editing Software\DAEMONToolsPro500316-0317.exe Win32/OpenCandy application

C:\Users\Jeff\Documents\Video Editing Software\FFSetup296.zip multiple threats

C:\Users\Jeff\Documents\Video Editing Software\free-video-cutter-joiner.exe Win32/Adware.RK.AP application

C:\Users\Jeff\Documents\Video Editing Software\FFSetup296\FFSetup296.exe multiple threats

C:\Users\Jeff\Documents\Virus Utulities\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application

C:\Users\Jeff\Documents\X\TVersitySetup_1_9_3.exe a variant of Win32/Toolbar.Conduit.B application

C:\Users\Jeff\Documents\X\Doujins\cnet_cpu-z_1_58-setup-en_exe.exe a variant of Win32/InstallCore.D application

C:\Users\Jeff\Documents\X\Doujins\cnet_DVDFabVirtualDrive1300_exe.exe a variant of Win32/InstallCore.D application

Edited by jeff matthews, 21 January 2014 - 08:47 PM.

[Tomk]

Many of the nefarious programs appear more than once on your system.  The program you want has been patched to install the bad guys when you install the program you wanted.  Only the bagle worm will spread from file (folder) to file (folder).
 
Here is a quick synopsis of most of them:
Win32/Soft32Downloader.C   specifically attacks internet explorer, weakens security  and allows adware onto your system
Win32/CasOnline.I   adware - typically for betting sites.
Win32/Bundled.Toolbar.Ask   surreptitiously installs the ask toolbar and adware
Win32/Bagle.gen.zip worm  This is a real bad one.  Can trash the whole system (and any other computers on the network).  Luckily spybot has already quarantined it.  However it does contain a backdoor rootkit component so I recommend that any system that gets infected with this be immediately reformatted and a new installation be performed.  There is just no way to be 100% sure that it is all gone.
BAT/HostsChanger.A   This will modify your host file to reroute websites.  It will block your security - maybe only partially but often shut it down completely.
Win32/OpenCandy  adware
Win32/Toolbar.Conduit.B  adware
Win32/InstallCore.D  adware
 
Perhaps the most important thing is these are pirated copies of the programs:

• Nero Burning ROM 6.0.0.11.exe
• Camtasia.Studio.v8.0.4.1060.mundomanuales.com

As I said earlier... you cannot expect pirated programs to be infection free.
 
DVDFabVirtualDrive appears to have been hacked which doesn't seem to make sense to me as I think it's a free program isn't it?
 
Anyhow... let's clean them up:
 
COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  
  C:\Back up K drive\Backup kristi\Kristi Backup1.zip
  
  C:\Back up K drive\Backup kristi\Pictures\Kristi Back up\winrar setup.exe
  
  C:\Back up K drive\Dennis Backup\Documents\Programs\setup.exe
  
  C:\Back up K drive\Dennis Backup\Documents\Virus Control Programs\disk-defrag-setup.exe
  
  C:\Back up K drive\Laptop Back up\Programs\cpu-z_1.60.1-setup-en.exe
  
  C:\Back up K drive\Laptop Back up\Programs\Nero Burning ROM 6.0.0.11.exe
  
  C:\Back up K drive\Laptop Back up\Programs\Nero-9.4.12.3d_free.exe
  
  C:\Back up K drive\Laptop Back up\Programs\FFSetup296\FFSetup296.exe
  
  C:\Users\Jeff\Desktop\usb back up\disk-defrag-setup.exe
  
  C:\Users\Jeff\Desktop\usb back up\FFSetup296.zip
  
  C:\Users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com.rar
  
  C:\Users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\disable_activation.cmd
  
  C:\Users\Jeff\Documents\Software\Java.exe
  
  C:\Users\Jeff\Documents\Software\Nero Burning ROM 6.0.0.11.exe
  
  C:\Users\Jeff\Documents\Video Editing Software\avc-free.exe
  
  C:\Users\Jeff\Documents\Video Editing Software\DAEMONToolsPro500316-0317.exe
  
  C:\Users\Jeff\Documents\Video Editing Software\FFSetup296.zip
  
  C:\Users\Jeff\Documents\Video Editing Software\free-video-cutter-joiner.exe
  
  C:\Users\Jeff\Documents\Video Editing Software\FFSetup296\FFSetup296.exe
  
  C:\Users\Jeff\Documents\Virus Utulities\disk-defrag-setup.exe
  
  C:\Users\Jeff\Documents\X\TVersitySetup_1_9_3.exe
  
  C:\Users\Jeff\Documents\X\Doujins\cnet_cpu-z_1_58-setup-en_exe.exe
  
  C:\Users\Jeff\Documents\X\Doujins\cnet_DVDFabVirtualDrive1300_exe.exe
  
  
  
  

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[jeff matthews]

Alright here is the combo fix log, hopefully it got rid of all the infections. As far as the Bagel, i have seen that resurface quite a few times, thanks for the info on that. I am going to have to really check into that and find out where it originated from, probably from another machine, and i always end up with it cause my machines are hooked up to a network and you said that it can actually travel across your network huh? Wow that is certainly something that is pretty dangerous.

