Jump to content

roofcom

Members
 View Profile  See their activity

  • Posts

    8

  • Joined

  • Last visited

Reputation

0 Neutral
  1. roofcom
    DONE!!! Thank you so much for all your help. I will let you know if anything pops up. Already made the PayPal donation a few days ago. As I said before, you ROCK.
  2. roofcom
    I have reset Firefox. Usage has not been extensive but I have not had any re-direct issues since doing the reset. Thanks.
  3. roofcom
    Hi!!! I'm back - sorry to have been gone - end of year stuff taking too much time. I have removed some of the suggested startup items. Thanks. I have also run the ESET online scan. Of the 16 threats found, 14 are related to puppy.exe in an old unneeded backup folder and I can delete this folder w/o any problems. Results are: C:\Qoobox\Quarantine\C\Users\C8PK9R1\AppData\Roaming\pscov.dll.vir a variant of Win32/Medfos.HK trojan C:\Qoobox\Quarantine\C\Users\C8PK9R1\AppData\Roaming\shnsr.dll.vir a variant of Win32/Medfos.HK trojan C:\Users\C8PK9R1\Documents\Nightly backup copies done 9-4-2010\Tuesday\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\1 Monday\Monday Night Backup\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\1 Monday\Monday Night Backup\MF\S\Randy Temp\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\2 Tuesday\Tuesday Night Backup.0\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\2 Tuesday\Tuesday Night Backup.0\MF\S\Randy Temp\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\3 Wednesday\Wednesday Night Backup\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\3 Wednesday\Wednesday Night Backup\MF\S\Randy Temp\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\4 Thursday\Thursday Night Backup\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\4 Thursday\Thursday Night Backup\MF\S\Randy Temp\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\5 Friday\Friday Night Backup\MF\C\Documents and Settings\admin.D22NPQ91\My Documents\Nightly backup copies done 9-4-2010\Tuesday\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\5 Friday\Friday Night Backup\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\5 Friday\Friday Night Backup\MF\S\Randy Temp\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\6 Saturday\Saturday Night Backup\MF\S\Datafiles - Restricted\RANDY\General\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application C:\Users\C8PK9R1\Documents\Temp files\old GenieSoft Backup Manager\6 Saturday\Saturday Night Backup\MF\S\Randy Temp\Puppy.exe a variant of Win32/Joke.ScreenMate.AA application One thing that does seem to be happening is maybe once a day when I Google something and then click on one of the results, I am re-directed to a different site that usually in some way relates to shopping for what I googled. If I close the tab, and re-click on the same link on the original search results page, I am taken to where I want to go. This is certainly not a consistent phenomenom. Again, thanks for your help. Randy
  4. roofcom
    No problems with these procedures. Computer is on a network, and one program in particular is not working right, and other computers are having some printing problems. I hope this is not spreading to those. Log file from MBAM: Malwarebytes Anti-Malware 1.70.0.1100 www.malwarebytes.org Database version: v2012.12.29.01 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 Randy Roof :: C8PK9R1-FL [administrator] 12/28/2012 6:47:05 PM mbam-log-2012-12-28 (18-47-05).txt Scan type: Full scan (C:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 494630 Time elapsed: 1 hour(s), 5 minute(s), 34 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Log file from HiJackThis: Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 8:30:00 PM, on 12/28/2012 Platform: Windows 7 SP1 (WinNT 6.00.3505) MSIE: Internet Explorer v9.00 (9.00.8112.16457) Boot mode: Normal Running processes: C:\Program Files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Users\C8PK9R1\Downloads\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll (file missing) O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" O4 - HKLM\..\Run: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" O4 - HKCU\..