dllhost.exe *32 COM Surrogate and Windows Update


dllhost.exe *32 COM Surrogate and Windows Update

Post by thisdj1 on Mon 27 Jan 2014, 5:13 am

I was recently affected by a virus, apparently. I have over 20 instances of this process running now: dllhost.exe *32 COM Surrogate. I am also unable to use the Windows Update function; I get an error when trying to do so. I will run the 3 logs shortly and post the results in the next 3 replies. Thanks for your help.

thisdj1

Rookie Surfer

Posts : 56
Joined : 2009-01-10
Operating System : Windows XP

AdwCleaner Log

Post by thisdj1 on Mon 27 Jan 2014, 5:45 am

# AdwCleaner v3.017 - Report created 26/01/2014 at 12:38:07
# Updated 12/01/2014 by Xplode
# Operating System : Windows (TM) Vista Home Premium Service Pack 2 (64 bits)
# Username : Premiere Sound&Light - PREMIERESOUN-PC
# Running from : C:\Users\Premiere Sound&Light\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

[!] Folder Deleted : C:\ProgramData\Conduit
[!] Folder Deleted : C:\Program Files (x86)\Ask.com
[!] Folder Deleted : C:\Program Files (x86)\Conduit
[!] Folder Deleted : C:\Program Files (x86)\Free Offers from Freeze.com
[!] Folder Deleted : C:\Program Files (x86)\iMesh Applications
[!] Folder Deleted : C:\Program Files (x86)\sweetpacks bundle uninstaller
[!] Folder Deleted : C:\Program Files (x86)\vShare
[!] Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
[!] Folder Deleted : C:\Windows\SysWOW64\Searchprotect
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Conduit
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\Local\iMesh
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\Local\NativeMessaging
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\Local\PackageAware
[!] Folder Deleted : C:\Users\PREMIE~1\AppData\Local\Temp\AskSearch
[!] Folder Deleted : C:\Users\PREMIE~1\AppData\Local\Temp\NativeMessaging
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\LocalLow\AskToolbar
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\LocalLow\Conduit
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\LocalLow\Dealio
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\LocalLow\imeshbandmltbpi
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\LocalLow\Search Settings
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\LocalLow\vShare
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\Roaming\OpenCandy
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\Roaming\Searchprotect
[!] Folder Deleted : C:\Users\Premiere Sound&Light\Documents\iMesh
[!] Folder Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcajpdcjfekhfnapaiphaecoajeollnc
File Deleted : C:\END
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage-journal
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_facebook.conduitapps.com_0.localstorage
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_facebook.conduitapps.com_0.localstorage-journal
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_fastcontent.conduit.com_0.localstorage
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_fastcontent.conduit.com_0.localstorage-journal
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\user data\default\local storage\hxxp_pricegong.conduitapps.com_0.localstorage
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\user data\default\local storage\hxxp_pricegong.conduitapps.com_0.localstorage-journal
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage
File Deleted : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage-journal
File Deleted : C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\pcajpdcjfekhfnapaiphaecoajeollnc
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pcajpdcjfekhfnapaiphaecoajeollnc
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Search Settings
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\IMsiDe1egate.Application.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3299568
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{28387537-E3F9-4ED7-860C-11E69AF4A8A0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{20ED5AF7-D9C4-409E-9EB3-D2A44A77FB6D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28387537-E3F9-4ED7-860C-11E69AF4A8A0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28387537-E3F9-4ED7-860C-11E69AF4A8A0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{28387537-E3F9-4ED7-860C-11E69AF4A8A0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{28387537-E3F9-4ED7-860C-11E69AF4A8A0}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\Imesh
Key Deleted : HKCU\Software\vShare
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\AskToolbarInfo
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Dealio
Key Deleted : HKCU\Software\AppDataLow\Software\mediabarim
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\Search Settings
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94C3BB3A-56A1-43DE-A242-8B41F46E97EF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vShare
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{94C3BB3A-56A1-43DE-A242-8B41F46E97EF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\vShare
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16421

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Google Chrome v32.0.1700.76

[ File : C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [12295 octets] - [26/01/2014 12:14:45]
AdwCleaner[S0].txt - [11208 octets] - [26/01/2014 12:38:07]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [11269 octets] ##########


Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by Superdave on Mon 27 Jan 2014, 6:48 am

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
I'll wait until you post the other logs and we'll go from there.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by thisdj1 on Mon 27 Jan 2014, 2:42 pm

OK, so I ran an MBAM quick scan earlier today and it found multiple issues. I removed those issues and received a log of the action. Since I started this thread I have run 2 full scans totalling around 7 hours and I am unable to get a log. The first time, it found several additional issues and I removed them. MBAM then froze and had to be restarted. When I got it back up the located issues were in quarantine so I deleted them. However, it didn't create a log for that scan. So I did another full scan. This time it just found 1 issue. It was as follows: PUP.Optional.Conduit.A; the location of the file is C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568. I will go ahead and post the log from the quick scan from earlier today in case it might help. Hopefully we can find a way to use it because I don't know what else to do. Here it is:

Malwarebytes Anti-Malware 1.75.0.1300

Database version: v2014.01.26.05

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Premiere Sound&Light :: PREMIERESOUN-PC [administrator]

1/26/2014 11:13:24 AM
mbam-log-2014-01-26 (11-13-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229148
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Premiere Sound&Light\AppData\Local\DRMMobiledll32\CyberLink\pbpez.dll (Trojan.RedirRdll3.Gen) -> Delete on reboot.

Registry Keys Detected: 1
HKCU\Software\Datamngr (PUP.Optional.DataMngr.A) -> No action taken.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|14371 (Trojan.Agent) -> Data: c:\progra~3\msdonac.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sp (Trojan.Proxy) -> Data: C:\Windows\sysWOW64\rundll32.exe "C:\Users\Premiere Sound&Light\AppData\Roaming\Acer\sp.DLL",ServiceMain -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|CyberLink (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Users\Premiere Sound&Light\AppData\Local\DRMMobiledll32\CyberLink\pbpez.dll",CreateInstance -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit) -> Bad: (http://search.conduit.com?SearchSource=10&CUI=UN41135055223241728&UM=2&ctid=CT3299568&SSPV=&UP=SP239C66C8-F5FD-4A46-9F42-57E3E5849E95) Good: (http://www.google.com) -> No action taken.

Folders Detected: 6
C:\Users\Premiere Sound&Light\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Roaming\OpenCandy\0A87417F64C045839E998A9F0F51BBF3 (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Roaming\OpenCandy\CBDB59F6392B424086CFD3C8BEB3A2B3 (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568 (PUP.Optional.Conduit.A) -> No action taken.
C:\ProgramData\Conduit\IE (PUP.Optional.Conduit.A) -> No action taken.
C:\ProgramData\Conduit\IE\CT3299568 (PUP.Optional.Conduit.A) -> No action taken.

Files Detected: 55
C:\Users\Premiere Sound&Light\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.3.8.windows.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Roaming\OpenCandy\0A87417F64C045839E998A9F0F51BBF3\mconduitinstaller.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Roaming\SearchProtect\Res\SPSetup.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\FreemakeVideoConverter_4.1.2.1.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\nslD491.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\nsm3617.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\nsn30BB.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\nst2E6A.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\nsx708B.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\SPStub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\AU\SPSetup.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\chLogic.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\ctbe.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\ieLogic.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\spch.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\statisticsStub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\stub.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Windows\temp\nscC636.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Windows\temp\nsnD86E.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Windows\temp\nssCC11.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Windows\temp\nsx3687.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Windows\temp\des8A1D\update.desktop.exe (PUP.Optional.OutFoxTv) -> No action taken.
C:\Windows\temp\dts8A2D\update.service.exe (PUP.Optional.OutFoxTv) -> No action taken.
C:\Users\Premiere Sound&Light\Downloads\FreemakeVideoConverterSetup.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\Downloads\iLividSetup.exe (PUP.Optional.Bandoo) -> No action taken.
C:\Users\Premiere Sound&Light\Downloads\Video_Converter_TSV41CO8W.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pricegong.conduitapps.com_0.localstorage (PUP.Optional.Pricegong) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pricegong.conduitapps.com_0.localstorage-journal (PUP.Optional.Pricegong) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Roaming\OpenCandy\CBDB59F6392B424086CFD3C8BEB3A2B3\OutfoxTV_bg_silent_180.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Roaming\OpenCandy\CBDB59F6392B424086CFD3C8BEB3A2B3\OutFoxTV_p1v3.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\chromeid.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\CT3299568.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\initdata.json (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\manifest.json (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Premiere Sound&Light\AppData\Local\temp\ct3299568\setup.ini.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\ProgramData\Conduit\IE\CT3299568\UninstallerUI.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\ProgramData\msdonac.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Roaming\Acer\sp.DLL (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\ProgramData\635X8ip4.exe (Spyware.Zbot.DGen) -> Quarantined and deleted successfully.
C:\ProgramData\635X8ip4.exe_ (Spyware.Zbot.DGen) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Roaming\verison.dll (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Roaming\Acer\sp.DLL_ (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpM3Util.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\0.32441757762549006 (Trojan.Happili) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\124kkk290347.exe (Spyware.Zbot.DGen) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\7398.tmp (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\F1AD.tmp (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\hiinokom.exe (Trojan.Downloader.ED) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\rad71527.tmp.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\UpdateFlashPlayer_6313dc7b.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\vxbnle.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\Local Settings\5d3077f6.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\5d3077f6.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\temp\0.600748031169933 (Exploit.Drop.9) -> Quarantined and deleted successfully.
C:\Users\Premiere Sound&Light\AppData\Local\DRMMobiledll32\CyberLink\pbpez.dll (Trojan.RedirRdll3.Gen) -> Delete on reboot.

(end)



Security Check Log

Post by thisdj1 on Mon 27 Jan 2014, 2:49 pm

I'm not sure how much info is going to be contained in this log. For the most part during the test it just said the system file cannot be found. But here are the results from the check.

Results of screen317's Security Check version 0.99.79
x64
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
AVG Anti-Virus Free Edition 2011
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Java(TM) 6 Update 24
Java version out of Date!
Adobe Flash Player 11.9.900.170
Google Chrome 31.0.1650.63
Google Chrome 32.0.1700.76
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````


Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by Superdave on Tue 28 Jan 2014, 5:33 am

You will need to run MBAM again, make sure that all infections are checked and click on "Remove Selected."

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.


Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by thisdj1 on Tue 28 Jan 2014, 4:12 pm

I have updated my Java to the current version and removed the old version. I also ran a full MBAM scan and no threats were found. What would you like me to do next? Thanks!


Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by Superdave on Wed 29 Jan 2014, 5:19 am

Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.



Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by thisdj1 on Thu 30 Jan 2014, 1:08 am

Well, Windows Update is now working again. However, I get a dialogue box that opens when I try to open Windows Security Center saying that it is unable to open. I'm also unable to open Windows Defender or Windows Firewall. I also tried removing my old version of AVG and it won't uninstall, even using the AVG uninstall tool. I also get a box with RUNDLL at the top of it every time I start up the computer saying it's unable to open a specified file. It's some sort of temporary file. The issue with the surrogate is still extremely bad. The computer is running at about 90% memory because of all of the processes that are running.

I've completed the steps from your last post and here is the log from that check.

Malwarebytes Anti-Rootkit BETA 1.07.0.1009

Database version: v2013.10.02.12

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Premiere Sound&Light :: PREMIERESOUN-PC [administrator]

1/28/2014 8:57:22 PM
mbar-log-2014-01-28 (20-57-22).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 291525
Time elapsed: 1 hour(s), 6 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume2\Users\PREMIE~1\AppData\Local\temp\sxpesis\sxcsuxh\wow.dll) Good: (SHELL32.dll) -> Replace on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

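The MBAR log above reports a per-user CLSID whose InprocServer32 value points at a DLL under the temp folder (Hijack.SHELL32). A CLSID registered under HKCU\Software\Classes is resolved before the same CLSID under HKLM for that user, so this is the classic COM hijack pattern. The PowerShell script below is an added example, not a tool from this thread or from Malwarebytes: it enumerates per-user COM class registrations and reports those that override a machine-wide CLSID or resolve to a user-writable folder. The list of suspicious folders and the mapping of \\?\globalroot\Device\HarddiskVolumeN to the system drive are assumptions for illustration; the script only reads the registry and removes nothing.

```powershell
# Added example: list per-user (HKCU) COM in-process server registrations and
# flag those matching the hijack pattern from the MBAR log. Read-only.

function Get-UserComOverride {
    [CmdletBinding()]
    param(
        # Folders where a legitimately registered in-process server would not
        # normally live (assumed list; extend to taste).
        [string[]]$SuspiciousRoots = @(
            (Join-Path $env:LOCALAPPDATA 'Temp'),
            $env:TEMP,
            $env:APPDATA,
            $env:ProgramData,
            (Join-Path $env:SystemRoot 'Temp')
        )
    )

    # Both the native and the 32-bit (Wow6432Node) per-user class roots.
    $userClsidRoots = @('HKCU:\Software\Classes\CLSID',
                        'HKCU:\Software\Classes\Wow6432Node\CLSID')

    foreach ($root in $userClsidRoots) {
        if (-not (Test-Path $root)) { continue }

        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid  = $_.PSChildName
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path $inproc)) { return }

            # The DLL path is the key's default value.
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $dll) { return }

            # Normalise the \\?\globalroot\Device\HarddiskVolumeN form seen in the
            # MBAR log. Assumption: that volume is the system drive; on a multi-volume
            # machine map it properly before trusting FileExists.
            $resolved = $dll -replace '^\\\\\?\\globalroot\\Device\\HarddiskVolume\d+', "$($env:SystemDrive)"
            $resolved = [Environment]::ExpandEnvironmentVariables($resolved).Trim('"')

            # Does the same CLSID also exist machine-wide? If so, the HKCU key is an
            # override that wins for this user, which is what a COM hijack relies on.
            $machineRoot = $root -replace '^HKCU:\\Software\\Classes', 'HKLM:\SOFTWARE\Classes'
            $overridesMachineClass = Test-Path (Join-Path $machineRoot $clsid)

            $inSuspiciousRoot = $false
            foreach ($r in $SuspiciousRoots) {
                if ($r -and $resolved.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) {
                    $inSuspiciousRoot = $true
                    break
                }
            }

            [pscustomobject]@{
                CLSID              = $clsid
                InprocServer32     = $dll
                ResolvedPath       = $resolved
                # A bare file name (e.g. shell32.dll) is resolved by the loader's
                # search order, so FileExists is only meaningful for full paths.
                FileExists         = Test-Path -LiteralPath $resolved -PathType Leaf
                OverridesHKLM      = $overridesMachineClass
                InUserWritableRoot = $inSuspiciousRoot
            }
        }
    }
}

# Show the entries that match the hijack pattern first.
Get-UserComOverride |
    Sort-Object -Property InUserWritableRoot, OverridesHKLM -Descending |
    Format-Table -AutoSize
```

An entry with both OverridesHKLM and InUserWritableRoot set to True is the shape of the finding in the log (a SHELL32 CLSID redirected to wow.dll under AppData\Local\temp). Because a surrogate host re-reads the registry each time the class is instantiated, a cleanup that only deletes the DLL leaves the registration to be recreated or to fail on every use; the registry value and the file need to be dealt with together, which is why the same item keeps reappearing in repeated scans until the key itself is removed or restored.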

Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by Superdave on Thu 30 Jan 2014, 6:34 am

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Superdave
Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by thisdj1 on Thu 30 Jan 2014, 1:40 pm

I was finally able to get ComboFix to fully run and create a log. I should note that I have run the Rootkit program 5 times and every time it continues to find this: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32)

That is even after running Combofix. I am also still getting the RUNDLL box upon startup where it says it can't find the temporary file I noted in an earlier post. On a brighter note, my Windows Security is finally working again where I can turn on Windows Defender and my Firewall. I have also been able to download approximately 180 Windows Updates as I was unable to do it the past couple of years.

AVG still won't uninstall and I still have 20-25 of the COM Surrogate processes running, even though they are using less memory than they had before.

Here is the log from Combofix. I'm looking forward to what the next step is.


ComboFix 14-01-29.01 - Premiere Sound&Light 01/29/2014  19:30:03.5.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3996.1524 [GMT -6:00]
Running from: c:\users\Premiere Sound&Light\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\635X8ip4.exe.b
c:\programdata\635X8ip4.exe_.b
c:\users\PREMIE~1\AppData\Local\Temp\RtkBtMnt.exe
c:\users\Premiere Sound&Light\AppData\Local\temp\RtkBtMnt.exe
D:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-28 to 2014-01-30  )))))))))))))))))))))))))))))))
.
.
2014-01-30 01:47 . 2014-01-30 01:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-01-30 01:47 . 2014-01-30 01:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-30 00:55 . 2013-12-16 07:54 10315576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4984D58C-B6E5-4FBC-B1E3-D98415F732C2}\mpengine.dll
2014-01-29 23:04 . 2014-01-29 23:04 -------- d-----w- c:\windows\Migration
2014-01-29 04:25 . 2014-01-29 04:25 -------- d-----w- c:\users\Premiere Sound&Light\AppData\Local\Avg2013
2014-01-29 03:06 . 2014-01-29 03:06 -------- d-----w- c:\users\Premiere Sound&Light\AppData\Local\Avg2014
2014-01-29 02:57 . 2014-01-29 23:58 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-29 02:57 . 2014-01-29 23:05 119000 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-01-29 02:56 . 2014-01-29 04:16 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-01-28 05:59 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2014-01-28 05:59 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2014-01-28 05:59 . 2009-07-14 12:19 20480 ----a-w- c:\windows\system32\winusb.dll
2014-01-28 05:59 . 2009-07-14 12:12 16896 ----a-w- c:\windows\SysWow64\winusb.dll
2014-01-28 05:58 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2014-01-28 05:58 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2014-01-28 05:58 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2014-01-28 05:58 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2014-01-28 05:58 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2014-01-28 05:58 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2014-01-28 05:56 . 2013-11-15 01:37 2334720 ----a-w- c:\windows\system32\jscript9.dll
2014-01-28 05:44 . 2009-10-09 21:56 2048 ----a-w- c:\windows\SysWow64\winrsmgr.dll
2014-01-28 05:43 . 2009-08-01 06:27 201184 ----a-w- c:\windows\SysWow64\winrm.vbs
2014-01-28 05:30 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2014-01-28 05:30 . 2012-02-29 15:11 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2014-01-28 05:30 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2014-01-28 05:19 . 2014-01-28 05:21 -------- d-----w- c:\windows\system32\MRT
2014-01-28 05:03 . 2014-01-28 05:03 -------- d-----w- c:\users\Premiere Sound&Light\AppData\Roaming\Oracle
2014-01-28 04:58 . 2014-01-28 04:58 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-01-28 04:56 . 2014-01-28 04:55 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-01-28 03:14 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
2014-01-28 03:14 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
2014-01-28 03:14 . 2011-03-02 16:12 221696 ----a-w- c:\windows\system32\dnsapi.dll
2014-01-28 03:14 . 2011-03-02 16:12 117760 ----a-w- c:\windows\system32\dnsrslvr.dll
2014-01-28 03:14 . 2009-05-04 10:21 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2014-01-28 03:14 . 2009-05-04 09:59 25088 ----a-w- c:\windows\SysWow64\dnscacheugc.exe
2014-01-28 03:14 . 2013-05-02 04:16 686080 ----a-w- c:\windows\system32\win32spl.dll
2014-01-28 03:14 . 2013-05-02 04:04 443904 ----a-w- c:\windows\SysWow64\win32spl.dll
2014-01-28 03:14 . 2013-05-02 04:03 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2014-01-28 03:11 . 2012-09-25 16:31 91648 ----a-w- c:\windows\system32\synceng.dll
2014-01-28 03:11 . 2012-09-25 16:19 75776 ----a-w- c:\windows\SysWow64\synceng.dll
2014-01-28 03:11 . 2011-12-14 16:38 621056 ----a-w- c:\windows\system32\msvcrt.dll
2014-01-28 03:11 . 2011-12-14 16:17 680448 ----a-w- c:\windows\SysWow64\msvcrt.dll
2014-01-28 03:11 . 2013-03-03 19:13 1513320 ----a-w- c:\windows\system32\drivers\ntfs.sys
2014-01-28 03:11 . 2011-02-18 14:18 450560 ----a-w- c:\windows\system32\drivers\srv.sys
2014-01-28 03:07 . 2013-08-01 04:10 901568 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-01-28 03:07 . 2013-08-01 03:37 47104 ----a-w- c:\windows\system32\cdd.dll
2014-01-28 03:07 . 2012-03-01 11:01 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2014-01-28 03:07 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2014-01-28 03:07 . 2013-06-15 13:27 20480 ----a-w- c:\windows\system32\icaapi.dll
2014-01-28 03:07 . 2013-06-15 11:38 29184 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2014-01-28 03:07 . 2013-04-24 02:10 1078272 ----a-w- c:\windows\system32\certutil.exe
2014-01-28 03:07 . 2013-04-24 01:46 812544 ----a-w- c:\windows\SysWow64\certutil.exe
2014-01-28 03:07 . 2013-04-24 04:09 50688 ----a-w- c:\windows\system32\certenc.dll
2014-01-28 03:07 . 2013-04-24 04:00 41984 ----a-w- c:\windows\SysWow64\certenc.dll
2014-01-28 03:06 . 2013-06-01 04:19 619008 ----a-w- c:\windows\system32\qedit.dll
2014-01-28 03:06 . 2013-06-01 04:06 505344 ----a-w- c:\windows\SysWow64\qedit.dll
2014-01-28 03:04 . 2012-09-28 16:34 1210368 ----a-w- c:\windows\system32\kernel32.dll
2014-01-28 03:04 . 2013-04-17 13:04 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2014-01-28 03:04 . 2013-04-17 12:30 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2014-01-28 03:03 . 2013-07-10 09:42 1303552 ----a-w- c:\windows\system32\rpcrt4.dll
2014-01-28 03:03 . 2013-07-10 09:47 677888 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2014-01-28 03:01 . 2011-06-15 16:16 180736 ----a-w- c:\windows\system32\xmllite.dll
2014-01-28 03:01 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2014-01-28 03:01 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2014-01-28 03:01 . 2011-11-16 16:43 442368 ----a-w- c:\windows\system32\winhttp.dll
2014-01-28 03:01 . 2011-11-16 16:23 377344 ----a-w- c:\windows\SysWow64\winhttp.dll
2014-01-28 03:01 . 2011-10-14 17:31 211968 ----a-w- c:\windows\system32\winmm.dll
2014-01-28 03:01 . 2011-10-14 17:27 48128 ----a-w- c:\windows\system32\mcicda.dll
2014-01-28 03:01 . 2011-10-14 17:27 28672 ----a-w- c:\windows\system32\mciwave.dll
2014-01-28 03:01 . 2011-10-14 17:27 28160 ----a-w- c:\windows\system32\mciseq.dll
2014-01-28 03:01 . 2011-10-14 16:03 189952 ----a-w- c:\windows\SysWow64\winmm.dll
2014-01-28 03:01 . 2011-10-14 16:00 23552 ----a-w- c:\windows\SysWow64\mciseq.dll
2014-01-28 03:00 . 2013-10-03 15:02 1278976 ----a-w- c:\windows\system32\crypt32.dll
2014-01-28 03:00 . 2013-10-03 12:45 993792 ----a-w- c:\windows\SysWow64\crypt32.dll
2014-01-28 03:00 . 2011-07-06 15:49 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2014-01-28 03:00 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2014-01-28 03:00 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2014-01-28 02:58 . 2013-07-03 02:22 31616 ----a-w- c:\windows\system32\drivers\hidparse.sys
2014-01-28 02:58 . 2012-08-21 11:50 267648 ----a-w- c:\windows\system32\drivers\volsnap.sys
2014-01-28 02:56 . 2013-07-05 04:45 1423808 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-01-28 02:50 . 2011-02-24 16:38 991104 ----a-w- c:\windows\system32\winresume.efi
2014-01-28 02:50 . 2011-02-24 16:38 979840 ----a-w- c:\windows\system32\winresume.exe
2014-01-28 02:50 . 2011-02-24 16:37 1076608 ----a-w- c:\windows\system32\winload.efi
2014-01-28 02:50 . 2011-02-24 16:37 1063296 ----a-w- c:\windows\system32\winload.exe
2014-01-28 02:50 . 2011-02-24 16:37 20864 ----a-w- c:\windows\system32\kdusb.dll
2014-01-28 02:50 . 2011-02-24 16:37 18816 ----a-w- c:\windows\system32\kd1394.dll
2014-01-28 02:50 . 2011-02-24 16:37 17792 ----a-w- c:\windows\system32\kdcom.dll
2014-01-28 02:50 . 2013-07-16 09:25 689152 ----a-w- c:\windows\system32\themeui.dll
2014-01-28 02:50 . 2013-07-16 04:35 615936 ----a-w- c:\windows\SysWow64\themeui.dll
2014-01-28 02:49 . 2013-02-12 02:18 19456 ----a-w- c:\windows\system32\drivers\usb8023.sys
2014-01-28 02:49 . 2010-12-17 15:41 731136 ----a-w- c:\windows\system32\mstsc.exe
2014-01-28 02:49 . 2010-12-17 13:54 677888 ----a-w- c:\windows\SysWow64\mstsc.exe
2014-01-28 02:49 . 2009-07-10 11:51 302080 ----a-w- c:\windows\system32\shsvcs.dll
2014-01-28 02:47 . 2013-07-20 10:45 124112 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2014-01-28 02:47 . 2013-07-20 10:44 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2014-01-28 02:47 . 2011-09-30 16:16 893440 ----a-w- c:\program files\Common Files\System\wab32.dll
2014-01-28 02:47 . 2011-09-30 15:57 707584 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2014-01-28 02:47 . 2011-09-30 16:16 50688 ----a-w- c:\program files\Windows Mail\wabimp.dll
2014-01-28 02:47 . 2013-10-03 15:03 389632 ----a-w- c:\windows\system32\gdi32.dll
2014-01-28 02:47 . 2013-10-03 12:46 304128 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-01-28 02:47 . 2012-11-02 10:47 1869824 ----a-w- c:\windows\system32\msxml3.dll
2014-01-28 02:47 . 2012-11-02 10:47 1794560 ----a-w- c:\windows\system32\msxml6.dll
2014-01-28 02:46 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\SysWow64\msxml6.dll
2014-01-28 02:46 . 2012-11-02 10:19 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-01-28 02:46 . 2011-03-12 22:52 1653760 ----a-w- c:\windows\system32\XpsPrint.dll
2014-01-28 02:46 . 2011-03-12 21:55 876032 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2014-01-28 02:46 . 2011-04-14 15:14 97792 ----a-w- c:\windows\system32\drivers\dfsc.sys
2014-01-28 02:46 . 2013-07-08 04:20 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2014-01-28 02:46 . 2013-07-08 04:16 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2014-01-28 02:46 . 2013-07-08 04:16 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2014-01-28 02:46 . 2013-07-08 04:15 218624 ----a-w- c:\windows\system32\wintrust.dll
2014-01-28 02:46 . 2013-07-08 04:12 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2014-01-28 02:46 . 2013-07-08 04:12 132096 ----a-w- c:\windows\system32\cryptnet.dll
2014-01-28 02:46 . 2013-07-04 04:13 633856 ----a-w- c:\windows\system32\comctl32.dll
2014-01-28 02:44 . 2011-03-03 15:59 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2014-01-28 02:44 . 2011-03-03 15:40 28672 ----a-w- c:\windows\SysWow64\Apphlpdm.dll
2014-01-28 02:44 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\SysWow64\GameUXLegacyGDFs.dll
2014-01-28 02:44 . 2011-03-03 14:00 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2014-01-28 02:44 . 2013-07-17 20:01 2048 ----a-w- c:\windows\system32\tzres.dll
2014-01-28 02:44 . 2013-07-17 19:41 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-01-28 02:43 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
2014-01-28 02:43 . 2013-03-08 04:18 451072 ----a-w- c:\windows\system32\winsrv.dll
2014-01-28 02:43 . 2012-11-08 04:26 1570816 ----a-w- c:\windows\system32\quartz.dll
2014-01-28 02:43 . 2012-11-08 03:48 1314816 ----a-w- c:\windows\SysWow64\quartz.dll
2014-01-28 02:42 . 2011-11-18 18:07 76800 ----a-w- c:\windows\system32\packager.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-16 15:59 . 2010-04-21 23:56 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-06 22:20 . 2006-11-02 12:35 86054176 ----a-w- c:\windows\system32\mrt.exe
2013-12-20 01:09 . 2013-12-17 04:36 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-20 01:09 . 2012-01-11 04:16 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:52 121392 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-12 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-09-12 781824]
"BkupTray"="c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"LManager"="c:\progra~2\LAUNCH~1\QtZgAcer.EXE" [2008-06-04 817672]
"Acer Assist Launcher"="c:\program files (x86)\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files (x86)\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2011-01-07 2747744]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start [You must be registered and logged in to see this link.] [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"="rmdir" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 324320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 00:12 1211672 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-17 01:09]
.
2014-01-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-592603330-180509026-2455858920-1000Core.job
- c:\users\Premiere Sound&Light\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 18:08]
.
2014-01-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-592603330-180509026-2455858920-1000UA.job
- c:\users\Premiere Sound&Light\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 18:08]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-17 07:52]
.
2014-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-17 07:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:53 50736 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-11-28 488448]
"eDataSecurity Loader"="c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSloader.exe" [2008-07-30 561200]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 209432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 181784]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"Skytel"="Skytel.exe" [2008-09-18 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1237288]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uLocal Page = c:\windows\system32\blank.htm
mStart Page = [You must be registered and logged in to see this link.]
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Wow6432Node-HKCU-Run-OutfoxTV - c:\program files\OutfoxTV\OutfoxTV\DesktopContainer.exe
Wow6432Node-HKLM-Run- - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
Toolbar-10 - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
  00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-01-29  19:52:58
ComboFix-quarantined-files.txt  2014-01-30 01:52
ComboFix2.txt  2011-01-21 02:21
.
Pre-Run: 72,206,311,424 bytes free
Post-Run: 88,242,249,728 bytes free
.
- - End Of File - - 8DB691E7807D0BCE2A0DAFF1EF4DA038
BB9D3A6A13C5010348DA7C900BB6AF50

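The "Reg Loading Points" section of the ComboFix log above is where the autostart entries live, and it is the part of the log a helper reads first. The following is an added example, not ComboFix's or the forum's code: a small Python triage helper that parses the `"name"="path" [date size]` entries under each registry key, sorts each image path by where on disk it lives (system directory, Program Files, user-writable locations such as ProgramData or AppData, or a bare file name with no directory at all), and decodes REGEDIT4-style `hex(6)` values like the `SymbolicLinkValue` line near the end of the log. The sample input is constructed from entries in the posted log; the `635X8ip4` Run entry is constructed for the example (that file name appears under "Other Deletions" above but never as a Run entry), and the location heuristic is an assumption of this example, not a ComboFix rule.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example, not ComboFix's or the forum's code. It parses the
"name"="path" [date size] entries listed under each registry key, classifies
each image path by where on disk it lives, and decodes REGEDIT4-style hex(6)
(REG_LINK) values such as the SymbolicLinkValue line in the posted log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*'
    r"\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]"
)

# Constructed sample in ComboFix's "Reg Loading Points" layout. The entries are
# copied from the log posted above except "635X8ip4", which is constructed here
# (that file name appears under "Other Deletions" but never as a Run entry).
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-12 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\progra~2\LAUNCH~1\QtZgAcer.EXE" [2008-06-04 817672]
"635X8ip4"="c:\programdata\635X8ip4.exe" [2014-01-26 61440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
  00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
'''


@dataclass
class AutoStart:
    key: str
    name: str
    path: str
    date: str
    size: int
    location: str  # system | program-files | user-writable | unqualified | other


def classify_path(path: str) -> str:
    """Coarse heuristic on where the autostart image lives; a triage hint, not a verdict."""
    p = path.lower()
    if "\\" not in p:
        return "unqualified"  # bare file name, resolved through the search path at logon
    if any(marker in p for marker in ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")):
        return "user-writable"  # no admin rights are needed to drop a file here
    if p.startswith("c:\\windows\\"):
        return "system"
    if p.startswith(("c:\\program files", "c:\\progra~")):
        return "program-files"
    return "other"


def parse_loading_points(text: str) -> list[AutoStart]:
    """Walk the section line by line, remembering the current [HKEY_...] header."""
    entries: list[AutoStart] = []
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append(AutoStart(key, m["name"], m["path"], m["date"],
                                     int(m["size"]), classify_path(m["path"])))
    return entries


def decode_hex_value(text: str, value_name: str) -> str | None:
    """Join a REGEDIT4 hex(...) value with its indented continuation lines and
    decode the bytes as UTF-16LE (REG_LINK and REG_EXPAND_SZ are stored that way)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith(f'"{value_name}"=hex'):
            continue
        chunks = [line]
        for cont in lines[i + 1:]:
            if not cont.startswith(" "):  # continuation lines are indented
                break
            chunks.append(cont)
        joined = "".join(c.strip().rstrip("\\") for c in chunks)
        payload = joined.partition(":")[2]
        raw = bytes(int(tok, 16) for tok in payload.split(",") if tok.strip())
        return raw.decode("utf-16-le", errors="ignore").rstrip("\x00")
    return None


def flagged(entries: list[AutoStart]) -> list[AutoStart]:
    """Entries worth a second look: images in user-writable paths or with no directory."""
    return [e for e in entries if e.location in ("user-writable", "unqualified")]


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE)
    for e in found:
        print(f"{e.location:14} {e.name:12} {e.path}")
    print("review:", [e.name for e in flagged(found)])
    print("SymbolicLinkValue ->", decode_hex_value(SAMPLE, "SymbolicLinkValue"))
```

Run against the sample, the helper flags the constructed `635X8ip4` entry (image in ProgramData) and the Realtek `RtHDVCpl` entry (bare file name, so Windows resolves it through the search path); the second is legitimate vendor software, which is the point of treating the output as a review list rather than a verdict. The `SymbolicLinkValue` bytes decode to `\REGISTRY\MACHINE\SOF`, cut short because ComboFix prints only the first two lines of the value; `HKLM\Software\Wow6432Node\Classes` is a registry link on 64-bit Windows, so a REG_LINK there pointing into `\REGISTRY\MACHINE\SOFTWARE\...` is the expected shape rather than a finding.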

Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by thisdj1 on Thu 30 Jan 2014, 4:28 pm

Windows Defender is now finding this and after following the instructions for removal it remains: Virus:DOS/Rovnix.W


Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by Superdave on Fri 31 Jan 2014, 6:00 am

You say you're trying to uninstall AVG. I noticed that it's disabled. You will need to download and install another AV program from the list below.

Remember to only install one antivirus!

1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Microsoft Security Essentials All versions and all languages.
5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
6) PC Tools AntiVirus Free Edition

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
*********************************************
Please make sure your new AV is installed before doing this next step. It should remove AVG from your computer.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    SecCenter::
    {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

    Rootkit::

    Folder::
    c:\program files (x86)\AVG\AVG10

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

**********************************************
Please run both versions of MBAM again and post the logs.


Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by thisdj1 on Fri 31 Jan 2014, 2:00 pm

OK. I think we're making some good progress here. I did all of the things from the last post and will be posting the logs. AVG was successfully removed and neither MBAM search found anything. All of the issues seem to be fixed other than just a couple. Windows Security Essentials continues to find 2 files that it is labeling as malicious. Upon removing them it states that I need to download Windows Defender Offline and boot to it from a flash drive. I have done that several times; it finds the files offline, I remove them as requested, and upon running another scan they are right back there. WSE is the only program that has found these files. There was no sign of them on any of the other scans we have done. The 2 files that continue to be found are Virus:DOS/Rovnix.W and Virus:Win64/Rovnix.gen!C.

The other thing that I have noticed is that my physical memory is running at about 46% with just one browser open. It appears the majority of that, 391,000k, is an svchost.exe. I looked at the services for the exe in task manager and they all have a PID of 592. There's about a dozen different things running under that process. It just seems to put a drain on the computer.

But all of the other issues have been fixed!

Do you have any ideas for what is left? Here are the logs from tonight as well.

ComboFix 14-01-29.01 - Premiere Sound&Light 01/30/2014 18:25:52.6.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3996.1864 [GMT -6:00]
Running from: c:\users\Premiere Sound&Light\Desktop\ComboFix.exe
Command switches used :: c:\users\Premiere Sound&Light\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\AVG\AVG10
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\ace.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\arabica.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\boost.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\bsdiff.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\bzip.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\carp.html
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\cryptopp.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\curl.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\dazukofs.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\expat.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\imagemagick.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\infozip.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\lua.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\md4_md5_license.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\milter.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\minizip.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\openssl_license.html
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\sasl.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\tinyxml.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\unrar.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\untar.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\xalan_xerces.txt
c:\program files (x86)\AVG\AVG10\3rd_party\licenses\zlib.txt
c:\program files (x86)\AVG\AVG10\3rd_party\readme.txt
c:\program files (x86)\AVG\AVG10\avg.snu
c:\program files (x86)\AVG\AVG10\avg_us.chm
c:\program files (x86)\AVG\AVG10\avg_us.lng
c:\program files (x86)\AVG\AVG10\avgabout.dll
c:\program files (x86)\AVG\AVG10\avgamnot.dll
c:\program files (x86)\AVG\AVG10\avgapia.dll
c:\program files (x86)\AVG\AVG10\avgapix.dll
c:\program files (x86)\AVG\AVG10\avgar_us.chm
c:\program files (x86)\AVG\AVG10\avgatend.stp
c:\program files (x86)\AVG\AVG10\avgatupd.stp
c:\program files (x86)\AVG\AVG10\avgcclia.dll
c:\program files (x86)\AVG\AVG10\avgcclia.dll.old
c:\program files (x86)\AVG\AVG10\avgcclix.dll
c:\program files (x86)\AVG\AVG10\avgcerta.dll
c:\program files (x86)\AVG\AVG10\avgcerta.dll.old
c:\program files (x86)\AVG\AVG10\avgcertx.dll
c:\program files (x86)\AVG\AVG10\avgcfga.dll
c:\program files (x86)\AVG\AVG10\avgcfgex.exe
c:\program files (x86)\AVG\AVG10\avgcfgx.dll
c:\program files (x86)\AVG\AVG10\avgcfgx.dll.old
c:\program files (x86)\AVG\AVG10\avgchcla.dll
c:\program files (x86)\AVG\AVG10\avgchcla.dll.old
c:\program files (x86)\AVG\AVG10\avgchclx.dll
c:\program files (x86)\AVG\AVG10\avgchjwa.dll
c:\program files (x86)\AVG\AVG10\avgchjwa.dll.old
c:\program files (x86)\AVG\AVG10\avgchsva.exe
c:\program files (x86)\AVG\AVG10\avgchsva.exe.old
c:\program files (x86)\AVG\AVG10\avgclita.dll
c:\program files (x86)\AVG\AVG10\avgclita.dll.old
c:\program files (x86)\AVG\AVG10\avgclitx.dll
c:\program files (x86)\AVG\AVG10\avgcmgr.exe
c:\program files (x86)\AVG\AVG10\avgcorea.dll
c:\program files (x86)\AVG\AVG10\avgcorea.dll.old
c:\program files (x86)\AVG\AVG10\avgcorex.dll
c:\program files (x86)\AVG\AVG10\avgcrema.exe
c:\program files (x86)\AVG\AVG10\avgcsla.dll
c:\program files (x86)\AVG\AVG10\avgcslx.dll
c:\program files (x86)\AVG\AVG10\avgcslx.dll.old
c:\program files (x86)\AVG\AVG10\avgcsrva.exe
c:\program files (x86)\AVG\AVG10\avgcsrva.exe.old
c:\program files (x86)\AVG\AVG10\avgcsrvx.exe
c:\program files (x86)\AVG\AVG10\avgdg_us.chm
c:\program files (x86)\AVG\AVG10\avgdiagex.exe
c:\program files (x86)\AVG\AVG10\avgdumpa.exe
c:\program files (x86)\AVG\AVG10\avgdumpx.exe
c:\program files (x86)\AVG\AVG10\avgemca.exe
c:\program files (x86)\AVG\AVG10\avgf_us.chm
c:\program files (x86)\AVG\AVG10\avgfree_us.mht
c:\program files (x86)\AVG\AVG10\avgidp_us.chm
c:\program files (x86)\AVG\AVG10\avgidpsdkx.dll
c:\program files (x86)\AVG\AVG10\avgidpsdkx.dll.old
c:\program files (x86)\AVG\AVG10\avglnga.dll
c:\program files (x86)\AVG\AVG10\avglngx.dll
c:\program files (x86)\AVG\AVG10\avgloga.dll
c:\program files (x86)\AVG\AVG10\avgloga.dll.old
c:\program files (x86)\AVG\AVG10\avglogx.dll
c:\program files (x86)\AVG\AVG10\avglogx.dll.old
c:\program files (x86)\AVG\AVG10\avgls_us.chm
c:\program files (x86)\AVG\AVG10\avglscanx.exe
c:\program files (x86)\AVG\AVG10\avgmfapx.exe
c:\program files (x86)\AVG\AVG10\avgmfapx.exe.old
c:\program files (x86)\AVG\AVG10\avgmfarx.dll
c:\program files (x86)\AVG\AVG10\avgmfarx.dll.old
c:\program files (x86)\AVG\AVG10\avgmtrapx.dll
c:\program files (x86)\AVG\AVG10\avgmvfla.dll
c:\program files (x86)\AVG\AVG10\avgmvflx.dll
c:\program files (x86)\AVG\AVG10\avgmwdef_us.mht
c:\program files (x86)\AVG\AVG10\avgnsa.exe
c:\program files (x86)\AVG\AVG10\avgntdumpa.exe
c:\program files (x86)\AVG\AVG10\avgntdumpx.exe
c:\program files (x86)\AVG\AVG10\avgoutlooka.dll
c:\program files (x86)\AVG\AVG10\avgoutlookx.dll
c:\program files (x86)\AVG\AVG10\avgpostinstx.dll
c:\program files (x86)\AVG\AVG10\avgpp.dll
c:\program files (x86)\AVG\AVG10\avgppa.dll
c:\program files (x86)\AVG\AVG10\avgresf.dll
c:\program files (x86)\AVG\AVG10\avgrkta.dll
c:\program files (x86)\AVG\AVG10\avgrsa.exe
c:\program files (x86)\AVG\AVG10\avgrsa.exe.old
c:\program files (x86)\AVG\AVG10\avgsals_us.mht
c:\program files (x86)\AVG\AVG10\avgsbfree_us.mht
c:\program files (x86)\AVG\AVG10\avgsbga.dll
c:\program files (x86)\AVG\AVG10\avgscana.dll
c:\program files (x86)\AVG\AVG10\avgscana.exe
c:\program files (x86)\AVG\AVG10\avgscanx.dll
c:\program files (x86)\AVG\AVG10\avgscanx.exe
c:\program files (x86)\AVG\AVG10\avgsched.dll
c:\program files (x86)\AVG\AVG10\avgse.dll
c:\program files (x86)\AVG\AVG10\avgsea.dll
c:\program files (x86)\AVG\AVG10\avgsrma.dll
c:\program files (x86)\AVG\AVG10\avgsrmaa.exe
c:\program files (x86)\AVG\AVG10\avgsrmax.exe
c:\program files (x86)\AVG\AVG10\avgsrmx.dll
c:\program files (x86)\AVG\AVG10\avgssie.dll
c:\program files (x86)\AVG\AVG10\avgssiea.dll
c:\program files (x86)\AVG\AVG10\avgtray.exe
c:\program files (x86)\AVG\AVG10\avgtrial_us.mht
c:\program files (x86)\AVG\AVG10\avgui.exe
c:\program files (x86)\AVG\AVG10\avguiadv.dll
c:\program files (x86)\AVG\AVG10\avguires.dll
c:\program files (x86)\AVG\AVG10\avgupd.sig
c:\program files (x86)\AVG\AVG10\avgupdx.dll
c:\program files (x86)\AVG\AVG10\avgvva.dll
c:\program files (x86)\AVG\AVG10\avgvvx.dll
c:\program files (x86)\AVG\AVG10\avgwd.dll
c:\program files (x86)\AVG\AVG10\avgwd.dll.old
c:\program files (x86)\AVG\AVG10\avgwdsvc.exe
c:\program files (x86)\AVG\AVG10\avgwdsvc.exe.old
c:\program files (x86)\AVG\AVG10\avgwdwsc.dll
c:\program files (x86)\AVG\AVG10\avgwdwsc.dll.old
c:\program files (x86)\AVG\AVG10\avgwebui.dll
c:\program files (x86)\AVG\AVG10\avgwsc.exe
c:\program files (x86)\AVG\AVG10\avgxpl.dll
c:\program files (x86)\AVG\AVG10\avgxpla.dll
c:\program files (x86)\AVG\AVG10\axioo.dll
c:\program files (x86)\AVG\AVG10\cf.dat
c:\program files (x86)\AVG\AVG10\Chrome\safesearch.crx
c:\program files (x86)\AVG\AVG10\contacts_us.html
c:\program files (x86)\AVG\AVG10\dfncfg.dat
c:\program files (x86)\AVG\AVG10\Drivers\avgld.cat
c:\program files (x86)\AVG\AVG10\Drivers\avgld.inf
c:\program files (x86)\AVG\AVG10\Drivers\avgldx64.sys
c:\program files (x86)\AVG\AVG10\Drivers\avgldx86.sys
c:\program files (x86)\AVG\AVG10\Drivers\avgmf.cat
c:\program files (x86)\AVG\AVG10\Drivers\avgmf.inf
c:\program files (x86)\AVG\AVG10\Drivers\avgmfx64.sys
c:\program files (x86)\AVG\AVG10\Drivers\avgmfx86.sys
c:\program files (x86)\AVG\AVG10\Drivers\avgrk.cat
c:\program files (x86)\AVG\AVG10\Drivers\avgrk.inf
c:\program files (x86)\AVG\AVG10\Drivers\avgrkx64.sys
c:\program files (x86)\AVG\AVG10\Drivers\avgrkx86.sys
c:\program files (x86)\AVG\AVG10\Drivers\avgtdi.cat
c:\program files (x86)\AVG\AVG10\Drivers\avgtdi.inf
c:\program files (x86)\AVG\AVG10\Drivers\avgtdia.sys
c:\program files (x86)\AVG\AVG10\Drivers\avgtdix.sys
c:\program files (x86)\AVG\AVG10\Drivers\ErHrVx64\AVGIDSEH.cat
c:\program files (x86)\AVG\AVG10\Drivers\ErHrVx64\AVGIDSEH.inf
c:\program files (x86)\AVG\AVG10\Drivers\ErHrVx64\AVGIDSEH.sys
c:\program files (x86)\AVG\AVG10\Drivers\Vista\AVGIDSDriver.cat
c:\program files (x86)\AVG\AVG10\Drivers\Vista\AVGIDSDriver.inf
c:\program files (x86)\AVG\AVG10\Drivers\Vista\AVGIDSDriver.sys
c:\program files (x86)\AVG\AVG10\Drivers\Vista\AVGIDSFilter.cat
c:\program files (x86)\AVG\AVG10\Drivers\Vista\AVGIDSFilter.inf
c:\program files (x86)\AVG\AVG10\Drivers\Vista\AVGIDSFilter.sys
c:\program files (x86)\AVG\AVG10\Firefox\Chrome\searchshield.jar
c:\program files (x86)\AVG\AVG10\Firefox4\chrome.manifest
c:\program files (x86)\AVG\AVG10\Firefox4\Chrome\searchshield.jar
c:\program files (x86)\AVG\AVG10\Firefox4\Components\avgssff4.dll
c:\program files (x86)\AVG\AVG10\Firefox4\Components\ISearchShield4.xpt
c:\program files (x86)\AVG\AVG10\Firefox4\install.rdf
c:\program files (x86)\AVG\AVG10\fixcfg.exe
c:\program files (x86)\AVG\AVG10\HtmLayout.dll
c:\program files (x86)\AVG\AVG10\HtmLayout.dll.old
c:\program files (x86)\AVG\AVG10\Icons\alert_mask.png
c:\program files (x86)\AVG\AVG10\Icons\background_middle_gray.gif
c:\program files (x86)\AVG\AVG10\Icons\background_middle_green.gif
c:\program files (x86)\AVG\AVG10\Icons\background_middle_orange.gif
c:\program files (x86)\AVG\AVG10\Icons\background_middle_red.gif
c:\program files (x86)\AVG\AVG10\Icons\background_middle_yellow.gif
c:\program files (x86)\AVG\AVG10\Icons\background_top_gray.gif
c:\program files (x86)\AVG\AVG10\Icons\background_top_green.gif
c:\program files (x86)\AVG\AVG10\Icons\background_top_orange.gif
c:\program files (x86)\AVG\AVG10\Icons\background_top_red.gif
c:\program files (x86)\AVG\AVG10\Icons\background_top_yellow.gif
c:\program files (x86)\AVG\AVG10\Icons\block-doc.gif
c:\program files (x86)\AVG\AVG10\Icons\blocked.gif
c:\program files (x86)\AVG\AVG10\Icons\blocked12.png
c:\program files (x86)\AVG\AVG10\Icons\border_bottom_gray.gif
c:\program files (x86)\AVG\AVG10\Icons\border_bottom_green.gif
c:\program files (x86)\AVG\AVG10\Icons\border_bottom_orange.gif
c:\program files (x86)\AVG\AVG10\Icons\border_bottom_red.gif
c:\program files (x86)\AVG\AVG10\Icons\border_bottom_yellow.gif
c:\program files (x86)\AVG\AVG10\Icons\border_top_gray.gif
c:\program files (x86)\AVG\AVG10\Icons\border_top_green.gif
c:\program files (x86)\AVG\AVG10\Icons\border_top_orange.gif
c:\program files (x86)\AVG\AVG10\Icons\border_top_red.gif
c:\program files (x86)\AVG\AVG10\Icons\border_top_yellow.gif
c:\program files (x86)\AVG\AVG10\Icons\box_bottom_red.gif
c:\program files (x86)\AVG\AVG10\Icons\box_top_red.gif
c:\program files (x86)\AVG\AVG10\Icons\caution.gif
c:\program files (x86)\AVG\AVG10\Icons\caution12.png
c:\program files (x86)\AVG\AVG10\Icons\click_here_gray.gif
c:\program files (x86)\AVG\AVG10\Icons\click_here_green.gif
c:\program files (x86)\AVG\AVG10\Icons\click_here_orange.gif
c:\program files (x86)\AVG\AVG10\Icons\click_here_red.gif
c:\program files (x86)\AVG\AVG10\Icons\click_here_yellow.gif
c:\program files (x86)\AVG\AVG10\Icons\clock.gif
c:\program files (x86)\AVG\AVG10\Icons\clock12.png
c:\program files (x86)\AVG\AVG10\Icons\close.gif
c:\program files (x86)\AVG\AVG10\Icons\icons_blocked.gif
c:\program files (x86)\AVG\AVG10\Icons\icons_caution.gif
c:\program files (x86)\AVG\AVG10\Icons\icons_close.gif
c:\program files (x86)\AVG\AVG10\Icons\icons_safe.gif
c:\program files (x86)\AVG\AVG10\Icons\icons_unknown.gif
c:\program files (x86)\AVG\AVG10\Icons\icons_warning.gif
c:\program files (x86)\AVG\AVG10\Icons\LS_Logo_Results.gif
c:\program files (x86)\AVG\AVG10\Icons\safe.gif
c:\program files (x86)\AVG\AVG10\Icons\safe12.png
c:\program files (x86)\AVG\AVG10\Icons\unknown.gif
c:\program files (x86)\AVG\AVG10\Icons\vrsn-secured-lsfo.gif
c:\program files (x86)\AVG\AVG10\Icons\warning.gif
c:\program files (x86)\AVG\AVG10\Icons\warning12.png
c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\avgcslex.dll
c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\driver\platform_VISTA\UniversalDD.sys
c:\program files (x86)\AVG\AVG10\imsdk64.dll
c:\program files (x86)\AVG\AVG10\js.dat
c:\program files (x86)\AVG\AVG10\license_us.htm
c:\program files (x86)\AVG\AVG10\mfaus.lns
c:\program files (x86)\AVG\AVG10\mfavera.txt
c:\program files (x86)\AVG\AVG10\mfaverx.txt
c:\program files (x86)\AVG\AVG10\mwbsr_e_free_us.mht
c:\program files (x86)\AVG\AVG10\mwbsr_f_free_us.mht
c:\program files (x86)\AVG\AVG10\PCTuneup\AxBrowsers.dll
c:\program files (x86)\AVG\AVG10\PCTuneup\DiskCleanerHelper.dll
c:\program files (x86)\AVG\AVG10\PCTuneup\DiskDefragHelper.dll
c:\program files (x86)\AVG\AVG10\PCTuneup\helper.dll
c:\program files (x86)\AVG\AVG10\PCTuneup\localizer.dll
c:\program files (x86)\AVG\AVG10\PCTuneup\MicroScanner.exe
c:\program files (x86)\AVG\AVG10\PCTuneup\PerlRegExp.bpl
c:\program files (x86)\AVG\AVG10\PCTuneup\RegistryCleanerHelper.dll
c:\program files (x86)\AVG\AVG10\PCTuneup\RescueCenterHelper.dll
c:\program files (x86)\AVG\AVG10\PCTuneup\rtl120.bpl
c:\program files (x86)\AVG\AVG10\PCTuneup\vcl120.bpl
c:\program files (x86)\AVG\AVG10\ph.dat
c:\program files (x86)\AVG\AVG10\sb.dat
c:\program files (x86)\AVG\AVG10\sb.dat.xcd
c:\program files (x86)\AVG\AVG10\sb2.dat
c:\program files (x86)\AVG\AVG10\sc.dat
c:\program files (x86)\AVG\AVG10\sc.dat.xcd
c:\program files (x86)\AVG\AVG10\SearchProvider.exe
c:\program files (x86)\AVG\AVG10\updatecomps.bak
c:\users\PREMIE~1\AppData\Local\Temp\RtkBtMnt.exe
c:\users\Premiere Sound&Light\AppData\Local\Temp\RtkBtMnt.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-12-28 to 2014-01-31 )))))))))))))))))))))))))))))))
.
.
2014-01-31 00:34 . 2014-01-31 00:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-01-31 00:34 . 2014-01-31 00:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-30 05:44 . 2014-01-30 06:51 -------- d-----w- c:\windows\Microsoft Antimalware
2014-01-30 02:54 . 2013-10-28 05:41 965000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C7BABD61-F8F7-4BAE-BAC2-AFFC395F80D5}\gapaengine.dll
2014-01-30 02:53 . 2013-12-16 07:54 10315576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4199604-979D-4DEE-9ACB-55DE6997C576}\mpengine.dll
2014-01-30 02:47 . 2014-01-30 02:47 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2014-01-30 02:47 . 2014-01-30 02:47 -------- d-----w- c:\program files\Microsoft Security Client
2014-01-30 02:46 . 2010-04-06 08:34 345984 ----a-w- c:\windows\system32\drivers\netio.sys
2014-01-30 00:55 . 2013-12-16 07:54 10315576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4984D58C-B6E5-4FBC-B1E3-D98415F732C2}\mpengine.dll
2014-01-29 23:04 . 2014-01-29 23:04 -------- d-----w- c:\windows\Migration
2014-01-29 04:25 . 2014-01-29 04:25 -------- d-----w- c:\users\Premiere Sound&Light\AppData\Local\Avg2013
2014-01-29 03:06 . 2014-01-29 03:06 -------- d-----w- c:\users\Premiere Sound&Light\AppData\Local\Avg2014
2014-01-29 02:57 . 2014-01-30 02:34 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-29 02:57 . 2014-01-30 02:11 119000 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-01-29 02:56 . 2014-01-29 04:16 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-01-28 05:59 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2014-01-28 05:59 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2014-01-28 05:59 . 2009-07-14 12:19 20480 ----a-w- c:\windows\system32\winusb.dll
2014-01-28 05:59 . 2009-07-14 12:12 16896 ----a-w- c:\windows\SysWow64\winusb.dll
2014-01-28 05:58 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2014-01-28 05:58 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2014-01-28 05:58 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2014-01-28 05:58 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2014-01-28 05:58 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2014-01-28 05:58 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2014-01-28 05:56 . 2013-11-15 01:37 2334720 ----a-w- c:\windows\system32\jscript9.dll
2014-01-28 05:44 . 2009-10-09 21:56 2048 ----a-w- c:\windows\SysWow64\winrsmgr.dll
2014-01-28 05:43 . 2009-08-01 06:27 201184 ----a-w- c:\windows\SysWow64\winrm.vbs
2014-01-28 05:30 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2014-01-28 05:30 . 2012-02-29 15:11 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2014-01-28 05:30 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2014-01-28 05:19 . 2014-01-28 05:21 -------- d-----w- c:\windows\system32\MRT
2014-01-28 05:03 . 2014-01-28 05:03 -------- d-----w- c:\users\Premiere Sound&Light\AppData\Roaming\Oracle
2014-01-28 04:58 . 2014-01-28 04:58 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-01-28 04:56 . 2014-01-28 04:55 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-01-28 03:14 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
2014-01-28 03:14 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
2014-01-28 03:14 . 2011-03-02 16:12 221696 ----a-w- c:\windows\system32\dnsapi.dll
2014-01-28 03:14 . 2011-03-02 16:12 117760 ----a-w- c:\windows\system32\dnsrslvr.dll
2014-01-28 03:14 . 2009-05-04 10:21 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2014-01-28 03:14 . 2009-05-04 09:59 25088 ----a-w- c:\windows\SysWow64\dnscacheugc.exe
2014-01-28 03:14 . 2013-05-02 04:16 686080 ----a-w- c:\windows\system32\win32spl.dll
2014-01-28 03:14 . 2013-05-02 04:04 443904 ----a-w- c:\windows\SysWow64\win32spl.dll
2014-01-28 03:14 . 2013-05-02 04:03 37376 ----a-w- c:\windows\SysWow64\printcom.dll
2014-01-28 03:11 . 2012-09-25 16:31 91648 ----a-w- c:\windows\system32\synceng.dll
2014-01-28 03:11 . 2012-09-25 16:19 75776 ----a-w- c:\windows\SysWow64\synceng.dll
2014-01-28 03:11 . 2011-12-14 16:38 621056 ----a-w- c:\windows\system32\msvcrt.dll
2014-01-28 03:11 . 2011-12-14 16:17 680448 ----a-w- c:\windows\SysWow64\msvcrt.dll
2014-01-28 03:11 . 2013-03-03 19:13 1513320 ----a-w- c:\windows\system32\drivers\ntfs.sys
2014-01-28 03:11 . 2011-02-18 14:18 450560 ----a-w- c:\windows\system32\drivers\srv.sys
2014-01-28 03:07 . 2013-08-01 04:10 901568 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-01-28 03:07 . 2013-08-01 03:37 47104 ----a-w- c:\windows\system32\cdd.dll
2014-01-28 03:07 . 2012-03-01 11:01 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2014-01-28 03:07 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2014-01-28 03:07 . 2013-06-15 13:27 20480 ----a-w- c:\windows\system32\icaapi.dll
2014-01-28 03:07 . 2013-06-15 11:38 29184 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2014-01-28 03:07 . 2013-04-24 02:10 1078272 ----a-w- c:\windows\system32\certutil.exe
2014-01-28 03:07 . 2013-04-24 01:46 812544 ----a-w- c:\windows\SysWow64\certutil.exe
2014-01-28 03:07 . 2013-04-24 04:09 50688 ----a-w- c:\windows\system32\certenc.dll
2014-01-28 03:07 . 2013-04-24 04:00 41984 ----a-w- c:\windows\SysWow64\certenc.dll
2014-01-28 03:06 . 2013-06-01 04:19 619008 ----a-w- c:\windows\system32\qedit.dll
2014-01-28 03:06 . 2013-06-01 04:06 505344 ----a-w- c:\windows\SysWow64\qedit.dll
2014-01-28 03:04 . 2012-09-28 16:34 1210368 ----a-w- c:\windows\system32\kernel32.dll
2014-01-28 03:04 . 2013-04-17 13:04 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2014-01-28 03:04 . 2013-04-17 12:30 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
2014-01-28 03:03 . 2013-07-10 09:42 1303552 ----a-w- c:\windows\system32\rpcrt4.dll
2014-01-28 03:03 . 2013-07-10 09:47 677888 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2014-01-28 03:01 . 2011-06-15 16:16 180736 ----a-w- c:\windows\system32\xmllite.dll
2014-01-28 03:01 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2014-01-28 03:01 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2014-01-28 03:01 . 2011-11-16 16:43 442368 ----a-w- c:\windows\system32\winhttp.dll
2014-01-28 03:01 . 2011-11-16 16:23 377344 ----a-w- c:\windows\SysWow64\winhttp.dll
2014-01-28 03:01 . 2011-10-14 17:31 211968 ----a-w- c:\windows\system32\winmm.dll
2014-01-28 03:01 . 2011-10-14 17:27 48128 ----a-w- c:\windows\system32\mcicda.dll
2014-01-28 03:01 . 2011-10-14 17:27 28672 ----a-w- c:\windows\system32\mciwave.dll
2014-01-28 03:01 . 2011-10-14 17:27 28160 ----a-w- c:\windows\system32\mciseq.dll
2014-01-28 03:01 . 2011-10-14 16:03 189952 ----a-w- c:\windows\SysWow64\winmm.dll
2014-01-28 03:01 . 2011-10-14 16:00 23552 ----a-w- c:\windows\SysWow64\mciseq.dll
2014-01-28 03:00 . 2013-10-03 15:02 1278976 ----a-w- c:\windows\system32\crypt32.dll
2014-01-28 03:00 . 2013-10-03 12:45 993792 ----a-w- c:\windows\SysWow64\crypt32.dll
2014-01-28 03:00 . 2011-07-06 15:49 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2014-01-28 03:00 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2014-01-28 03:00 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2014-01-28 02:58 . 2013-07-03 02:22 31616 ----a-w- c:\windows\system32\drivers\hidparse.sys
2014-01-28 02:58 . 2012-08-21 11:50 267648 ----a-w- c:\windows\system32\drivers\volsnap.sys
2014-01-28 02:56 . 2013-07-05 03:58 1417664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-01-28 02:56 . 2013-07-05 02:15 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2014-01-28 02:50 . 2011-02-24 16:38 991104 ----a-w- c:\windows\system32\winresume.efi
2014-01-28 02:50 . 2011-02-24 16:38 979840 ----a-w- c:\windows\system32\winresume.exe
2014-01-28 02:50 . 2011-02-24 16:37 1076608 ----a-w- c:\windows\system32\winload.efi
2014-01-28 02:50 . 2011-02-24 16:37 1063296 ----a-w- c:\windows\system32\winload.exe
2014-01-28 02:50 . 2011-02-24 16:37 20864 ----a-w- c:\windows\system32\kdusb.dll
2014-01-28 02:50 . 2011-02-24 16:37 18816 ----a-w- c:\windows\system32\kd1394.dll
2014-01-28 02:50 . 2011-02-24 16:37 17792 ----a-w- c:\windows\system32\kdcom.dll
2014-01-28 02:50 . 2013-07-16 09:25 689152 ----a-w- c:\windows\system32\themeui.dll
2014-01-28 02:50 . 2013-07-16 04:35 615936 ----a-w- c:\windows\SysWow64\themeui.dll
2014-01-28 02:49 . 2013-02-12 02:18 19456 ----a-w- c:\windows\system32\drivers\usb8023.sys
2014-01-28 02:49 . 2010-12-17 15:41 731136 ----a-w- c:\windows\system32\mstsc.exe
2014-01-28 02:49 . 2010-12-17 13:54 677888 ----a-w- c:\windows\SysWow64\mstsc.exe
2014-01-28 02:49 . 2009-07-10 11:51 302080 ----a-w- c:\windows\system32\shsvcs.dll
2014-01-28 02:47 . 2013-07-20 10:45 124112 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2014-01-28 02:47 . 2013-07-20 10:44 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2014-01-28 02:47 . 2011-09-30 16:16 893440 ----a-w- c:\program files\Common Files\System\wab32.dll
2014-01-28 02:47 . 2011-09-30 15:57 707584 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2014-01-28 02:47 . 2011-09-30 16:16 50688 ----a-w- c:\program files\Windows Mail\wabimp.dll
2014-01-28 02:47 . 2013-10-03 15:03 389632 ----a-w- c:\windows\system32\gdi32.dll
2014-01-28 02:47 . 2013-10-03 12:46 304128 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-01-28 02:47 . 2012-11-02 10:47 1869824 ----a-w- c:\windows\system32\msxml3.dll
2014-01-28 02:47 . 2012-11-02 10:47 1794560 ----a-w- c:\windows\system32\msxml6.dll
2014-01-28 02:46 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\SysWow64\msxml6.dll
2014-01-28 02:46 . 2012-11-02 10:19 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-01-28 02:46 . 2011-03-12 22:52 1653760 ----a-w- c:\windows\system32\XpsPrint.dll
2014-01-28 02:46 . 2011-03-12 21:55 876032 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2014-01-28 02:46 . 2011-04-14 15:14 97792 ----a-w- c:\windows\system32\drivers\dfsc.sys
2014-01-28 02:46 . 2013-07-08 04:20 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2014-01-28 02:46 . 2013-07-08 04:16 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2014-01-28 02:46 . 2013-07-08 04:16 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2014-01-28 02:46 . 2013-07-08 04:15 218624 ----a-w- c:\windows\system32\wintrust.dll
2014-01-28 02:46 . 2013-07-08 04:12 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2014-01-28 02:46 . 2013-07-08 04:12 132096 ----a-w- c:\windows\system32\cryptnet.dll
2014-01-28 02:46 . 2013-07-04 04:13 633856 ----a-w- c:\windows\system32\comctl32.dll
2014-01-28 02:44 . 2011-03-03 15:59 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2014-01-28 02:44 . 2011-03-03 15:40 28672 ----a-w- c:\windows\SysWow64\Apphlpdm.dll
2014-01-28 02:44 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\SysWow64\GameUXLegacyGDFs.dll
2014-01-28 02:44 . 2011-03-03 14:00 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-16 15:59 . 2010-04-21 23:56 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-06 22:20 . 2006-11-02 12:35 86054176 ----a-w- c:\windows\system32\mrt.exe
2013-12-20 01:09 . 2013-12-17 04:36 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-20 01:09 . 2012-01-11 04:16 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:52 121392 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-12 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-09-12 781824]
"BkupTray"="c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"LManager"="c:\progra~2\LAUNCH~1\QtZgAcer.EXE" [2008-06-04 817672]
"Acer Assist Launcher"="c:\program files (x86)\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files (x86)\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start [You must be registered and logged in to see this link.] [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"="rmdir" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 324320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 00:12 1211672 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-17 01:09]
.
2014-01-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-592603330-180509026-2455858920-1000Core.job
- c:\users\Premiere Sound&Light\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 18:08]
.
2014-01-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-592603330-180509026-2455858920-1000UA.job
- c:\users\Premiere Sound&Light\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-26 18:08]
.
2014-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-17 07:52]
.
2014-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-17 07:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:53 50736 ----a-w- c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-11-28 488448]
"eDataSecurity Loader"="c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x64\eDSloader.exe" [2008-07-30 561200]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 209432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 181784]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"Skytel"="Skytel.exe" [2008-09-18 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1237288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 1266912]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uLocal Page = c:\windows\system32\blank.htm
mStart Page = [You must be registered and logged in to see this link.]
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Wow6432Node-HKLM-Run- - (no file)
Wow6432Node-HKLM-Run-AVG_TRAY - c:\program files (x86)\AVG\AVG10\avgtray.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
c:\program files (x86)\Cyberlink\Shared files\RichVideo.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Launch Manager\QtZgAcer.EXE
c:\program files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSMSNLoader32.exe
.
**************************************************************************
.
Completion time: 2014-01-30 18:44:41 - machine was rebooted
ComboFix-quarantined-files.txt 2014-01-31 00:44
ComboFix2.txt 2014-01-30 01:52
ComboFix3.txt 2011-01-21 02:21
.
Pre-Run: 87,507,361,792 bytes free
Post-Run: 87,795,212,288 bytes free
.
- - End Of File - - A66D834F1463E5C48278D41ABB97D8D7
BB9D3A6A13C5010348DA7C900BB6AF50


Malwarebytes Anti-Malware 1.75.0.1300

Database version: v2014.01.26.05

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Premiere Sound&Light :: PREMIERESOUN-PC [administrator]

1/30/2014 7:02:10 PM
mbam-log-2014-01-30 (19-02-10).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 433144
Time elapsed: 1 hour(s), 9 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Malwarebytes Anti-Rootkit BETA 1.07.0.1009

Database version: v2013.10.02.12

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Premiere Sound&Light :: PREMIERESOUN-PC [administrator]

1/30/2014 8:13:12 PM
mbar-log-2014-01-30 (20-13-12).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 230582
Time elapsed: 13 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

thisdj1

Rookie Surfer

Posts : 56
Joined : 2009-01-10
Operating System : Windows XP

Re: dllhost.exe *32 COM Surrogate and Windows Update

Post by Superdave on Sat 01 Feb 2014, 6:11 am

It appears the majority of that, 391,000k, is an svchost.exe. I looked at the services for the exe in task manager and they all have a PID of 592. There's about a dozen different things running under that process. It just seems to put a drain on the computer.
You can end each of those processes one at a time and see what happens. I did some more checking about those viruses and this (Win64/Rovnix.gen!C) is what I found. If you use your computer for financial or other personal business you may want to consider wiping your hard drive and doing a fresh installation. That is the only way your computer will be considered safe again.
According to this MS site, MSE is supposed to clean this infection. I have no idea why it's not doing it but you can always check out the link to the Microsoft virus and malware community for more insight.

Superdave

Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3