 

ComboFix 14-01-22.01 - Jeff 01/22/2014   9:50.2.4 - x64

Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.16375.10316 [GMT -8:00]

Running from: c:\users\Jeff\Desktop\ComboFix.exe

Command switches used :: c:\users\Jeff\Desktop\CFScript.txt

AV: avast! Internet Security *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}

FW: avast! Internet Security *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

SP: avast! Internet Security *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\back up k drive\Backup kristi\Kristi Backup1.zip"

"c:\back up k drive\Backup kristi\Pictures\Kristi Back up\winrar setup.exe"

"c:\back up k drive\Dennis Backup\Documents\Programs\setup.exe"

"c:\back up k drive\Dennis Backup\Documents\Virus Control Programs\disk-defrag-setup.exe"

"c:\back up k drive\Laptop Back up\Programs\cpu-z_1.60.1-setup-en.exe"

"c:\back up k drive\Laptop Back up\Programs\FFSetup296\FFSetup296.exe"

"c:\back up k drive\Laptop Back up\Programs\Nero-9.4.12.3d_free.exe"

"c:\back up k drive\Laptop Back up\Programs\Nero Burning ROM 6.0.0.11.exe"

"c:\users\Jeff\Desktop\usb back up\disk-defrag-setup.exe"

"c:\users\Jeff\Desktop\usb back up\FFSetup296.zip"

"c:\users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com.rar"

"c:\users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\disable_activation.cmd"

"c:\users\Jeff\Documents\Software\Java.exe"

"c:\users\Jeff\Documents\Software\Nero Burning ROM 6.0.0.11.exe"

"c:\users\Jeff\Documents\Video Editing Software\avc-free.exe"

"c:\users\Jeff\Documents\Video Editing Software\DAEMONToolsPro500316-0317.exe"

"c:\users\Jeff\Documents\Video Editing Software\FFSetup296.zip"

"c:\users\Jeff\Documents\Video Editing Software\FFSetup296\FFSetup296.exe"

"c:\users\Jeff\Documents\Video Editing Software\free-video-cutter-joiner.exe"

"c:\users\Jeff\Documents\Virus Utulities\disk-defrag-setup.exe"

"c:\users\Jeff\Documents\X\Doujins\cnet_cpu-z_1_58-setup-en_exe.exe"

"c:\users\Jeff\Documents\X\Doujins\cnet_DVDFabVirtualDrive1300_exe.exe"

"c:\users\Jeff\Documents\X\TVersitySetup_1_9_3.exe"

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\back up k drive\Backup kristi\Kristi Backup1.zip

c:\back up k drive\Backup kristi\Pictures\Kristi Back up\winrar setup.exe

c:\back up k drive\Dennis Backup\Documents\Programs\setup.exe

c:\back up k drive\Dennis Backup\Documents\Virus Control Programs\disk-defrag-setup.exe

c:\back up k drive\Laptop Back up\Programs\cpu-z_1.60.1-setup-en.exe

c:\back up k drive\Laptop Back up\Programs\FFSetup296\FFSetup296.exe

c:\back up k drive\Laptop Back up\Programs\Nero-9.4.12.3d_free.exe

c:\back up k drive\Laptop Back up\Programs\Nero Burning ROM 6.0.0.11.exe

c:\users\Jeff\Desktop\usb back up\disk-defrag-setup.exe

c:\users\Jeff\Desktop\usb back up\FFSetup296.zip

c:\users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com.rar

c:\users\Jeff\Documents\Game Directory\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\Camtasia.Studio.v8.0.4.1060.mundomanuales.com\disable_activation.cmd

c:\users\Jeff\Documents\Software\Java.exe

c:\users\Jeff\Documents\Software\Nero Burning ROM 6.0.0.11.exe

c:\users\Jeff\Documents\Video Editing Software\avc-free.exe

c:\users\Jeff\Documents\Video Editing Software\DAEMONToolsPro500316-0317.exe

c:\users\Jeff\Documents\Video Editing Software\FFSetup296.zip

c:\users\Jeff\Documents\Video Editing Software\FFSetup296\FFSetup296.exe

c:\users\Jeff\Documents\Video Editing Software\free-video-cutter-joiner.exe

c:\users\Jeff\Documents\Virus Utulities\disk-defrag-setup.exe

c:\users\Jeff\Documents\X\Doujins\cnet_cpu-z_1_58-setup-en_exe.exe

c:\users\Jeff\Documents\X\Doujins\cnet_DVDFabVirtualDrive1300_exe.exe

c:\users\Jeff\Documents\X\TVersitySetup_1_9_3.exe

.