\Run: [GBMPro8Agent] C:\Program Files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: QuickBooks_Standard_21.lnk = C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics O18 - Protocol: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing) O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll (file missing) O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: DYMO PnP Service (DymoPnpService) - Sanford, L.P. - C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing) O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe O23 - Service: Intel® Identity Protection Technology Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: QBIDPService (QBVSS) - Unknown owner - C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing) O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe O23 - Service: NTRU TSS v1.2.1.34 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing) O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing) O23 - Service: Icon Time Systems USB/Serial Web Proxy Server (WebProxyService) - Icon Time Systems - C:\Program Files (x86)\Icon Time Systems\Driver CD\ColoradoCommunicationsService.exe O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) -- End of file - 13469 bytes
  5. roofcom
    Problem? running Combofix. I didn't realize MSE was back on. I turned it off between the window that said to turn it off and the window that said combofix would run at my own peril. Actually had to hunt to find MSE - it wasn't showing up in the lower left corner where I always find it. Computer seems to be doing fine as far as I can tell. Log from Combofix is: ComboFix 12-12-28.02 - Randy Roof 12/28/2012 12:34:49.2.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3993.2532 [GMT -6:00] Running from: c:\users\C8PK9R1\Desktop\ComboFix.exe Command switches used :: c:\users\C8PK9R1\Desktop\CFScript.txt AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C} SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 ))))))))))))))))))))))))))))))) . . 2012-12-28 18:38 . 2012-12-28 18:38 -------- d-----w- c:\users\Randy F. Roof DVM\AppData\Local\temp 2012-12-28 18:38 . 2012-12-28 18:38 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp 2012-12-28 18:38 . 2012-12-28 18:38 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-12-28 03:41 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2EAC4406-FDA8-4337-A505-9DA988FF2E78}\mpengine.dll 2012-12-26 20:38 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-12-24 20:58 . 2012-12-24 20:58 -------- d-----w- c:\program files (x86)\Common Files\Java 2012-12-24 20:58 . 2012-12-24 20:58 95184 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll 2012-12-24 20:57 . 2012-12-24 20:57 -------- d-----w- c:\program files (x86)\Java 2012-12-24 20:51 . 2012-12-24 20:51 -------- d-----w- c:\program files\Microsoft Silverlight 2012-12-24 20:51 . 2012-12-24 20:51 -------- d-----w- c:\program files (x86)\Microsoft Silverlight 2012-12-24 20:48 . 2012-12-24 20:48 -------- d-----w- c:\windows\system32\appmgmt 2012-12-24 20:35 . 2012-12-24 20:48 -------- d-----w- c:\programdata\HitmanPro 2012-12-22 01:04 . 2012-12-22 01:04 -------- d-----w- c:\users\C8PK9R1\AppData\Roaming\Malwarebytes 2012-12-22 01:04 . 2012-12-22 01:04 -------- d-----w- c:\programdata\Malwarebytes 2012-12-22 01:04 . 2012-12-22 01:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-12-22 01:04 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-12-22 00:47 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll 2012-12-22 00:47 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll 2012-12-22 00:47 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll 2012-12-22 00:47 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll 2012-12-15 00:15 . 2012-12-15 00:15 -------- d-----w- c:\windows\SysWow64\Antech Requisitions 2012-12-13 20:32 . 2012-12-13 20:32 -------- d-----w- c:\program files (x86)\SystemRequirementsLab 2012-12-13 20:32 . 2012-12-13 20:32 -------- d-----w- c:\users\C8PK9R1\AppData\Roaming\SystemRequirementsLab 2012-12-13 20:31 . 2012-12-13 20:31 -------- d-----w- c:\windows\Sun 2012-12-13 20:30 . 2012-12-24 20:57 859072 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-12-13 20:30 . 2012-12-24 20:57 779704 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-12-13 20:29 . 2012-12-13 20:29 -------- d-----w- c:\programdata\McAfee 2012-12-12 21:51 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll 2012-12-12 00:19 . 2012-12-12 00:19 16363960 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe 2012-12-06 01:41 . 2012-12-06 15:53 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird 2012-12-04 01:47 . 2012-12-04 01:47 45056 ----a-r- c:\users\C8PK9R1\AppData\Roaming\Microsoft\Installer\{4A2AE55C-91C0-48E7-94BC-D13952407687}\NewShortcut1_4A2AE55C91C048E794BCD13952407687.exe 2012-12-04 01:47 . 