How to remove thodjovc.exe?

Page 2 of 2 FirstFirst 12

  1. Posts : 10
    Windows 7 Home Premium 64bit.
    Thread Starter
       #11

    Hi Corrine,

    Thanks a ton again, following is the log

    NOTE:- My McAfee had expired and I did not find any option to disable it, so I uninstalled it.
    Also, I am in the UK timezone, so kindly accept the delay in my next response.
    ==========================
    ComboFix 12-06-05.03 - lifeRockss 06/06/2012 0:54.3.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2980.1399 [GMT 1:00]
    Running from: c:\users\lifeRockss\Desktop\ComboFix.exe
    Command switches used :: c:\users\lifeRockss\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\lifeRockss\AppData\Local\lewqylml
    c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-06 to 2012-06-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-06 00:04 . 2012-06-06 00:04 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-05 21:19 . 2012-05-08 09:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E2507CD2-0679-40D2-BB42-53BC5CFFC495}\mpengine.dll
    2012-06-04 12:31 . 2012-06-05 20:32 -------- d-----w- c:\programdata\boost_interprocess
    2012-06-04 12:30 . 2012-06-04 12:30 -------- d-----w- c:\users\Guest
    2012-06-04 09:23 . 2012-05-08 09:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-06-03 22:36 . 2012-06-03 22:36 -------- d-----w- c:\users\lifeRockss\AppData\Roaming\Malwarebytes
    2012-06-03 22:33 . 2012-06-03 22:33 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-03 22:33 . 2012-06-03 22:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-06-03 22:33 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-03 08:49 . 2012-06-03 08:49 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{78FD9AC8-32CE-4832-BCAB-63B78579596C}\gapaengine.dll
    2012-06-03 08:48 . 2012-06-03 08:48 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-06-03 08:48 . 2012-06-03 08:48 -------- d-----w- c:\program files\Microsoft Security Client
    2012-06-03 07:34 . 2012-06-03 07:34 -------- d-----w- c:\program files (x86)\ERUNT
    2012-06-02 22:03 . 2012-06-03 07:18 -------- d-----w- C:\s&d
    2012-06-02 21:55 . 2012-06-04 19:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-02 21:55 . 2012-06-02 21:55 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2012-06-02 20:07 . 2012-06-02 20:07 -------- d-----w- C:\Sharekhan
    2012-06-02 15:42 . 2012-06-02 15:42 -------- d-----w- c:\users\lifeRockss\AppData\Roaming\Macrovision
    2012-06-02 15:41 . 2012-06-02 15:41 -------- d-----w- c:\users\lifeRockss\AppData\Roaming\Roxio Burn
    2012-05-29 17:49 . 2012-05-29 17:49 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2012-05-27 14:25 . 2012-05-27 14:25 -------- d-----w- c:\users\lifeRockss\AppData\Local\blekkotb
    2012-05-27 13:30 . 2012-05-27 13:30 -------- d-----w- c:\users\lifeRockss\AppData\Roaming\Roxio Log Files
    2012-05-15 02:00 . 2012-05-15 02:00 -------- d-----w- c:\program files\Microsoft Silverlight
    2012-05-15 02:00 . 2012-05-15 02:00 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
    2012-05-14 18:25 . 2012-05-14 18:25 -------- d-----w- c:\programdata\InstallShield
    2012-05-14 18:25 . 2012-05-14 18:25 -------- d-----w- c:\program files (x86)\NOW
    2012-05-14 18:25 . 2004-04-16 10:24 61440 ----a-w- c:\windows\SysWow64\ISUSPM.cpl
    2012-05-14 18:25 . 2004-04-17 11:40 385024 ----a-w- c:\program files (x86)\Common Files\InstallShield\UpdateService\_ispmres.dll
    2012-05-14 18:25 . 2004-04-17 11:41 196608 ----a-w- c:\program files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
    2012-05-14 18:25 . 2004-04-13 05:07 69632 ----a-w- c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe
    2012-05-14 18:25 . 2004-04-13 05:06 368640 ----a-w- c:\program files (x86)\Common Files\InstallShield\UpdateService\_isusres.dll
    2012-05-14 18:25 . 2004-04-23 18:03 446464 ----a-w- c:\program files (x86)\Common Files\InstallShield\UpdateService\agent.exe
    2012-05-14 18:25 . 2004-04-13 05:03 204800 ----a-w- c:\program files (x86)\Common Files\InstallShield\UpdateService\ISDM.exe
    2012-05-14 18:23 . 2004-04-18 22:40 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
    2012-05-14 18:23 . 2004-04-18 22:39 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
    2012-05-14 18:23 . 2004-04-18 22:39 172032 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
    2012-05-14 18:23 . 2004-04-18 22:42 733184 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
    2012-05-14 18:23 . 2004-04-18 22:39 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
    2012-05-14 18:23 . 2012-05-14 18:23 303236 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll
    2012-05-14 18:23 . 2012-05-14 18:23 180356 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
    2012-05-11 17:02 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-05-11 17:02 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
    2012-05-11 17:02 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-11 17:02 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
    2012-05-11 17:02 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
    2012-05-11 17:02 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
    2012-05-11 17:02 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-11 17:02 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-05-11 17:02 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-11 17:02 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
    2012-05-11 17:02 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-05-11 17:02 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-05-11 17:01 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-24 11:48 . 2011-11-04 11:58 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-18 16:12 . 2012-04-18 16:12 0 ----a-w- c:\windows\SysWow64\shoFA1E.tmp
    2012-03-20 19:44 . 2012-03-20 19:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
    2012-03-20 19:44 . 2012-03-20 19:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-04_02.11.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-06-05 20:32 . 2012-06-05 20:32 13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    - 2012-06-04 00:46 . 2012-06-04 00:46 13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    + 2010-11-21 03:09 . 2012-06-05 20:36 53944 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-06-05 20:36 44124 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-12-02 15:21 . 2012-06-05 20:36 15416 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3553815003-590717795-807720870-1000_UserData.bin
    + 2009-07-14 05:30 . 2012-06-05 20:31 86016 c:\windows\system32\DriverStore\infpub.dat
    - 2009-07-14 05:30 . 2012-04-10 15:05 86016 c:\windows\system32\DriverStore\infpub.dat
    + 2011-12-02 15:23 . 2012-06-05 19:19 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-12-02 15:23 . 2012-06-04 00:53 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-12-02 15:23 . 2012-06-05 19:19 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-12-02 15:23 . 2012-06-04 00:53 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-06-05 19:19 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-06-04 00:53 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:46 . 2012-06-05 20:41 97232 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2012-06-04 00:52 . 2012-06-04 00:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-06-05 20:33 . 2012-06-05 20:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-06-04 00:52 . 2012-06-04 00:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-06-05 20:33 . 2012-06-05 20:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-06-04 23:00 . 2012-06-04 23:00 4286 c:\windows\Installer\{3EEF7896-1F47-4FB4-92A2-8F7AEBD4B239}\_DC2BE438A759D5BF5B2514.exe
    + 2012-06-04 23:00 . 2012-06-04 23:00 4286 c:\windows\Installer\{3EEF7896-1F47-4FB4-92A2-8F7AEBD4B239}\_853F67D554F05449430E7E.exe
    + 2012-06-04 23:00 . 2012-06-04 23:00 4286 c:\windows\Installer\{3EEF7896-1F47-4FB4-92A2-8F7AEBD4B239}\_360D766D8A6E068CBDFF8D.exe
    + 2012-06-04 23:00 . 2012-06-04 23:00 4062 c:\windows\Installer\{3EEF7896-1F47-4FB4-92A2-8F7AEBD4B239}\_2B361F48AB373E9E088EB4.exe
    + 2011-12-03 22:23 . 2012-06-05 17:09 253024 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-07-14 04:45 . 2012-06-04 23:02 469968 c:\windows\system32\FNTCACHE.DAT
    - 2009-07-14 05:30 . 2012-04-10 15:05 143360 c:\windows\system32\DriverStore\infstrng.dat
    + 2009-07-14 05:30 . 2012-06-05 20:31 143360 c:\windows\system32\DriverStore\infstrng.dat
    - 2009-07-14 05:30 . 2011-11-04 13:10 143360 c:\windows\system32\DriverStore\infstor.dat
    + 2009-07-14 05:30 . 2012-06-05 20:31 143360 c:\windows\system32\DriverStore\infstor.dat
    + 2012-05-07 10:54 . 2012-06-05 20:32 755208 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2009-07-14 05:01 . 2012-06-05 20:32 429860 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 02:36 . 2012-06-05 23:59 2827688 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-06-05 23:59 1225090 c:\windows\system32\perfc009.dat
    + 2009-07-14 04:45 . 2012-06-05 08:20 7298510 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2009-07-14 04:45 . 2012-05-12 02:44 7298510 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2011-12-05 14:11 . 2012-06-04 00:31 1874688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3553815003-590717795-807720870-1000-12288.dat
    + 2011-12-05 14:11 . 2012-06-04 19:03 1874688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3553815003-590717795-807720870-1000-12288.dat
    + 2009-07-14 02:34 . 2012-06-05 00:04 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
    - 2009-07-14 02:34 . 2012-05-12 02:38 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2011-12-02 15:35 . 2012-06-05 00:03 26238372 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3553815003-590717795-807720870-1000-8192.dat
    + 2012-06-02 20:05 . 2012-06-02 20:05 21954560 c:\windows\Installer\bfe699.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-20 880496]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-05-03 17355912]
    "SpybotSD TeaTimer"="c:\s&d\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2011-04-13 503942]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-01-12 283160]
    "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
    "NeroLauncher"="c:\program files (x86)\Nero\SyncUP\NeroLauncher.exe" [2012-02-06 66872]
    "Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
    "AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2011-04-29 885760]
    "oc4j"="c:\obiee\oc4j_bi\bin\oc4j.cmd" [2011-12-03 4983]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
    .
    c:\users\lifeRockss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-27 116648]
    R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-05-03 158856]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-27 116648]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-26 129976]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 Oracle BI Cluster Controller;Oracle BI Cluster Controller;c:\obiee\server\Bin\NQSClusterController.exe [2011-07-28 33792]
    R3 Oracle BI Scheduler;Oracle BI Scheduler;c:\obiee\server\Bin\NQScheduler.exe [2011-07-28 122880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-01-12 13336]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
    S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
    S2 Oracle BI Server;Oracle BI Server;c:\obiee\server\Bin\NQSServer.exe [2011-07-28 49152]
    S2 sawjavahostsvc;Oracle BI Java Host;c:\obiee\web\bin\sawjavahostsvc.exe [2011-07-28 94208]
    S2 sawsvc;Oracle BI Presentation Server;c:\obiee\web\bin\sawserver.exe [2011-07-28 86016]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-07-08 1692480]
    S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2011-12-02 2923392]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-27 14:46]
    .
    2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-27 14:46]
    .
    2012-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3553815003-590717795-807720870-1000Core.job
    - c:\users\lifeRockss\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 15:05]
    .
    2012-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3553815003-590717795-807720870-1000UA.job
    - c:\users\lifeRockss\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-10 15:05]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-30 167960]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-30 391704]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-30 418840]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-03-29 608112]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-05-27 1128448]
    "Stage Remote"="c:\program files (x86)\Dell\Stage Remote\StageRemote.exe" [2011-06-28 2022976]
    "DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-04-29 2055016]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\lifeRockss\AppData\Roaming\Mozilla\Firefox\Profiles\ns61vjua.default\
    FF - prefs.js: browser.search.selectedEngine - Blekko
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://blekko.com/?source=c3348dd4&tbp=url&toolbarid=blekkotb&u=___userid___&q=
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: security.csp.enable - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-06-06 01:21:37
    ComboFix-quarantined-files.txt 2012-06-06 00:21
    ComboFix2.txt 2012-06-05 21:13
    ComboFix3.txt 2012-06-04 02:51
    .
    Pre-Run: 125,849,993,216 bytes free
    Post-Run: 125,794,697,216 bytes free
    .
    - - End Of File - - 8A0B785BB88D0D91FA1FBA74F6908088
    Last edited by liferockss; 05 Jun 2012 at 19:26.
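As an added example (not code from the thread, from ComboFix, or from its author), the following Python script parses the "Files Created" and "Reg Loading Points" sections of a ComboFix log in the layout shown in the post above and flags, for triage, autorun entries and newly created executables that live in user-writable profile or temp directories, or that launch a script instead of a compiled binary. The embedded log is a constructed sample modelled on the thread's log; the thodjovc.exe lines combine the deleted folder name (lewqylml) with the file named in the thread title and are illustrative, not copied from the log, and the flagging rules are heuristics of my own, not ComboFix's.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's log layout, modelled on the thread's log.
# The thodjovc.exe lines are illustrative (deleted folder + file from the
# thread title), not copied from the real log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-05-06 to 2012-06-06 )))))))))))))))))))))))))))))))
.
2012-06-03 22:33 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-27 14:25 . 2012-05-27 14:25 -------- d-----w- c:\users\lifeRockss\AppData\Local\blekkotb
2012-05-20 11:02 . 2012-05-20 11:02 53248 ----a-w- c:\users\lifeRockss\AppData\Local\lewqylml\thodjovc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-20 880496]
"lewqylml"="c:\users\lifeRockss\AppData\Local\lewqylml\thodjovc.exe" [2012-05-20 53248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"oc4j"="c:\obiee\oc4j_bi\bin\oc4j.cmd" [2011-12-03 4983]
.
"""

# Section banners look like "((((( Name )))))"; Run keys end in "\Run".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.*?)\s*\)+$")
RUN_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')
# "created . modified size attrs path"; size is digits or "--------" for dirs.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Heuristic markers (assumptions of this example): locations any user can
# write to, and extensions that execute code.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cmd", ".bat", ".vbs", ".js", ".ps1")
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".ps1")


@dataclass
class Finding:
    section: str  # "Files Created" or the registry Run key
    item: str     # value name or created file name
    path: str
    reason: str


def path_reasons(path):
    """Return the heuristic reasons a launch path deserves a closer look."""
    p = path.lower()
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("lives in a user-writable profile or temp directory")
    if p.endswith(SCRIPT_EXT):
        reasons.append("launches a script rather than a compiled binary")
    return reasons


def triage(log_text):
    """Walk a ComboFix log and collect Findings from the two sections."""
    findings = []
    section = None
    run_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, run_key = m.group("name"), None
            continue
        if section is None:
            continue
        if section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            # Skip directories (attrs start with "d") and non-executable files.
            if m and not m.group("attrs").startswith("d") and m.group("path").lower().endswith(EXEC_EXT):
                path = m.group("path")
                for reason in path_reasons(path):
                    findings.append(Finding("Files Created", path.rsplit("\\", 1)[-1], path, reason))
        elif section.startswith("Reg Loading Points"):
            if line.startswith("["):  # a new registry key; only Run keys are tracked
                m = RUN_KEY_RE.match(line)
                run_key = m.group("key") if m else None
                continue
            m = RUN_ENTRY_RE.match(line)
            if m and run_key:
                for reason in path_reasons(m.group("path")):
                    findings.append(Finding(run_key, m.group("name"), m.group("path"), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.item} -> {f.path}: {f.reason}")
```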


  2. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #12

    Hi, liferockss.

    Most likely the source of infection had nothing to do with the outdated Adobe software but more likely it was either the expired McAfee or uTorrent downloads.

    I meant to ask you before but forgot -- why did you rename ComboFix?

    The script is shown as having run from c:\users\lifeRockss\Desktop\cleanup adware\CFScript.txt but no changes were made. In checking the code, there was an extra space that didn't belong. That may have been the reason. Sorry, it was probably carried over in copy/pasting the files for removal.

    Please copy the edited script from here to your desktop (not in the cleanup folder) and run it again.


  3. Posts : 10
    Windows 7 Home Premium 64bit.
    Thread Starter
       #13

    Hi Corrine,

    I have updated my previous reply with latest logs.

    The reason I renamed ComboFix is that yesterday it was either getting deleted while downloading or was not executing. I guess the malware was still active, so I tried to run it by renaming it, and it worked.

    Today I downloaded it again into desktop\folder, but it was giving the warning "Do not run ComboFix in compatible mode" ..... so I ran yesterday's file on the desktop.

    Is there a difference if the file is on the desktop versus in a folder?

    Cheers


  4. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #14

    Thanks for the explanation, liferockss. That run took care of the file I was concerned about. It must have been the strange space that turned up that caused the problem.

    Please do the following to implement cleanup procedures and also to reset System Restore points:

    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall

    Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.

    To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector or, alternatively, visit Free Online Computer Scan - Online Software Inspector (OSI) - Secunia. The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
    • Detects insecure versions of applications installed
    • Verifies that all Microsoft patches are applied
    • Assists you in updating your system and applications
    You may want to install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: SpywareBlaster® Download

    My favorite security software is WinPatrol which includes the features described at WinPatrol Features. If you have questions about WinPatrol, we have a forum at LzD: WinPatrol Help & Information.

    Please let us know if you have any questions.


  5. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #15

    One more thing, liferockss, Jacee suggested that it is advisable to uninstall Google and all extensions/apps, then re-install them.


  6. Posts : 10
    Windows 7 Home Premium 64bit.
    Thread Starter
       #16

    Thanks Corrine and Jacee, I have done all of the above and will surely donate to ComboFix.

    Thanks a ton for your help; it was a unique experience for me.

    Cheers


  7. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #17

    You're welcome. I'm glad all is well now.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.