.

(((((((((((((((((((((((((   Files Created from 2013-12-22 to 2014-01-22  )))))))))))))))))))))))))))))))

.

.

2014-01-22 17:56 . 2014-01-22 17:56 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2014-01-22 17:56 . 2014-01-22 17:56 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-01-20 22:02 . 2014-01-20 22:17 -------- d-----w- C:\AdwCleaner

2014-01-20 21:50 . 2014-01-20 21:50 -------- d-----w- c:\windows\ERUNT

2014-01-17 22:37 . 2014-01-17 22:37 -------- d-----w- c:\program files\Sony

2014-01-17 22:37 . 2014-01-17 22:37 -------- d-----w- c:\program files (x86)\Sony

2014-01-17 21:32 . 2014-01-17 21:32 -------- d-----w- C:\E655_A74

2014-01-17 21:21 . 2014-01-17 21:21 -------- d-----w- c:\users\Jeff\AppData\Local\ElevatedDiagnostics

2014-01-17 11:47 . 2013-12-04 03:28 10315576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6F332AE1-BF5C-4C6F-9C1F-9250A7979C2D}\mpengine.dll

2014-01-15 06:18 . 2013-11-27 01:41 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys

2014-01-15 06:18 . 2013-11-27 01:41 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2014-01-15 06:18 . 2013-11-27 01:41 53248 ----a-w- c:\windows\system32\drivers\usbehci.sys

2014-01-15 06:18 . 2013-11-27 01:41 325120 ----a-w- c:\windows\system32\drivers\usbport.sys

2014-01-15 06:18 . 2013-11-27 01:41 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys

2014-01-15 06:18 . 2013-11-27 01:41 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2014-01-15 06:18 . 2013-11-27 01:41 7808 ----a-w- c:\windows\system32\drivers\usbd.sys

2014-01-15 06:18 . 2013-11-26 10:32 3156480 ----a-w- c:\windows\system32\win32k.sys

2014-01-15 06:18 . 2013-11-26 11:40 376768 ----a-w- c:\windows\system32\drivers\netio.sys

2014-01-08 23:59 . 2014-01-08 23:59 -------- d-----w- c:\program files\Canon

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-01-15 11:01 . 2012-10-30 16:47 86054176 ----a-w- c:\windows\system32\MRT.exe

2014-01-08 22:39 . 2013-04-16 18:53 439648 ----a-w- c:\windows\system32\drivers\aswndisflt.sys

2013-12-20 22:39 . 2013-12-18 22:38 79672 ----a-w- c:\windows\system32\drivers\aswstm.sys

2013-12-18 22:38 . 2013-04-16 18:53 207904 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2013-12-18 22:38 . 2013-04-16 18:53 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-12-18 22:38 . 2012-10-29 23:48 422216 ----a-w- c:\windows\system32\drivers\aswSP.sys

2013-12-18 22:38 . 2012-10-29 23:47 92544 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2013-12-18 22:38 . 2012-10-29 23:47 1034464 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-12-18 22:38 . 2012-10-29 23:47 78648 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-12-18 22:38 . 2012-10-29 23:47 334136 ----a-w- c:\windows\system32\aswBoot.exe

2013-12-18 22:38 . 2012-10-29 23:46 43152 ----a-w- c:\windows\avastSS.scr

2013-12-18 22:38 . 2012-10-29 23:47 28184 ----a-w- c:\windows\system32\drivers\aswKbd.sys

2013-12-11 01:27 . 2012-12-18 19:43 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-12-11 01:27 . 2012-12-18 19:43 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-12-11 01:27 . 2013-12-11 01:27 9293192 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2013-11-26 11:54 . 2013-12-12 11:02 23183360 ----a-w- c:\windows\system32\mshtml.dll

2013-11-26 10:19 . 2013-12-12 11:02 2724864 ----a-w- c:\windows\system32\mshtml.tlb

2013-11-26 10:18 . 2013-12-12 11:02 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll

2013-11-26 09:48 . 2013-12-12 11:02 66048 ----a-w- c:\windows\system32\iesetup.dll

2013-11-26 09:46 . 2013-12-12 11:02 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll

2013-11-26 09:41 . 2013-12-12 11:02 2764288 ----a-w- c:\windows\system32\iertutil.dll

2013-11-26 09:29 . 2013-12-12 11:02 53760 ----a-w- c:\windows\system32\jsproxy.dll