2012-12-04 01:47 -------- d-----w- c:\program files (x86)\Icon Time Systems 2012-11-29 02:29 . 2012-11-29 02:28 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01CCF63F-C442-4514-8D92-ABA831666866}\gapaengine.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-12-15 00:15 . 2012-12-15 00:15 945 ----a-w- c:\windows\SysWow64\6446.zip 2012-12-12 00:19 . 2012-05-23 17:00 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-12-12 00:19 . 2012-05-23 17:00 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-11-28 21:58 . 2012-07-30 17:36 67413224 ----a-w- c:\windows\system32\MRT.exe 2012-11-10 21:40 . 2012-07-31 19:12 88008 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2012-11-10 21:40 . 2012-07-31 19:12 35240 ----a-w- c:\windows\system32\LMIport.dll 2012-11-10 21:40 . 2012-07-31 19:12 83880 ----a-w- c:\windows\system32\LMIinit.dll 2012-10-16 08:38 . 2012-11-28 09:41 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll 2012-10-16 08:38 . 2012-11-28 09:41 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll 2012-10-16 07:39 . 2012-11-28 09:41 561664 ----a-w- c:\windows\apppatch\AcLayers.dll 2012-10-09 18:17 . 2012-11-15 11:41 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll 2012-10-09 18:17 . 2012-11-15 11:41 226816 ----a-w- c:\windows\system32\dhcpcore6.dll 2012-10-09 17:40 . 2012-11-15 11:41 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll 2012-10-09 17:40 . 2012-11-15 11:41 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll 2012-10-04 16:40 . 2012-12-12 21:51 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2012-10-03 17:56 . 2012-11-15 11:41 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys 2012-10-03 17:44 . 2012-11-15 11:41 70656 ----a-w- c:\windows\system32\nlaapi.dll 2012-10-03 17:44 . 2012-11-15 11:41 303104 ----a-w- c:\windows\system32\nlasvc.dll 2012-10-03 17:44 . 2012-11-15 11:41 246272 ----a-w- c:\windows\system32\netcorehc.dll 2012-10-03 17:44 . 2012-11-15 11:41 18944 ----a-w- c:\windows\system32\netevent.dll 2012-10-03 17:44 . 2012-11-15 11:41 216576 ----a-w- c:\windows\system32\ncsi.dll 2012-10-03 17:42 . 2012-11-15 11:41 569344 ----a-w- c:\windows\system32\iphlpsvc.dll 2012-10-03 16:42 . 2012-11-15 11:41 18944 ----a-w- c:\windows\SysWow64\netevent.dll 2012-10-03 16:42 . 2012-11-15 11:41 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll 2012-10-03 16:42 . 2012-11-15 11:41 156672 ----a-w- c:\windows\SysWow64\ncsi.dll 2012-10-03 16:07 . 2012-11-15 11:41 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys 2012-10-03 02:12 . 2012-10-03 02:13 972192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GBMPro8Agent"="c:\program files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336] "PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-17 50472] "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112] "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544] "Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-10-08 2643320] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008] "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-07-27 36800] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-07-27 823224] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2012-10-15 6153080] QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-10-24 1157008] QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2011\QBW32.EXE [2012-10-24 1179024] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 DymoPnpService;DYMO PnP Service;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [2012-01-30 32336] R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-06-07 191752] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896] R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656] R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-07-31 1255736] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856] S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-05-12 249648] S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-09-28 212944] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-11-10 375728] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2012-06-08 15928] S2 MSSQL$CDRDICOM;SQL Server (CDRDICOM);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408] S2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2010-12-02 1251840] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-01-19 2594584] S2 WebProxyService;Icon Time Systems USB/Serial Web Proxy Server;c:\program files (x86)\Icon Time Systems\Driver CD\ColoradoCommunicationsService.exe [2007-11-20 24464] S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240] . . Contents of the 'Scheduled Tasks' folder . 