C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL

  • mad_a_22
  • Beginner
  • Posts: 37

Post 3+ Months Ago

Good day all... I have a problem with my computer. Every time I restart, there is this error: "Error Loading C:\Users\pcusers\AppData\Local\Temp\instal~1.DLL. The specified module could not be found."

I ran Spybot, Malwarebytes and ComboFix, but nothing can get rid of it.
I need your help, because when I restart, sometimes it just restarts by itself, dumping something, if I can't close that pop-up.
Here is the HJT log. Please find the error. :(


Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:47 AM, on 8/9/2012
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\SAMSUNG\Kies\KiesTrayAgent.exe
C:\Program Files\SAMSUNG\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files\SAMSUNG\Kies\Kies.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Users\pcuser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\pcuser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/etype/{15552144-9A28-4A41-9D1D-0520A91D107E}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
O4 - HKCU\..\Run: [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
O4 - HKCU\..\Run: [KiesPDLR] C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
O4 - HKCU\..\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe /preload
O4 - HKCU\..\RunOnce: [!SearchquCRHP] C:\Windows\system32\RUNDLL32.EXE C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL,_SetChromeHP http://www.searchnu.com/406,
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8923 bytes

  • Zealous
  • Guru
  • Posts: 1244
  • Loc: Sydney

Post 3+ Months Ago

Read over this, it may help.

http://support.microsoft.com/kb/929135
  • mad_a_22
  • Beginner
  • Posts: 37

Post 3+ Months Ago

Zealous wrote:
Read over this, it may help.

http://support.microsoft.com/kb/929135

This doesn't seem to work for me. I tried to uncheck them all, but there are three that I can't uncheck; they get checked again automatically once I hit the Apply button.

I have read other posts, but they don't have the solution. I think this is the cause, which I can't fix because it reappears on its own.

Quote:
O4 - HKCU\..\RunOnce: [!SearchquCRHP] C:\Windows\system32\RUNDLL32.EXE C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL,_SetChromeHP http://www.searchnu.com/406,


Any other ideas on how to eliminate this?
  • Zealous
  • Guru
  • Posts: 1244
  • Loc: Sydney

Post 3+ Months Ago

Can you delete it in safe mode? Or boot up a Linux stick or DVD and delete it using Linux :P

I would also check your hosts file to see if it has been changed by that site. Also, do you have Spybot Search and Destroy? It is great for this kind of thing. Update first, then immunize, and then scan and fix. Run that 2-3 times a month. It will save you from a lot of hassle if you immunize/block the spyware and then clean up.
  • mad_a_22
  • Beginner
  • Posts: 37

Post 3+ Months Ago

Zealous wrote:
Can you delete it in safe mode? Or boot up a Linux stick or DVD and delete it using Linux :P

I would also check your hosts file to see if it has been changed by that site. Also, do you have Spybot Search and Destroy? It is great for this kind of thing. Update first, then immunize, and then scan and fix. Run that 2-3 times a month. It will save you from a lot of hassle if you immunize/block the spyware and then clean up.


Sorry for the late reply.
I tried to delete it in safe mode and ran Spybot in safe mode, but it still appears during startup. :cry:
  • mad_a_22
  • Beginner
  • Posts: 37

Post 3+ Months Ago

I made a temporary solution: I went into regedit and put 0 in its value data, and now it doesn't appear anymore.

If anyone has a solution to delete it, please show me how.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

O4 - HKCU\..\RunOnce: [!SearchquCRHP] C:\Windows\system32\RUNDLL32.EXE C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL,_SetChromeHP http://www.searchnu.com/406, was indeed your problem. It was in a temporary directory and the file no longer exists but the registry setting to look for it did. Setting the registry value to 0 works, but you can also delete the registry key itself.

Most viruses / trojans "hide" in temp directories. If you clear out the files in temp directories, it removes the risk of the trojan, etc. running, but it doesn't remove the registry settings. That's what's happening in your case.
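The pattern ATNO/TW describes, a RunOnce value that hands rundll32 a DLL under the user's Temp folder, can be picked out of a HijackThis log automatically. The following is an added example, not code from this thread or from HijackThis: it parses O4 lines and flags the traits a defender would look at (RunOnce key, "!" deferred-delete prefix, rundll32 loader, Temp-folder image, URL argument). The flag names and heuristics are my own; the three sample lines are copied from the log posted above.

```python
"""Flag suspicious autorun entries in HijackThis 'O4' log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# HJT O4 line shape: "O4 - <hive>\..\<Run|RunOnce|...>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The image path is either quoted, or unquoted and cut at the first executable-style
# extension (unquoted paths containing spaces are common in these logs).
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|com|scr|bat|cmd|dll)))(?:\s+(?P<args>.*))?$', re.I)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)

@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    exe: str
    args: str
    dll: Optional[str] = None      # filled in when the image is rundll32.exe
    export: Optional[str] = None   # DLL entry point handed to rundll32
    flags: List[str] = field(default_factory=list)

def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one O4 line; returns None for lines that are not O4 autorun entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = EXE_RE.match(m["cmd"].strip())
    if not e:
        return None
    exe = e["q"] or e["u"]
    args = (e["args"] or "").strip()
    entry = AutorunEntry(m["hive"], m["key"], m["name"], exe, args)
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and args:
        # rundll32 syntax: <dll>,<entrypoint> [arguments]
        dll_part, _, rest = args.partition(",")
        entry.dll = dll_part.strip('"')
        entry.export = rest.split(None, 1)[0] if rest.strip() else None
    return entry

def assess(entry: AutorunEntry) -> List[str]:
    """Return heuristic flags for one entry; an empty list means nothing stood out."""
    flags: List[str] = []
    if entry.key.lower() == "runonce":
        flags.append("runonce-key")           # a one-shot entry that keeps returning is a persistence sign
        if entry.name.startswith("!"):
            flags.append("deferred-delete")   # '!' prefix: Windows keeps the value until the command completes
        if entry.name.startswith("*"):
            flags.append("safe-mode-forced")  # '*' prefix: the entry also runs when booted into Safe Mode
    if entry.dll is not None:
        flags.append("rundll32-loader")       # the real code lives in a DLL, not in the listed executable
    if any(TEMP_RE.search(p) for p in (entry.exe, entry.dll or "")):
        flags.append("temp-directory")        # autorun image sits under a Temp folder
    if re.search(r"https?://", entry.args, re.I):
        flags.append("url-argument")          # a URL handed to the loader: home-page / search hijack pattern
    entry.flags = flags
    return flags

def scan(lines) -> List[Tuple[str, List[str]]]:
    """Parse every O4 line and return (value name, flags) for entries that raised any flag."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None and assess(entry):
            hits.append((entry.name, entry.flags))
    return hits

# Constructed sample: three O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - HKCU\..\RunOnce: [!SearchquCRHP] C:\Windows\system32\RUNDLL32.EXE "
    r"C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL,_SetChromeHP http://www.searchnu.com/406,",
]

if __name__ == "__main__":
    for name, flags in scan(SAMPLE_O4_LINES):
        print(f"[{name}] {', '.join(flags)}")
```

Only the SearchquCRHP entry is reported; the two benign Run entries produce no flags.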
  • mad_a_22
  • Beginner
  • Posts: 37

Post 3+ Months Ago

ATNO/TW wrote:
O4 - HKCU\..\RunOnce: [!SearchquCRHP] C:\Windows\system32\RUNDLL32.EXE C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL,_SetChromeHP http://www.searchnu.com/406, was indeed your problem. It was in a temporary directory and the file no longer exists but the registry setting to look for it did. Setting the registry value to 0 works, but you can also delete the registry key itself.

Most viruses / trojans "hide" in temp directories. If you clear out the files in temp directories, it removes the risk of the trojan, etc. running, but it doesn't remove the registry settings. That's what's happening in your case.

I can't see this instal.dll in its location in the temp folder (C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL),
and when I delete it in regedit it just comes back again. That's why I just changed it to zero.
I tried fixing O4 - HKCU\..\RunOnce: [!SearchquCRHP] C:\Windows\system32\RUNDLL32.EXE in HijackThis, but it still comes back.
I don't know what to delete anymore. Or can I delete all the files in my temp folder?
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

You should be able to safely delete everything in the temp folder.
  • mad_a_22
  • Beginner
  • Posts: 37

Post 3+ Months Ago

ATNO/TW wrote:
O4 - HKCU\..\RunOnce: [!SearchquCRHP] C:\Windows\system32\RUNDLL32.EXE C:\Users\pcuser\AppData\Local\Temp\INSTAL~1.DLL,_SetChromeHP http://www.searchnu.com/406, was indeed your problem. It was in a temporary directory and the file no longer exists but the registry setting to look for it did. Setting the registry value to 0 works, but you can also delete the registry key itself.

Most viruses / trojans "hide" in temp directories. If you clear out the files in temp directories, it removes the risk of the trojan, etc. running, but it doesn't remove the registry settings. That's what's happening in your case.

Well, I deleted the files in the temp folder, then deleted RunOnce > !SearchquCRHP in regedit, but it just comes back. I hate this. I can't delete it. :twisted:
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Have you tried running ComboFix?

http://www.bleepingcomputer.com/combofi ... e-combofix

That usually destroys anything and everything.
  • mad_a_22
  • Beginner
  • Posts: 37

Post 3+ Months Ago

grinch2171 wrote:
Have you tried running ComboFix?

http://www.bleepingcomputer.com/combofi ... e-combofix

That usually destroys anything and everything.

Yes, I tried it many times, but when I restart my computer it comes back again. As advised by the link you gave, I will post the ComboFix log.txt.
Hope you'll find the virus, or whatever it is, that makes it appear again...

Quote:
ComboFix 12-08-30.05 - pcuser 08/31/2012 19:05:05.6.2 - x86
Microsoft Windows 7 Starter 6.1.7601.1.1252.63.1033.18.2047.1318 [GMT 8:00]
Running from: c:\users\pcuser\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\pcuser\AppData\Local\temp\99cab429-f99d-4f69-9d04-113ad532bd0f\CliSecureRT.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-31 )))))))))))))))))))))))))))))))
.
.
2012-08-31 11:10 . 2012-08-31 11:12 -------- d-----w- c:\users\pcuser\AppData\Local\temp
2012-08-31 11:10 . 2012-08-31 11:10 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-31 11:10 . 2012-08-31 11:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-29 05:11 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{30436544-CFBE-4728-82A8-628A60730B78}\mpengine.dll
2012-08-19 11:19 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-19 11:19 . 2012-07-18 17:47 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-19 11:19 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-19 11:19 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-19 11:19 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-19 11:19 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-19 11:18 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
2012-08-03 14:58 . 2012-08-03 14:58 -------- d-----w- C:\_OTL
2012-08-03 14:24 . 2012-08-03 14:24 -------- d-----w- c:\program files\Trend Micro
2012-08-02 05:22 . 2012-08-02 05:22 -------- d-----w- c:\users\pcuser\AppData\Local\FreeFixer
2012-08-02 01:01 . 2012-08-02 01:10 -------- d-----w- c:\users\pcuser\AppData\Roaming\FreeFixer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 10:05 . 2012-02-09 04:30 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-17 09:47 . 2012-07-17 09:46 32796 ----a-w- c:\windows\system32\cc_20120717_174640.reg
2012-06-26 07:02 . 2011-06-30 13:14 330240 ----a-w- c:\windows\MASetupCaller.dll
2012-06-26 07:02 . 2011-06-30 13:14 45320 ----a-w- c:\windows\system32\MAMACExtract.dll
2012-06-06 12:59 . 2012-06-06 12:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-06 05:05 . 2012-07-11 02:55 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-11 02:55 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-11 02:55 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-18 21:41 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-18 21:41 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-18 21:41 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-18 21:41 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-18 21:41 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-18 21:41 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-18 21:41 88576 ----a-w- c:\windows\system32\wudriver.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-07-16 975800]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-07-16 3524536]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-07-16 21432]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-06-13 880496]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^pcuser^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\pcuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-26 23:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-21 17:18 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 06:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 12:17 1174016 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 01:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
"Google Update"="c:\users\pcuser\AppData\Local\Google\Update\GoogleUpdate.exe" /c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" -osboot
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\users\pcuser\Garena Plus\Room\safedrv.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 MP4ConverterAudio;MP4ConverterAudio;c:\windows\system32\drivers\MP4ConverterAudio.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 XDva397;XDva397;c:\windows\system32\XDva397.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-02-25 03:12 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-21 09:11]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-21 09:11]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3420659201-4155659908-755159272-1000Core.job
- c:\users\pcuser\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-12 10:43]
.
2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3420659201-4155659908-755159272-1000UA.job
- c:\users\pcuser\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-12 10:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\taskhost.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-08-31 19:15:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-31 11:15
.
Pre-Run: 155,041,648,640 bytes free
Post-Run: 154,710,786,048 bytes free
.
- - End Of File - - 982F6C5FF4E283723FAD9E4E169032EB

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.