
Malware is making my life difficult [Solved]

Windows7 Laptop Trojan

This topic is locked
35 replies to this topic

#16 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 15 November 2014 - 09:57 PM

Hi SusanT,
 

I saved the output from this on Notepad. Did you want to see it?

Yes, please.

Let's do a little more checking, but I don't believe your issues are primarily malware related. I think it is more of a technical issue between your computer, router and your ISP.
  • Are your settings still being changed? (changed print settings, and changed home page)
  • Can you list the problems you are having in order of severity?
ComboFix

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------
    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

    =========================

    In your next post please provide the following:
    • ComboFix.txt
    • Answers to my questions.

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#17 SusanT

SusanT

    Authentic Member

  • Authentic Member
  • PipPip
  • 69 posts

Posted 17 November 2014 - 05:05 PM

OCD:  I completely missed this reply until now, Monday afternoon.  I'm nursing my husband after knee surgery, and apologize that things are moving more slowly.

 

Here's Output from cmd prompt ipconfig:

 

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Windows\system32>ipconfig /registerdns

Windows IP Configuration

Registration of the DNS resource records for all adapters of this computer has b
een initiated. Any errors will be reported in the Event Viewer in 15 minutes.

C:\Windows\system32>ipconfig /release

Windows IP Configuration

No operation can be performed on Local Area Connection while it has its media di
sconnected.

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2601:9:3980:34f:1928:79dc:3c42:5d90
   Temporary IPv6 Address. . . . . . : 2601:9:3980:34f:289d:d013:8f0:45a0
   Link-local IPv6 Address . . . . . : fe80::1928:79dc:3c42:5d90%11
   Default Gateway . . . . . . . . . : fe80::ea89:2cff:fe29:ac41%11

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.ca.comcast.net.

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 14:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:384f:1531:b3ea:9bac
   Link-local IPv6 Address . . . . . : fe80::384f:1531:b3ea:9bac%18
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.hsd1.ca.comcast.net.:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Windows\system32>ipconfig /renew

Windows IP Configuration

No operation can be performed on Local Area Connection while it has its media di
sconnected.

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : hsd1.ca.comcast.net.
   IPv6 Address. . . . . . . . . . . : 2601:9:3980:34f:1928:79dc:3c42:5d90
   Temporary IPv6 Address. . . . . . : 2601:9:3980:34f:289d:d013:8f0:45a0
   Link-local IPv6 Address . . . . . : fe80::1928:79dc:3c42:5d90%11
   IPv4 Address. . . . . . . . . . . : 10.0.0.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::ea89:2cff:fe29:ac41%11
                                       10.0.0.1

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.ca.comcast.net.

Tunnel adapter isatap.{F79330FB-977D-4E59-A1C1-A1EAFE327D6A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 14:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:34d7:16a0:f5ff:fff7
   Link-local IPv6 Address . . . . . : fe80::34d7:16a0:f5ff:fff7%18
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.hsd1.ca.comcast.net.:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Windows\system32>

 

=====================================

Are your settings still being changed? (changed print settings, and changed home page)

 

Yes. I just logged on to a "blank page" instead of "yahoo.com."

 

I must still run the programs you requested, and will post those later this afternoon / evening, but wanted to respond to you because I haven't been able to get to it.   I believe that most of the issues of malware have been cleared up, if not all. However, I am still running on a wireless connection and my goal is to be able to plug in to avoid some of the traffic.  As noted, when I plugged in before, I experienced more problems.  With your acknowledgement, I will plug in and test it.

 

Susan



#18 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 17 November 2014 - 11:26 PM

Hi SusanT,

Yes, go ahead and plug in and see how the computer performs. Post the remainder of the logs when they are available.
OCD



#19 SusanT

SusanT

    Authentic Member

  • Authentic Member
  • PipPip
  • 69 posts

Posted 19 November 2014 - 03:25 PM

I plugged back into the network yesterday, and have been pretty happy with performance. Which is to say, nothing weird seems to be happening apart from the reassignment of my home page from "yahoo" to "blank" that I mentioned in my last post.

 

Here is the ComboFix log.

 

====================================================

ComboFix 14-11-17.01 - RevSusan 11/18/2014  12:25:03.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4092.2472 [GMT -8:00]
Running from: c:\users\RevSusan\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6426\AddOnDownloaded\c20a0fa8-50ad-45ec-b66b-89e3b80e5e9d.dll
c:\programdata\PCDr\6426\AddOnDownloaded\c5fa7690-30ac-4cb7-b850-264da1f4f57d.dll
c:\programdata\PCDr\6426\AddOnDownloaded\c74f120c-a2fd-45f4-8d64-4b4a27ede296.dll
c:\windows\msdownld.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-18 to 2014-11-18  )))))))))))))))))))))))))))))))
.
.
2014-11-18 20:34 . 2014-11-18 20:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-11-18 20:34 . 2014-11-18 20:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-12 09:15 . 2014-11-12 09:15 -------- d-sh--w- c:\users\RevSusan\AppData\Local\EmieBrowserModeList
2014-11-11 23:26 . 2014-10-18 02:05 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-11 23:26 . 2014-10-18 01:33 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-11-11 23:25 . 2014-11-05 17:56 304640 ----a-w- c:\windows\system32\generaltel.dll
2014-11-11 23:25 . 2014-11-05 17:56 228864 ----a-w- c:\windows\system32\aepdu.dll
2014-11-11 23:25 . 2014-11-05 17:52 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-11-11 23:25 . 2014-10-14 02:16 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-11-11 23:25 . 2014-10-14 02:13 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-11-11 23:25 . 2014-10-14 02:12 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-11-11 23:25 . 2014-10-14 02:09 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-11-11 23:25 . 2014-10-14 02:07 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-11-11 23:25 . 2014-10-14 01:50 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-11-11 23:25 . 2014-10-14 01:47 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-11-11 23:25 . 2014-10-14 01:46 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-11-11 23:25 . 2014-10-14 01:49 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-11-11 23:19 . 2014-08-21 06:43 1882624 ----a-w- c:\windows\system32\msxml3.dll
2014-11-11 23:19 . 2014-08-21 06:26 1237504 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-11-11 23:19 . 2014-08-21 06:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-11-11 23:19 . 2014-08-21 06:23 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2014-11-11 23:18 . 2014-08-12 02:02 878080 ----a-w- c:\windows\system32\IMJP10K.DLL
2014-11-11 23:18 . 2014-08-12 01:36 701440 ----a-w- c:\windows\SysWow64\IMJP10K.DLL
2014-11-11 23:18 . 2014-10-03 02:12 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-11-11 23:18 . 2014-10-03 02:11 284672 ----a-w- c:\windows\system32\EncDump.dll
2014-11-11 23:18 . 2014-10-03 02:11 680960 ----a-w- c:\windows\system32\audiosrv.dll
2014-11-11 23:18 . 2014-10-03 02:11 440832 ----a-w- c:\windows\system32\AudioEng.dll
2014-11-11 23:18 . 2014-10-03 02:11 296448 ----a-w- c:\windows\system32\AudioSes.dll
2014-11-11 23:18 . 2014-10-03 01:44 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
2014-11-11 23:18 . 2014-10-03 01:44 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
2014-11-11 23:18 . 2014-10-03 01:44 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
2014-11-11 22:05 . 2014-11-11 22:05 -------- d-----w- c:\program files (x86)\ESET
2014-11-10 22:11 . 2014-11-10 22:11 -------- d-----w- c:\windows\ERUNT
2014-11-09 10:44 . 2014-11-09 18:31 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-11-07 21:36 . 2014-11-07 21:36 -------- d-----w- c:\users\RevSusan\AppData\Local\Citrix
2014-11-06 23:35 . 2014-11-11 00:19 -------- d-----w- C:\FRST
2014-11-04 20:01 . 2014-11-10 22:07 -------- d-----w- C:\AdwCleaner
2014-11-04 17:47 . 2014-11-13 09:46 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-04 17:46 . 2014-11-09 10:37 96472 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-04 17:46 . 2014-10-01 19:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-04 17:46 . 2014-10-01 19:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-04 17:46 . 2014-11-04 17:46 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-04 17:46 . 2014-11-04 17:46 -------- d-----w- c:\programdata\Malwarebytes
2014-10-28 23:28 . 2014-10-28 23:28 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-10-28 23:28 . 2014-10-28 23:28 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-28 23:28 . 2014-10-28 23:28 -------- d-----w- c:\program files (x86)\Java
2014-10-24 21:55 . 2014-10-24 21:55 -------- d-----w- c:\program files\iPod
2014-10-24 21:55 . 2014-10-24 21:56 -------- d-----w- c:\programdata\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-24 21:55 . 2014-10-24 21:56 -------- d-----w- c:\program files\iTunes
2014-10-24 21:55 . 2014-10-24 21:56 -------- d-----w- c:\program files (x86)\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-17 22:16 . 2012-04-08 21:37 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-17 22:16 . 2011-09-25 16:46 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-12 00:01 . 2010-01-17 01:28 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-09-29 22:45 . 2012-09-19 22:19 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2014-09-29 22:45 . 2012-09-19 22:18 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2014-09-29 22:45 . 2011-02-26 06:36 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2014-09-29 11:16 . 2012-09-19 22:19 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2014-09-28 11:14 . 2011-02-26 06:37 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2014-09-28 11:14 . 2011-02-26 06:36 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2014-09-26 11:52 . 2011-02-26 06:37 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2014-09-25 22:21 . 2012-09-19 22:18 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2014-09-25 02:08 . 2014-10-01 10:23 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-01 10:23 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-09 22:11 . 2014-09-24 10:33 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-24 10:33 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-04 05:23 . 2014-10-15 11:01 424448 ----a-w- c:\windows\system32\rastls.dll
2014-09-04 05:04 . 2014-10-15 11:01 372736 ----a-w- c:\windows\SysWow64\rastls.dll
2014-09-03 00:00 . 2010-06-24 19:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-23 02:07 . 2014-08-27 22:45 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-27 22:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-26 98304]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-26 537992]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-26 537992]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-09-27 271744]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe /firstrun [2009-9-21 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 0146971416264200mcinstcleanup;McAfee Application Installer Cleanup (0146971416264200);c:\windows\TEMP\014697~1.EXE;c:\windows\TEMP\014697~1.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 FastLynx;FastLynx;c:\program files (x86)\FastLynx\FastLynx.sys;c:\program files (x86)\FastLynx\FastLynx.sys [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys;c:\windows\SYSNATIVE\DRIVERS\mfencrk.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe;c:\program files\Dell\DellDock\DockLogin.exe [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe;c:\program files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [x]
S2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe;c:\program files\McAfee\MSC\McAPExe.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys;c:\windows\SYSNATIVE\DRIVERS\mfencbdc.sys [x]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5v64.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PCDSRVC{D3412D80-CF3B4A27-06020200}_0
*Deregistered* - PCDSRVC{D3412D80-CF3B4A27-06020200}_0
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 22:17]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-01-23 305664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-DellSupportCenter - c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
SafeBoot-rpcnet
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-11-18  12:38:06
ComboFix-quarantined-files.txt  2014-11-18 20:38
.
Pre-Run: 219,651,375,104 bytes free
Post-Run: 219,487,879,168 bytes free
.
- - End Of File - - 8321C3A1321387F737C3001D09371FB5
5C616939100B85E558DA92B899A0FC36
 



#20 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 19 November 2014 - 09:15 PM

Hi SusanT ,

Reset Homepage in Browsers

Reset Homepage in Internet Explorer

Open Internet Explorer >Tools >Internet Option >General.


You have two options:
  • One is to set homepage as a blank page.
  • The other is to set a certain website as the homepage (www.yahoo.com).
  • Then click OK to save the change.
=========================

Reset Firefox Homepage
  • Click on the Firefox drop down arrow in the upper left corner of your browser.
  • Select Options, then select Options again.
  • On the General tab, locate the Home Page field.
  • Enter the URL you would like to use as your home page (e.g. http://www.yahoo.com), or select the Restore to Default button.
  • Click OK
=========================

Reset / Change Homepage in Chrome
  • Click the Chrome menu on the browser toolbar.
  • Select Settings.
    • Add the home button to the browser toolbar
      Home page button is off by default. Select the "Show Home button" checkbox in the "Appearance" section to show it on the browser toolbar.
    • Set your home page
      When the "Show Home button" checkbox is selected, a web address appears below it.
      Click Change to enter a link (e.g. http://www.yahoo.com). You can also choose the New Tab page as your home page.
=========================

Reboot & Test

=========================

Report back with the results
OCD



#21 SusanT

SusanT

    Authentic Member

  • Authentic Member
  • PipPip
  • 69 posts

Posted 20 November 2014 - 03:35 PM

Hi OCD,

 

I know how to use IE Explorer Internet Tools / Options to change my home page. What I'm saying is that "something" keeps changing it from "yahoo" (where I want it) to "blank."

 

The only browser I am using is IE Explorer.

 

Have you had any time to review my ComboFix output? Not rushing you... just wondering since you didn't mention it. I'm wondering what I should do with the ComboFix quarantined files.

 

Thanks for all your help.

SusanT



#22 OCD

OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 20 November 2014 - 08:22 PM

Hi SusanT,
 

What I'm saying is that "something" keeps changing it from "yahoo" (where I want it) to "blank."

Does this continue to happen?
 

Have you had any time to review my ComboFix output? Not rushing you... just wondering since you didn't mention it. I'm wondering what I should do with the ComboFix quarantined files.

I have reviewed it. Let's try the script below and see if that eliminates the change. The quarantine files will be removed when we clean up at the end. Those files pose no threat to your system while in the quarantine folder.

=========================

ComboFix Script
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the code-box below into it:
DDS::
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt for further review.

=========================

Reboot & Test

=========================

In your next post please provide the following:
  • ComboFix.txt

OCD



#23 SusanT (Authentic Member, 69 posts)

Posted 22 November 2014 - 03:32 AM

Does this continue to happen?

Yes. Not every time, but often enough that it is irritating.

PLEASE NOTE: Just now, as I am posting this report, I received a message from McAfee "Trojan detected. Please shut down now, so we can fix it."

========================


ComboFix 14-11-18.01 - RevSusan 11/22/2014   0:19.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4092.2532 [GMT -8:00]
Running from: c:\users\RevSusan\Desktop\ComboFix.exe
Command switches used :: c:\users\RevSusan\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6426\AddOnDownloaded\c20a0fa8-50ad-45ec-b66b-89e3b80e5e9d.dll
c:\programdata\PCDr\6426\AddOnDownloaded\c5fa7690-30ac-4cb7-b850-264da1f4f57d.dll
c:\programdata\PCDr\6426\AddOnDownloaded\c74f120c-a2fd-45f4-8d64-4b4a27ede296.dll
c:\programdata\PCDr\6426\AddOnDownloaded\d91042fc-efc1-4f0d-b42b-59310445b856.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-22 to 2014-11-22  )))))))))))))))))))))))))))))))
.
.
2014-11-22 08:28 . 2014-11-22 08:28 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-11-22 08:28 . 2014-11-22 08:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-19 21:19 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-19 21:19 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-19 21:19 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-19 21:19 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-11-12 09:15 . 2014-11-12 09:15 -------- d-sh--w- c:\users\RevSusan\AppData\Local\EmieBrowserModeList
2014-11-11 23:26 . 2014-10-18 02:05 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-11 23:26 . 2014-10-18 01:33 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-11-11 23:25 . 2014-11-05 17:56 304640 ----a-w- c:\windows\system32\generaltel.dll
2014-11-11 23:25 . 2014-11-05 17:56 228864 ----a-w- c:\windows\system32\aepdu.dll
2014-11-11 23:25 . 2014-11-05 17:52 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-11-11 23:25 . 2014-10-14 02:16 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-11-11 23:25 . 2014-10-14 02:13 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-11-11 23:25 . 2014-10-14 02:12 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-11-11 23:25 . 2014-10-14 02:09 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-11-11 23:25 . 2014-10-14 02:07 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-11-11 23:25 . 2014-10-14 01:50 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-11-11 23:25 . 2014-10-14 01:47 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-11-11 23:25 . 2014-10-14 01:46 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-11-11 23:25 . 2014-10-14 01:49 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-11-11 23:19 . 2014-08-21 06:43 1882624 ----a-w- c:\windows\system32\msxml3.dll
2014-11-11 23:19 . 2014-08-21 06:26 1237504 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-11-11 23:19 . 2014-08-21 06:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-11-11 23:19 . 2014-08-21 06:23 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2014-11-11 23:18 . 2014-08-12 02:02 878080 ----a-w- c:\windows\system32\IMJP10K.DLL
2014-11-11 23:18 . 2014-08-12 01:36 701440 ----a-w- c:\windows\SysWow64\IMJP10K.DLL
2014-11-11 23:18 . 2014-10-03 02:12 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-11-11 23:18 . 2014-10-03 02:11 284672 ----a-w- c:\windows\system32\EncDump.dll
2014-11-11 23:18 . 2014-10-03 02:11 680960 ----a-w- c:\windows\system32\audiosrv.dll
2014-11-11 23:18 . 2014-10-03 02:11 440832 ----a-w- c:\windows\system32\AudioEng.dll
2014-11-11 23:18 . 2014-10-03 02:11 296448 ----a-w- c:\windows\system32\AudioSes.dll
2014-11-11 23:18 . 2014-10-03 01:44 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
2014-11-11 23:18 . 2014-10-03 01:44 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
2014-11-11 23:18 . 2014-10-03 01:44 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
2014-11-11 22:05 . 2014-11-11 22:05 -------- d-----w- c:\program files (x86)\ESET
2014-11-10 22:11 . 2014-11-10 22:11 -------- d-----w- c:\windows\ERUNT
2014-11-09 10:44 . 2014-11-09 18:31 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-11-07 21:36 . 2014-11-07 21:36 -------- d-----w- c:\users\RevSusan\AppData\Local\Citrix
2014-11-06 23:35 . 2014-11-11 00:19 -------- d-----w- C:\FRST
2014-11-04 20:01 . 2014-11-10 22:07 -------- d-----w- C:\AdwCleaner
2014-11-04 17:47 . 2014-11-20 18:52 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-04 17:46 . 2014-11-09 10:37 96472 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-04 17:46 . 2014-10-01 19:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-04 17:46 . 2014-10-01 19:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-04 17:46 . 2014-11-04 17:46 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-04 17:46 . 2014-11-04 17:46 -------- d-----w- c:\programdata\Malwarebytes
2014-10-28 23:28 . 2014-10-28 23:28 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-10-28 23:28 . 2014-10-28 23:28 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-28 23:28 . 2014-10-28 23:28 -------- d-----w- c:\program files (x86)\Java
2014-10-24 21:55 . 2014-10-24 21:55 -------- d-----w- c:\program files\iPod
2014-10-24 21:55 . 2014-10-24 21:56 -------- d-----w- c:\programdata\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-24 21:55 . 2014-10-24 21:56 -------- d-----w- c:\program files\iTunes
2014-10-24 21:55 . 2014-10-24 21:56 -------- d-----w- c:\program files (x86)\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-17 22:16 . 2012-04-08 21:37 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-17 22:16 . 2011-09-25 16:46 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-12 00:01 . 2010-01-17 01:28 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-09-29 22:45 . 2012-09-19 22:19 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2014-09-29 22:45 . 2012-09-19 22:18 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2014-09-29 22:45 . 2011-02-26 06:36 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2014-09-29 11:16 . 2012-09-19 22:19 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2014-09-28 11:14 . 2011-02-26 06:37 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2014-09-28 11:14 . 2011-02-26 06:36 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2014-09-26 11:52 . 2011-02-26 06:37 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2014-09-25 22:21 . 2012-09-19 22:18 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2014-09-25 02:08 . 2014-10-01 10:23 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-01 10:23 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-09 22:11 . 2014-09-24 10:33 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-24 10:33 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-04 05:23 . 2014-10-15 11:01 424448 ----a-w- c:\windows\system32\rastls.dll
2014-09-04 05:04 . 2014-10-15 11:01 372736 ----a-w- c:\windows\SysWow64\rastls.dll
2014-09-03 00:00 . 2010-06-24 19:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-26 98304]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-26 537992]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-26 537992]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-09-27 271744]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe /firstrun [2009-9-21 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 0146971416264200mcinstcleanup;McAfee Application Installer Cleanup (0146971416264200);c:\windows\TEMP\014697~1.EXE;c:\windows\TEMP\014697~1.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys;c:\windows\SYSNATIVE\DRIVERS\mfencrk.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe;c:\program files\Dell\DellDock\DockLogin.exe [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe;c:\program files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [x]
S2 McAPExe;McAfee AP Service;c:\program files\McAfee\MSC\McAPExe.exe;c:\program files\McAfee\MSC\McAPExe.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 NitroReaderDriverReadSpool3;NitroPDFReaderDriverCreatorReadSpool3;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe;c:\program files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys;c:\windows\SYSNATIVE\DRIVERS\mfencbdc.sys [x]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5v64.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PCDSRVC{D3412D80-CF3B4A27-06020200}_0
*NewlyCreated* - WS2IFSL
*Deregistered* - PCDSRVC{D3412D80-CF3B4A27-06020200}_0
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 22:17]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-01-23 305664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
.
------- Supplementary Scan -------
.
uLocal Page = %SystemRoot%\system32\blank.htm
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-11-22  00:31:41
ComboFix-quarantined-files.txt  2014-11-22 08:31
ComboFix2.txt  2014-11-18 20:38
.
Pre-Run: 217,373,519,872 bytes free
Post-Run: 217,295,015,936 bytes free
.
- - End Of File - - 023E8F67EEC3FE144129B188ACC4B808
5C616939100B85E558DA92B899A0FC36
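An added triage helper, not ComboFix's or the forum's own code, that parses the kinds of lines seen in the log above: the DDS-style start-page lines that the CFScript in the previous post targets (u = HKCU, m = HKLM), the Run-key autostart entries, and the service/driver lines, flagging any image that launches from a temp folder. The sample log is constructed from a few lines of this log; the "Updater" Run entry and its upd.exe path are made up for illustration.

```python
"""Triage helper for a ComboFix log (added example; not ComboFix's or the forum's code).
Pulls out the IE start-page lines under "Supplementary Scan" (DDS notation: u = HKCU,
m = HKLM), the Run-key autostart entries under "Reg Loading Points", and the
R0-R3 / S0-S3 service or driver lines whose image file lives in a temp folder."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the log in the thread, plus one
# made-up Run entry ("Updater") so the temp-folder check has something to flag.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2014-04-26 537992]
"Updater"="c:\users\Guest\AppData\Local\Temp\upd.exe" [2014-11-20 12345]
.
R2 0146971416264200mcinstcleanup;McAfee Application Installer Cleanup (0146971416264200);c:\windows\TEMP\014697~1.EXE;c:\windows\TEMP\014697~1.EXE [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
.
------- Supplementary Scan -------
.
uLocal Page = %SystemRoot%\system32\blank.htm
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
"""

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?: \[(?P<date>\S+) (?P<size>\d+)\])?$')
SERVICE = re.compile(r'^(?P<type>[RS][0-3]) (?P<name>[^;]+);[^;]*;(?P<image>[^;]*);.*?(?: \[x\])?$')
START_PAGE = re.compile(r'^(?P<scope>[um])(?P<key>Start Page|Local Page|Default_Page_URL) = (?P<value>.+)$')
TEMP_DIR = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)

@dataclass
class Entry:
    kind: str       # "run" (registry Run value) or "service" (service/driver line)
    name: str
    image: str      # executable or driver the entry points at
    location: str   # the Run key for "run", the start type (R2, S3, ...) for "service"

@dataclass
class Triage:
    start_pages: dict = field(default_factory=dict)   # {"mStart Page": "about:blank", ...}
    entries: list = field(default_factory=list)

def parse_combofix(text: str) -> Triage:
    """Walk the log line by line; a '.' or blank line ends the current registry key."""
    triage = Triage()
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[HKEY"):
            current_key = line.strip("[]")
        elif line in (".", ""):
            current_key = None
        elif (m := RUN_VALUE.match(line)) and current_key and current_key.lower().endswith("\\run"):
            triage.entries.append(Entry("run", m["name"], m["path"], current_key))
        elif m := SERVICE.match(line):
            triage.entries.append(Entry("service", m["name"], m["image"], m["type"]))
        elif m := START_PAGE.match(line):
            triage.start_pages[m["scope"] + m["key"]] = m["value"]
    return triage

def temp_folder_entries(triage: Triage) -> list:
    """Autostarts and services whose image lives in a temp folder. A triage
    heuristic, not a verdict: an installer's cleanup stub can legitimately sit
    there, but anything launching from Temp deserves a second look."""
    return [e for e in triage.entries if TEMP_DIR.search(e.image)]

def start_page_findings(triage: Triage, expected: dict) -> list:
    """expected maps DDS-style keys (e.g. "uStart Page") to the value the user
    wants; returns one line per key whose logged value is missing or differs."""
    findings = []
    for key, want in expected.items():
        got = triage.start_pages.get(key)
        scope = "HKCU" if key.startswith("u") else "HKLM"
        if got is None:
            findings.append(f"{scope} {key[1:]}: not listed in this log")
        elif got.lower() != want.lower():
            findings.append(f"{scope} {key[1:]}: {got!r} (expected {want!r})")
    return findings
```

Feed a full ComboFix.txt to parse_combofix to get the same two review lists; the temp-folder hit on McAfee's own installer cleanup stub is a reminder that the output is a list to review, not a verdict.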
 



#24 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 22 November 2014 - 09:24 AM

Hi SusanT,

PLEASE NOTE: Just now, as I am posting this report, I received a message from McAfee "Trojan detected. Please shut down now, so we can fix it."

It might be a "false positive". Do you have any additional information as to what program and/or file was being flagged?

=========================

This is different from the previous step in IE we took to address this.

Reset Internet Explorer

Go to the Start menu > Control Panel > Look in the upper right hand corner and make sure the "Category" drop-down menu says Small or Large Icons.

Locate Internet Options > Advanced tab > Reset button at the bottom of the menu.

[image: IEInternetProperties_zpsc88d70d4.gif]

Next you will be presented with the following window. Please read what changes will take place if you choose to reset. If you would like to remove all personal settings, tick the small box before clicking Reset. Otherwise, leave it unchecked.

[image: IEResetSettings_zpsdffc342d.gif]

Click OK to complete.

=========================

Reboot & Test


OCD



#25 SusanT (Authentic Member, 69 posts)

Posted 22 November 2014 - 11:01 AM

OCD: I reset IE Explorer. I seem to have lost my Favorites and the bar across the top with my most used sites. The computer is a bit slow, but I'm going to venture a guess that that's because everything has been flushed. Also, I have unplugged the home network connection and am running on the Wi-Fi connection again. I don't have time to do a complete test since I'm leaving town, and will be traveling for the next few hours, but will take this beast with me and do more testing this evening.

SusanT




#26 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 22 November 2014 - 08:22 PM

:thumbup:


OCD



#27 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 25 November 2014 - 09:10 AM

Hi SusanT,

Just checking in to see if you still need help?
OCD



#28 SusanT (Authentic Member, 69 posts)

Posted 25 November 2014 - 11:56 AM

Hi OCD.

I apologize for not getting back to you sooner. I will be traveling back home today -- driving about 6 hours -- and will be "back at it" after that. I have not used my computer at all on this very quick and long driving trip. I still have not had time to explore how to set up my favorites and the top bar with quick access links on IE Explorer. I did not delete personal settings, so I know they are there. I just haven't had time to play with it. I am on a local wireless network as a guest in my host's home, and it seems to be working, albeit a little slow. Again there are many wireless networks in this immediate vicinity, just like there are in my own home.

Thanks so much for your patience, understanding, and help!

SusanT



#29 OCD (SuperHelper, Malware Team, 5,574 posts)

Posted 25 November 2014 - 03:06 PM

Hi SusanT,

No problem, just post an update when you can. :thumbup:


OCD



#30 SusanT (Authentic Member, 69 posts)

Posted 27 November 2014 - 12:18 PM

Hi OCD. I have been using my computer and have IE set up the way I like it with my personal bar and favorites. So far everything seems to be great! I'm plugged in to the internet, so the speed seems to be better, and so far I have no more messages. I am not feeling overly confident that this will continue to be the case, but so far, so good.

Grateful today for you and all the techies who spend their time helping all of us!

SusanT