2013-11-26 09:27 . 2013-12-12 11:02 33792 ----a-w- c:\windows\system32\iernonce.dll

2013-11-26 09:23 . 2013-12-12 11:02 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb

2013-11-26 09:21 . 2013-12-12 11:02 574976 ----a-w- c:\windows\system32\ieui.dll

2013-11-26 09:18 . 2013-12-12 11:02 139264 ----a-w- c:\windows\system32\ieUnatt.exe

2013-11-26 09:18 . 2013-12-12 11:02 111616 ----a-w- c:\windows\system32\ieetwcollector.exe

2013-11-26 09:16 . 2013-12-12 11:02 708608 ----a-w- c:\windows\system32\jscript9diag.dll

2013-11-26 08:57 . 2013-12-12 11:02 218624 ----a-w- c:\windows\system32\ie4uinit.exe

2013-11-26 08:35 . 2013-12-12 11:02 5769216 ----a-w- c:\windows\system32\jscript9.dll

2013-11-26 08:28 . 2013-12-12 11:02 553472 ----a-w- c:\windows\SysWow64\jscript9diag.dll

2013-11-26 08:16 . 2013-12-12 11:02 4243968 ----a-w- c:\windows\SysWow64\jscript9.dll

2013-11-26 08:02 . 2013-12-12 11:02 1995264 ----a-w- c:\windows\system32\inetcpl.cpl

2013-11-26 07:48 . 2013-12-12 11:02 12996608 ----a-w- c:\windows\system32\ieframe.dll

2013-11-26 07:32 . 2013-12-12 11:02 1928192 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2013-11-26 07:07 . 2013-12-12 11:02 2334208 ----a-w- c:\windows\system32\wininet.dll

2013-11-26 06:40 . 2013-12-12 11:02 1395200 ----a-w- c:\windows\system32\urlmon.dll

2013-11-26 06:34 . 2013-12-12 11:02 817664 ----a-w- c:\windows\system32\ieapfltr.dll

2013-11-26 06:33 . 2013-12-12 11:02 1820160 ----a-w- c:\windows\SysWow64\wininet.dll

2013-11-23 18:26 . 2013-12-12 07:36 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll

2013-11-23 17:47 . 2013-12-12 07:36 465920 ----a-w- c:\windows\system32\WMPhoto.dll

2013-11-20 11:04 . 2013-11-20 11:04 194048 ----a-w- c:\windows\SysWow64\elshyph.dll

2013-11-20 11:04 . 2013-11-20 11:04 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2013-11-20 11:04 . 2013-11-20 11:04 942592 ----a-w- c:\windows\system32\jsIntl.dll

2013-11-20 11:04 . 2013-11-20 11:04 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2013-11-20 11:04 . 2013-11-20 11:04 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll

2013-11-20 11:04 . 2013-11-20 11:04 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2013-11-20 11:04 . 2013-11-20 11:04 84992 ----a-w- c:\windows\system32\mshtmled.dll

2013-11-20 11:04 . 2013-11-20 11:04 83968 ----a-w- c:\windows\system32\MshtmlDac.dll

2013-11-20 11:04 . 2013-11-20 11:04 81408 ----a-w- c:\windows\system32\icardie.dll

2013-11-20 11:04 . 2013-11-20 11:04 774144 ----a-w- c:\windows\system32\jscript.dll

2013-11-20 11:04 . 2013-11-20 11:04 77312 ----a-w- c:\windows\system32\tdc.ocx

2013-11-20 11:04 . 2013-11-20 11:04 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2013-11-20 11:04 . 2013-11-20 11:04 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe

2013-11-20 11:04 . 2013-11-20 11:04 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll

2013-11-20 11:04 . 2013-11-20 11:04 626176 ----a-w- c:\windows\system32\msfeeds.dll

2013-11-20 11:04 . 2013-11-20 11:04 62464 ----a-w- c:\windows\SysWow64\tdc.ocx

2013-11-20 11:04 . 2013-11-20 11:04 62464 ----a-w- c:\windows\system32\pngfilt.dll

2013-11-20 11:04 . 2013-11-20 11:04 61952 ----a-w- c:\windows\SysWow64\MshtmlDac.dll

2013-11-20 11:04 . 2013-11-20 11:04 61952 ----a-w- c:\windows\SysWow64\iesetup.dll

2013-11-20 11:04 . 2013-11-20 11:04 616104 ----a-w- c:\windows\system32\ieapfltr.dat

2013-11-20 11:04 . 2013-11-20 11:04 548352 ----a-w- c:\windows\system32\vbscript.dll

2013-11-20 11:04 . 2013-11-20 11:04 52224 ----a-w- c:\windows\system32\msfeedsbs.dll