2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 00:19] . 2012-12-25 c:\windows\Tasks\GBM - 1 Monday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-26 c:\windows\Tasks\GBM - 2 Tuesday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-27 c:\windows\Tasks\GBM - 3 Wednesday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-28 c:\windows\Tasks\GBM - 4 Thursday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-22 c:\windows\Tasks\GBM - 5 Friday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-16 c:\windows\Tasks\GBM - 6 Saturday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-21 17:08] . 2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-21 17:08] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay] @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}" [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}] 2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay] @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}" [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}] 2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-28 167704] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-28 392472] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-28 416024] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704] "DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328] "LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2012-06-08 57928] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://www.google.com/ mLocal Page = c:\windows\SysWOW64\blank.htm IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 192.168.1.1 192.168.1.1 FF - ProfilePath - c:\users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox FF - ExtSQL: 2012-12-27 20:53; {916413cd-c5e2-48b8-a1e5-0388b59ba7f5}; c:\users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\extensions\{916413cd-c5e2-48b8-a1e5-0388b59ba7f5}.xpi . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2012-12-28 12:39:39 ComboFix-quarantined-files.txt 2012-12-28 18:39 ComboFix2.txt 2012-12-28 03:32 . Pre-Run: 114,092,773,376 bytes free Post-Run: 114,033,856,512 bytes free . - - End Of File - - 33C3A855BEF317C9D63C87284CAC9C72
  6. roofcom
    Gringo, No problems running Combofix - here are the results: ComboFix 12-12-27.03 - Randy Roof 12/27/2012 21:20:10.1.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3993.2506 [GMT -6:00] Running from: c:\users\C8PK9R1\Downloads\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C} SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . C:\Images C:\Install.exe c:\users\C8PK9R1\AppData\Local\assembly\tmp c:\users\C8PK9R1\AppData\Local\Microsoft\Windows\Temporary Internet Files\{072B93EC-3938-4F48-AB3D-3695912CB299}.xps c:\users\C8PK9R1\AppData\Local\Microsoft\Windows\Temporary Internet Files\{0F3D6FC0-36AB-4C40-AA31-15961B73C1CD}.xps c:\users\C8PK9R1\AppData\Local\Microsoft\Windows\Temporary Internet Files\{72AE90C8-C424-447C-89DB-40D1A7EFEEAE}.xps c:\users\C8PK9R1\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FFDBABD8-D910-4B27-80A4-1D2620A34D91}.xps c:\users\C8PK9R1\AppData\Roaming\pscov.dll c:\users\C8PK9R1\AppData\Roaming\shnsr.dll c:\windows\SysWow64\.txt . . ((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-28 ))))))))))))))))))))))))))))))) . . 2012-12-28 03:24 . 2012-12-28 03:24 -------- d-----w- c:\users\Randy F. Roof DVM\AppData\Local\temp 2012-12-27 20:39 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6EC51966-8ADA-4E8B-B27B-DA8063514F01}\mpengine.dll 2012-12-26 20:38 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-12-24 20:58 . 2012-12-24 20:58 -------- d-----w- c:\program files (x86)\Common Files\Java 2012-12-24 20:58 . 2012-12-24 20:58 95184 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll 2012-12-24 20:57 . 2012-12-24 20:57 -------- d-----w- c:\program files (x86)\Java 2012-12-24 20:51 . 2012-12-24 20:51 -------- d-----w- c:\program files\Microsoft Silverlight 2012-12-24 20:51 . 2012-12-24 20:51 -------- d-----w- c:\program files (x86)\Microsoft Silverlight 2012-12-24 20:48 . 2012-12-24 20:48 -------- d-----w- c:\windows\system32\appmgmt 2012-12-24 20:35 . 2012-12-24 20:48 -------- d-----w- c:\programdata\HitmanPro 2012-12-22 01:04 . 2012-12-22 01:04 -------- d-----w- c:\users\C8PK9R1\AppData\Roaming\Malwarebytes 2012-12-22 01:04 . 2012-12-22 01:04 -------- d-----w- c:\programdata\Malwarebytes 2012-12-22 01:04 . 2012-12-22 01:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-12-22 01:04 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-12-22 00:47 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll 2012-12-22 00:47 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll 2012-12-22 00:47 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll 2012-12-22 00:47 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll 2012-12-15 00:15 . 2012-12-15 00:15 -------- d-----w- c:\windows\SysWow64\Antech Requisitions 2012-12-13 20:32 . 2012-12-13 20:32 -------- d-----w- c:\program files (x86)\SystemRequirementsLab 2012-12-13 20:32 . 2012-12-13 20:32 -------- d-----w- c:\users\C8PK9R1\AppData\Roaming\SystemRequirementsLab 2012-12-13 20:31 . 2012-12-13 20:31 -------- d-----w- c:\windows\Sun 2012-12-13 20:30 . 2012-12-24 20:57 859072 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-12-13 20:30 . 2012-12-24 20:57 779704 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-12-13 20:29 . 2012-12-13 20:29 -------- d-----w- c:\programdata\McAfee 2012-12-12 21:51 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll 2012-12-12 00:19 . 2012-12-12 00:19 16363960 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe 2012-12-06 01:41 . 2012-12-06 15:53 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird 2012-12-04 01:47 . 2012-12-04 01:47 45056 ----a-r- c:\users\C8PK9R1\AppData\Roaming\Microsoft\Installer\{4A2AE55C-91C0-48E7-94BC-D13952407687}\NewShortcut1_4A2AE55C91C048E794BCD13952407687.exe 2012-12-04 01:47 . 2012-12-04 01:47 -------- d-----w- c:\program files (x86)\Icon Time Systems 2012-11-29 02:29 . 2012-11-29 02:28 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01CCF63F-C442-4514-8D92-ABA831666866}\gapaengine.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-12-15 00:15 . 2012-12-15 00:15 945 ----a-w- c:\windows\SysWow64\6446.zip 2012-12-12 00:19 . 2012-05-23 17:00 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-12-12 00:19 . 2012-05-23 17:00 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-11-28 21:58 . 2012-07-30 17:36 67413224 ----a-w- c:\windows\system32\MRT.exe 2012-11-10 21:40 . 2012-07-31 19:12 88008 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2012-11-10 21:40 . 2012-07-31 19:12 35240 ----a-w- c:\windows\system32\LMIport.dll 2012-11-10 21:40 . 2012-07-31 19:12 83880 ----a-w- c:\windows\system32\LMIinit.dll 2012-10-16 08:38 . 2012-11-28 09:41 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll 2012-10-16 08:38 . 2012-11-28 09:41 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll 2012-10-16 07:39 . 2012-11-28 09:41 561664 ----a-w- c:\windows\apppatch\AcLayers.dll 2012-10-09 18:17 . 2012-11-15 11:41 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll 2012-10-09 18:17 . 2012-11-15 11:41 226816 ----a-w- c:\windows\system32\dhcpcore6.dll 2012-10-09 17:40 . 2012-11-15 11:41 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll 2012-10-09 17:40 . 2012-11-15 11:41 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll 2012-10-04 16:40 . 2012-12-12 21:51 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2012-10-03 17:56 . 2012-11-15 11:41 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys 2012-10-03 17:44 . 2012-11-15 11:41 70656 ----a-w- c:\windows\system32\nlaapi.dll 2012-10-03 17:44 . 2012-11-15 11:41 303104 ----a-w- c:\windows\system32\nlasvc.dll 2012-10-03 17:44 . 2012-11-15 11:41 246272 ----a-w- c:\windows\system32\netcorehc.dll 2012-10-03 17:44 . 2012-11-15 11:41 18944 ----a-w- c:\windows\system32\netevent.dll 2012-10-03 17:44 . 2012-11-15 11:41 216576 ----a-w- c:\windows\system32\ncsi.dll 2012-10-03 17:42 . 2012-11-15 11:41 569344 ----a-w- c:\windows\system32\iphlpsvc.dll 2012-10-03 16:42 . 2012-11-15 11:41 18944 ----a-w- c:\windows\SysWow64\netevent.dll 2012-10-03 16:42 . 2012-11-15 11:41 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll 2012-10-03 16:42 . 2012-11-15 11:41 156672 ----a-w- c:\windows\SysWow64\ncsi.dll 2012-10-03 16:07 . 2012-11-15 11:41 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys 2012-10-03 02:12 . 