2013-11-20 11:04 . 2013-11-20 11:04 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll

2013-11-20 11:04 . 2013-11-20 11:04 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2013-11-20 11:04 . 2013-11-20 11:04 48640 ----a-w- c:\windows\system32\mshtmler.dll

2013-11-20 11:04 . 2013-11-20 11:04 48128 ----a-w- c:\windows\system32\imgutil.dll

2013-11-20 11:04 . 2013-11-20 11:04 454656 ----a-w- c:\windows\SysWow64\vbscript.dll

2013-11-20 11:04 . 2013-11-20 11:04 453120 ----a-w- c:\windows\system32\dxtmsft.dll

2013-11-20 11:04 . 2013-11-20 11:04 413696 ----a-w- c:\windows\system32\html.iec

2013-11-20 11:04 . 2013-11-20 11:04 40448 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll

2013-11-20 11:04 . 2013-11-20 11:04 36352 ----a-w- c:\windows\SysWow64\imgutil.dll

2013-11-20 11:04 . 2013-11-20 11:04 34816 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll

2013-11-20 11:04 . 2013-11-20 11:04 337408 ----a-w- c:\windows\SysWow64\html.iec

2013-11-20 11:04 . 2013-11-20 11:04 30208 ----a-w- c:\windows\system32\licmgr10.dll

2013-11-20 11:04 . 2013-11-20 11:04 296960 ----a-w- c:\windows\system32\dxtrans.dll

2013-11-20 11:04 . 2013-11-20 11:04 263376 ----a-w- c:\windows\system32\iedkcs32.dll

2013-11-20 11:04 . 2013-11-20 11:04 247808 ----a-w- c:\windows\system32\msls31.dll

2013-11-20 11:04 . 2013-11-20 11:04 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll

2013-11-20 11:04 . 2013-11-20 11:04 243200 ----a-w- c:\windows\system32\webcheck.dll

2013-11-20 11:04 . 2013-11-20 11:04 235520 ----a-w- c:\windows\system32\url.dll

2013-11-20 11:04 . 2013-11-20 11:04 235008 ----a-w- c:\windows\system32\elshyph.dll

2013-11-20 11:04 . 2013-11-20 11:04 195584 ----a-w- c:\windows\system32\msrating.dll

2013-11-20 11:04 . 2013-11-20 11:04 182272 ----a-w- c:\windows\SysWow64\msls31.dll

2013-11-20 11:04 . 2013-11-20 11:04 167424 ----a-w- c:\windows\system32\iexpress.exe

2013-11-20 11:04 . 2013-11-20 11:04 151552 ----a-w- c:\windows\SysWow64\iexpress.exe

2013-11-20 11:04 . 2013-11-20 11:04 147968 ----a-w- c:\windows\system32\occache.dll

2013-11-20 11:04 . 2013-11-20 11:04 143872 ----a-w- c:\windows\system32\wextract.exe

2013-11-20 11:04 . 2013-11-20 11:04 139264 ----a-w- c:\windows\SysWow64\wextract.exe

2013-11-20 11:04 . 2013-11-20 11:04 13824 ----a-w- c:\windows\system32\mshta.exe

2013-11-20 11:04 . 2013-11-20 11:04 135680 ----a-w- c:\windows\system32\iepeers.dll

2013-11-20 11:04 . 2013-11-20 11:04 13312 ----a-w- c:\windows\SysWow64\mshta.exe

2013-11-20 11:04 . 2013-11-20 11:04 13312 ----a-w- c:\windows\system32\msfeedssync.exe

2013-11-20 11:04 . 2013-11-20 11:04 131072 ----a-w- c:\windows\system32\IEAdvpack.dll

2013-11-20 11:04 . 2013-11-20 11:04 1228800 ----a-w- c:\windows\system32\mshtmlmedia.dll

2013-11-20 11:04 . 2013-11-20 11:04 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2013-11-20 11:04 . 2013-11-20 11:04 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2013-11-20 11:04 . 2013-11-20 11:04 105984 ----a-w- c:\windows\system32\iesysprep.dll

2013-11-20 11:04 . 2013-11-20 11:04 1051136 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll

2013-11-20 11:04 . 2013-11-20 11:04 101376 ----a-w- c:\windows\system32\inseng.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\users\Jeff\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-10-02 20472992]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2010-07-09 1548288]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-01-05 413696]

"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-01-03 36760]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-01-03 815512]

"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]

"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-18 3764024]

"IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2011-09-27 439440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]

R3 H5xUSB;Roxio GameCAP HD PRO;c:\windows\system32\Drivers\uth5x64.sys;c:\windows\SYSNATIVE\Drivers\uth5x64.sys [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 MSICDSetup;MSICDSetup;e:\cdriver64.sys;e:\CDriver64.sys [x]