2012-10-03 02:13 972192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GBMPro8Agent"="c:\program files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336] "PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-17 50472] "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112] "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544] "Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-10-08 2643320] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008] "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-07-27 36800] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-07-27 823224] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2012-10-15 6153080] QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-10-24 1157008] QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2011\QBW32.EXE [2012-10-24 1179024] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 DymoPnpService;DYMO PnP Service;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [2012-01-30 32336] R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-06-07 191752] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-21 168448] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896] R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656] R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-21 22528] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-07-31 1255736] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856] S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-05-12 249648] S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-09-28 212944] S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-11-10 375728] S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2012-06-08 15928] S2 MSSQL$CDRDICOM;SQL Server (CDRDICOM);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408] S2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2010-12-02 1251840] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-01-19 2594584] S2 WebProxyService;Icon Time Systems USB/Serial Web Proxy Server;c:\program files (x86)\Icon Time Systems\Driver CD\ColoradoCommunicationsService.exe [2007-11-20 24464] S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 317440] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2012-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-23 00:19] . 2012-12-25 c:\windows\Tasks\GBM - 1 Monday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-26 c:\windows\Tasks\GBM - 2 Tuesday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-27 c:\windows\Tasks\GBM - 3 Wednesday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-21 c:\windows\Tasks\GBM - 4 Thursday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-22 c:\windows\Tasks\GBM - 5 Friday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-16 c:\windows\Tasks\GBM - 6 Saturday-Full.job - c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2012-08-02 14:11] . 2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-21 17:08] . 2012-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-21 17:08] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay] @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}" [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}] 2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay] @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}" [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}] 2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-28 167704] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-28 392472] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-28 416024] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704] "DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328] "LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2012-06-08 57928] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://www.google.com/ mLocal Page = c:\windows\SysWOW64\blank.htm IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 192.168.1.1 192.168.1.1 FF - ProfilePath - c:\users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox FF - ExtSQL: 2012-12-27 20:53; {916413cd-c5e2-48b8-a1e5-0388b59ba7f5}; c:\users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\extensions\{916413cd-c5e2-48b8-a1e5-0388b59ba7f5}.xpi . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) Wow6432Node-HKLM-Run-DLSService - c:\program files (x86)\DYMO\DYMO Label Software\DLSService.exe Toolbar-Locked - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe . ************************************************************************** . Completion time: 2012-12-27 21:32:27 - machine was rebooted ComboFix-quarantined-files.txt 2012-12-28 03:32 . Pre-Run: 114,485,317,632 bytes free Post-Run: 114,055,290,880 bytes free . - - End Of File - - B2B5CE54EFF3A806DF01DBA49B30E437 I have done some web browsing and opened a couple of programs that were acting goofy, and everything seems to be back to normal. MS Security Essentials is no longer popping up and quarantining anything. You ROCK!!! I will letyou know if anything acts up in the next day or two. Thanks so much for your help.
  7. roofcom
    Thanks for responding so quickly. I have followed your instructions. The results of SecurityCheck are: Results of screen317's Security Check version 0.99.56 Windows 7 Service Pack 1 x64 (UAC is disabled!) Internet Explorer 9 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Microsoft Security Essentials Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.65.1.1000 Java 7 Update 10 Java version out of Date! Adobe Flash Player 11.5.502.135 Mozilla Firefox (17.0.1) Mozilla Thunderbird (17.0.) Google Chrome 21.0.1180.89 Google Chrome 22.0.1229.79 Google Chrome 22.0.1229.92 Google Chrome 22.0.1229.94 Google Chrome 23.0.1271.64 Google Chrome 23.0.1271.91 Google Chrome 23.0.1271.95 Google Chrome 23.0.1271.97 ````````Process Check: objlist.exe by Laurent```````` Microsoft Security Essentials MSMpEng.exe Microsoft Security Essentials msseces.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 0% ````````````````````End of Log`````````````````````` The results of AdwCleaner are: # AdwCleaner v2.103 - Logfile created 12/27/2012 at 20:44:15 # Updated 25/12/2012 by Xplode # Operating system : Windows 7 Professional Service Pack 1 (64 bits) # User : Randy Roof - C8PK9R1-FL # Boot Mode : Normal # Running from : C:\Users\C8PK9R1\Downloads\adwcleaner.exe # Option [Delete] ***** [services] ***** ***** [Files / Folders] ***** File Deleted : C:\Users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\searchplugins\Askcom.xml ***** [Registry] ***** Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E} ***** [internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16457 [OK] Registry is clean. -\\ Mozilla Firefox v17.0.1 (en-US) File : C:\Users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\prefs.js [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\prefs.js [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\prefs.js [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\prefs.js [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Roaming\Mozilla\Firefox\Profiles\so379unj.default\prefs.js [OK] File is clean. -\\ Google Chrome v23.0.1271.97 File : C:\Users\C8PK9R1\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. File : C:\Users\C8PK9R1\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. ************************* AdwCleaner[s1].txt - [1952 octets] - [27/12/2012 20:44:15] ########## EOF - C:\AdwCleaner[s1].txt - [2012 octets] ########## The results of RogueKiller are: RogueKiller V8.4.1 [Dec 27 2012] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : Randy Roof [Admin rights] Mode : Scan -- Date : 12/27/2012 20:55:44 ¤¤¤ Bad processes : 4 ¤¤¤ [DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\C8PK9R1\AppData\Roaming\pscov.dll -> KILLED [TermProc] [DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\C8PK9R1\AppData\Roaming\shnsr.dll -> KILLED [TermProc] [DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\C8PK9R1\AppData\Roaming\pscov.dll -> KILLED [TermProc] [DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\C8PK9R1\AppData\Roaming\shnsr.dll -> KILLED [TermProc] ¤¤¤ Registry Entries : 11 ¤¤¤ [RUN][sUSP PATH] HKCU\[...]\Run : tuwfkqce ("C:\Users\C8PK9R1\AppData\Local\wgrpdsvc.exe") -> FOUND [RUN][sUSP PATH] HKLM\[...]\Run : pscov ("C:\Windows\System32\rundll32.exe" "C:\Users\C8PK9R1\AppData\Roaming\pscov.dll",Proxy_Type) -> FOUND [RUN][sUSP PATH] HKLM\[...]\Run : shnsr ("C:\Windows\System32\rundll32.exe" "C:\Users\C8PK9R1\AppData\Roaming\shnsr.dll",AnyFileExFlags) -> FOUND [RUN][sUSP PATH] HKUS\S-1-5-21-794461432-2167349186-2453485352-1000[...]\Run : tuwfkqce ("C:\Users\C8PK9R1\AppData\Local\wgrpdsvc.exe") -> FOUND [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED] ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST3320413AS ATA Device +++++ --- User --- [MBR] 9761ac08feb2e2482d9e7c28eac483db [bSP] 064ab5eb65afd75a9a780dc5406ed3ea : Windows Vista MBR Code Partition table: 0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 16540 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33955840 | Size: 288664 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive1: HP Photosmart 8100 USB Device +++++ Error reading User MBR! User = LL1 ... OK! Error reading LL2 MBR! Finished : << RKreport[2]_S_12272012_02d2055.txt >> RKreport[1]_S_12242012_02d1422.txt ; RKreport[2]_S_12272012_02d2055.txt Back to you.
  8. roofcom
    I have been unable to remove JS/Medfos.B from my computer. MS Security Essentials keeps quarantining it but has not been able to remove it. I have attached the dds.txt and attach.txt files. Thank you for your assistance. attach.txt dds.txt
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.