R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

S0 aswRvrt;avast! Revert; [x]

S0 aswVmm;avast! VM Monitor; [x]

S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys;c:\windows\SYSNATIVE\DRIVERS\mv61xx.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]

S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]

S1 aswNdisFlt;Avast! Firewall Driver;c:\windows\system32\DRIVERS\aswNdisFlt.sys;c:\windows\SYSNATIVE\DRIVERS\aswNdisFlt.sys [x]

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]

S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]

S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe;c:\program files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]

S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe;c:\program files\AVAST Software\Avast\afwServ.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

S3 ElgatoGC658Y;Elgato Game Capture;c:\windows\system32\Drivers\ElgatoGC658.sys;c:\windows\SYSNATIVE\Drivers\ElgatoGC658.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-01-16 05:25 1211672 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-01-22 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-18 01:27]

.

2014-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29 22:24]

.

2014-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29 22:24]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1036AD63-AEAC-460B-9060-C96005D4DC86}]

2012-08-08 06:08 105472 ----a-w- c:\program files\PrivacySafeGuard\PrivacySafeGuard-x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2013-12-18 22:38 287280 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2013-12-06 23:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2013-12-06 23:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2013-12-06 23:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2013-12-06 23:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2013-12-06 23:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2013-12-06 23:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-07 7940128]

"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-07-07 1833504]

"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 2780776]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1 205.171.2.65

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2014-01-22  09:58:34

ComboFix-quarantined-files.txt  2014-01-22 17:58

ComboFix2.txt  2014-01-21 06:49

.

Pre-Run: 106,536,759,296 bytes free

Post-Run: 106,313,334,784 bytes free

.

- - End Of File - - 95561E6394A7785B26EB8B52AB98D20B

BC50EE3CDA45BDC16DCA3DC7C3AAAB81

Edited by jeff matthews, 22 January 2014 - 04:18 PM.

[jeff matthews]

So from a little research, the bagle is a Worm that is sent via email and download as an .exe extension which then executes some sort of software called "calc.exe" which can then spread the infection to every other client or emails contacts on your machine. It also states that it downloads a "Backdoor-CBJ." trojan virus. Now as far as the infection on my machine is their any way to find out if its currently active on my machine or if how much damage its doing, etc. Their is multiple stages to it from what i understand and from what i read, it certainly can cause alot of damage since it can replicate itself and infect other files and programs. It can also corrupt or delete data, erase your hard drive which is absolutely terrible, i do not want that to happen. you said it was quarantined? So its like dormant right now or something. 

 

Incidentally i have noticed i have been receiving some fake emails.

 

 

This one quite frequently and I do not think its a legitimate google email.

 

 

 

Hi Jeff, 

Someone recently used your password to try to sign in to your Google Account rcmatthews8@gmail.com. This person was using an application such as an email client or mobile device. 

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt: 

  Wednesday, January 22, 2014 6:16:32 AM UTC 
IP Address: 189.222.55.80 (189.222.55.80.dsl.dyn.telnor.net.) 
Location: Mexicali, Baja California, Mexico  

If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. 

 

 

These emails are coming from several different area's every time i get one. I also do not have a RcmatthewsGmail account, so thats kind of strange. My rcmatthews is my msn account. I have also ran into a few issues with some files on my HD not working correctly, but that could just be corruption and its very likely to happen when write and copy to disks alot. I remember a while back i did BSOD screens quite frequently, i have not since then i am wondering if that could possibly be the bagle virus. The screens that i would get, look like this.

 

http://didierstevens...p0x0000007b.GIF

 

This was an on going disaster last year. The only way i was able to fix it was to reformat. But like you said, this Worm attaches to lots of different files and stuff, so when i reformat and back up sensitive data, im basically putting that worm right back into my machine and on my network again. It has me a little concerned. Getting rid of that infection is going to be a really tough process because we have so many files that i just can't afford to delete them. I guess the only plausible way to find out is to back up all of the data you need on an external drive or something and then scan them to see if it has remnants of the bagle infection on their.

Edited by jeff matthews, 22 January 2014 - 04:58 PM.

[Tomk]

The picture that you attached is the classic "Blue Screen of Death" (BSOD) that you have surely read about.  The BSOD is not a virus.  It is a safegaurd built into windows to "save" your computer from "dangerous" code execution.  That can be a variety of things.  Yes it can be cause by malware.  It could be an incorrect or corrupt driver.  Perhaps even a failing hard drive.  You would get one if your system overheated.  Basically it is telling you that something is wrong in the machines environment.  The numbers at the bottom of the screen are the key to why the BSOD occurred.  I believe that an overcrowded hard drive can also increase your chance of corrupting a file you have edited, thus causing a BSOD.

 

Back to bagle.  It is indeed a scary infection.  Yes it does spread and replicate.  The only place found on your system currently was on some files that had already been quarantined by Spybot.  There is no way for me to tell for sure that it does not exist somewhere else on your system.  I'm not seeing anything active, but that is no guarantee that it isn't dormant somewhere - and will become active when the infected file is executed.  This is why the only sure fire way of ridding yourself of the problem is to reformat and reinstall.  There is only a small risk of cross contamination from data files.  Bagle (and other file replicators) typically will only attach to executable files.  These, of course are the actual programs that run.  They are files that have extentions of .exe, .com, .bat, .scr, .pif, etc.  Data files - such as word docs, excel files, pictures, .pdf files, etc.  typically are not infected because they do not execute any code.  Audio files, in theory, are data files but I have heard of them being infected and I have seen video files that were infected - though not by replicators like bagle.  They were torrent downloads and had been patched with malware.

 

Bagle  has nothing to do with the emails you've been getting (though it is true that you may have gotten it from an email).  The emails you are describing are phishing attempts or just random emails that may carry a dangerous payload.  This is why you should never open email that you do not know who it is from and what it should contain.  Most contaminated email will have an attachment (some will just have a link).  When you open the attachment (or follow the link) you will download and possibly execute the malicious code. 

 

OK.  At this point I'm not seeing anything specific in your log.

 

How do things seem to be running?

[jeff matthews]

Oh yeah, its alot faster now. pages load on the fly just like it supposed to. Applications load much quicker, no more stalls and freezes on the machine from i can see so far. I just wish my machine can stay like this, but unfortunately i always come back for some reason and end up being infected in some way, even when i don't even use this computer that much and i mostly use my laptop, i still have issues, its just strange how i keep getting reinfected.

 

Oh yeah im aware of the BSOD and i know it does not pertain to any type of infections, its basically a security to prevent damage to your machine. I have had them for various different reasons, but i had it really bad before and the bagle worm might of been the culprit, but no way of knowing for sure i guess. Usually if its a driver malfunction, it will tell you and it will list it, like ive had a BSOD crashes because of my video driver one time and had to replace my graphics card.

 

 

A few things i need to ask though, the software that was infected, are they going to work or they going to be corrupted and ill have to re install them? Also i noticed after running combo fix that it deleted all of my extensions, i do like to use WOT and also addblock. Is their any potential security risk with add block. It helps me to block all those annoying adds on websites and i really don't even like surfing the web with out it. Those two extensions are pretty much the ONLY ones i use aside from adobe flash player which is built into Chrome. Also i got an immediate update on my java so i just did that, anything else that probably needs updating. I guess ill have to go through and check into that.

 

 

Now as far as USB connections, i seem to be still having that issue, it takes bout 2 min or so before im able to even use my keyboard or mouse upon boot up and also some times my devices will just not function and stop running. Since we have taken care of the infections on the machine and also updated drivers, i really do think its hardware issue with a USB controller. That is mainly the only bothersome thing that is going on with my computer right now. 

 

Besides those issues, its running pretty smoothly from what i can tell. I'll definitely have to run these same procedures on our other computer cause right now its very slow and really messed up, even worse then this one was.

Edited by jeff matthews, 22 January 2014 - 06:50 PM.

[Tomk]

In most cases, it is the installer program that is patched.  When you run it, the program you want is installed but so is the garbage.  If the installer is deleted... it does not effect the program.  If the program itself is infected and deleted... then obviously it won't run any more.

 

I have never had CF delete WOT or AdBlock.  In fact, I don't see in the logs where it did.  Are you sure they are gone?

 

I know you end up here alot with infected machines.  I've helped you before.  Quite frankly there isn't any magic to it.  My belief is you are not practicing safe computing.  You appear to visit questionable sites, you do alot of downloading (perhaps even of questionable programs), and you open email from sources that might not be trusted.  I use the term "you" generically because I don't know if it is actually yourself that does this or some other user of the computer.  No security program can protect you from yourself.  There is some "luck" involved in this day and age on the world weird web, but I may spend as much time on the computer as you do and I never get infected... ever.  Up until I started working on the forums here (about 6 years or so ago) I never even installed an anti-virus on my system (not a good idea, by the way, but I didn't know any better).  Doing what I do, I sometimes "do things" or visit sites that are not the safest... yet I still remain uninfected to this day.  I don't download torrents, I don't download shared files, I don't mess with anything that is "questionable" in it's legitimacy, I don't open email without giving serious consideration to the sender and what should be there (I immediately delete any email with no subject and/or that doesn't come from someone I know).  I don't really do anything special other than being aware of my "surroundings".

 

I think that seeking help from the Tech Team is a great idea.  Odds are that they can help you "tweak" things and perhaps even determine what is happening with your USB.  If you post there, it would be a good idea to post a link back to this thread so that they will have access to the information provided in the logs you posted here.

 

Before doing any of that though... let's cleanup:

 

• Click START then RUN
•  
• Now type ComboFix /Uninstall in the runbox  and click OK.
• Note the space between the X and the U, it needs to be there.
• 

The above procedure will:

• Implement some cleanup procedures.
• Reset System Restore.

 

 

Now to remove most of the tools that we have used in fixing your machine:

• Make sure you have an Internet Connection.
• Download OTC to your desktop and run it
• A list of tool components used in the cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
• Click Yes to begin the cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Please re-enable any security that was disabled.

 

 

If you have any tools or logs left on your system after taking the above steps... just go ahead and delete them.

 

The following is my standard advice for the future.  Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing.  Very important information for your consideration is contained therein.

 

Here is an even better safe computing guide by Digerati - Practicing Safe Computing

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware" 
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions.  Otherwise, this thread will be closed Resolved. 
 

[jeff matthews]

Yeah something deleted WOT or AdBlock through the the whole process some where. It does not matter though, i just re downloaded them. I refuse to surf the internet with out them and im pretty sure they probably mention that in some of those articles you got there.

 

Hmm yeah. Well i use the pc for a variety of things, i do alot of photoshop and video editing work, i also try and download alot of safe applications that enable you to convert file formats and stuff like that but for the most part i think most of those freeware are supposed to be safe and some of it is actually bought software that i use for extensive work that i use from college and also my business. I mean with the work i do, i can't just get away with not downloading any third party software. Their is literally third party apps in everything you do. 

 

One more question, since this site has had a major overhaul, can you explain to me how to locate your topics once they are locked and unavailable. I some times like to refer back to my topics for information.

 

Anyways thanks alot for helping me fix my machine, i will probably end up starting another topic for the other machine that is not used by me but other users and its most likely more infected because my sister does not know safe computing by any means. She goes to sites like third party gaming sites all the time and chat sites, music download sites and video streaming sites which have all kinds of adware/spyware usually. It is just her thing, what she likes to do.

 

I am thinking bout installing comodo security on that machine because its really not user friendly and it has annoying pop ups but it does protect you and warns you if your entering a potentially malicious site or just a questionable site. When i create a new topic ill probably take few steps ahead so they can work faster, i might just do the usually DDS log, a malewarebytes scan and probably CNET scan. That why i can just skip that and they will have enough logs to really look into it and proceed right to cleaning up the machine. 

 

I was thinking bout upgrading to windows 8, i kind of wanted to ask someone personally what they think about that and how they compare and contrast windows 8 to windows 7. But i saw alot of terrible reviews and ratings on amazon and other places bout that OS so i was against it.

 

 

I will definitely take a look at those topics and i will look into the tech team and see if they can sort out the reason behind my faulty USB hubs or controllers.

 

Again thank you very much, you were very informative in the whole process and i even learned a few things and you'll probably see me again in the future lol. But at least for now my machine is clean.  

Edited by jeff matthews, 22 January 2014 - 08:22 PM.

[Tomk]

To find old topics... I believe the easiest way is to click on your name at the upper right of the page and then click on My Content.  This should give you a list of all of your topics.

 

Personally, I only have access to xp machines.  My son, my daughter (neither live at home) and a nephew all have windows 7.  I do have a windows 8 phone and I have a sister in law,  a cousin and another nephew with windows 8.  Seeing as how I'm the family "go to guy" for all computer issues... I have interacted with their systems on occasion.  In my opinion... both are extremely stable systems.  Specifically with the cousin and the two nephews... I will say that I have been called upon to "fix" things for them much less often since they upgraded to the newer operating systems.  I know what you're talking about with all the disparaging comments online in regards to Windows 8, but I kind of like it.  I think its just different enough that people are not used to it and (especially on the internet) people feel compelled to "trash" that which they don't understand.  I don't think it's a flop like vista was and windows me was.  I think it's a good system.  If you post in the tech forums... I imagine that the members of the tech team will have opinions based on more hands on experience than I have.

 

I don't know what Cnet scan is so I can't recommend you run it.

 

Any more questions?

[jeff matthews]

My mistake, i meant "ESET Online Scanner"

 

No further questions, thanks for your time. I will deffintly check out the tech team for support on my other hardware related issues.

[Tomk]

Aw... OK.  I understand now.

 

Good luck and be well!

[Tomk]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

[Tomk]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.