nachum
Honorary Members · Posts: 24 · Reputation: 0 Neutral
  1. I solved the firewall issue by deleting the above regedit value; it was enforcing the firewall to be turned off. All's well now. Thank you very much for your assistance!! Nachum
  2. Ran Farbar again; this is the report regarding Windows Firewall (no other findings):

     Firewall Disabled Policy:
     ==================
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
     "EnableFirewall"=DWORD:0

     Any action I should take?
  3. Marius, thank you. I have uninstalled ComboFix and run DelFix (log below). The remaining issue is Windows Firewall - I cannot turn it on. Message center cannot turn it on, and when I try manually and click "use recommended settings" nothing happens and the firewall is not turned on.

     # DelFix v10.4 - Logfile created 21/09/2013 at 08:44:22
     # Updated 19/07/2013 by Xplode
     # Username : Nachum - NACHUM-OFFICE
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)

     ~ Activating UAC ... OK

     ~ Removing disinfection tools ...

     Deleted : C:\FRST
     Deleted : C:\ComboFix.txt
     Deleted : C:\TDSSKiller.2.8.16.0_15.09.2013_22.18.57_log.txt
     Deleted : C:\Users\Nachum\Desktop\adwcleaner.exe
     Deleted : C:\Users\Nachum\Desktop\aswmbr.exe
     Deleted : C:\Users\Nachum\Desktop\aswMBR.txt
     Deleted : C:\Users\Nachum\Desktop\FSS.exe
     Deleted : C:\Users\Nachum\Desktop\FSS.txt
     Deleted : C:\Users\Nachum\Desktop\Log_combifix_script.txt
     Deleted : C:\Users\Nachum\Desktop\MBR.dat
     Deleted : C:\Users\Nachum\Desktop\SecurityCheck.exe
     Deleted : HKLM\SOFTWARE\AdwCleaner
     Deleted : HKLM\SOFTWARE\Swearware
     Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

     ~ Creating registry backup ... OK

     ~ Cleaning system restore ...

     Deleted : RP #20 [ComboFix created restore point | 09/21/2013 12:40:35]

     New restore point created !

     ~ Resetting system settings ... OK

     ########## - EOF - ##########
  4. Here are the results of the AdwCleaner, Security Check and Farbar. In addition I have decided to do a clean Windows 7 install on my wife's laptop - can you please send me instructions for a full format during installation from a Win 7 DVD?

     # AdwCleaner v3.004 - Report created 20/09/2013 at 10:26:55
     # Updated 15/09/2013 by Xplode
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
     # Username : Nachum - NACHUM-OFFICE
     # Running from : C:\Users\Nachum\Desktop\adwcleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     ***** [ Browsers ] *****

     -\\ Internet Explorer v10.0.9200.16686

     -\\ Mozilla Firefox v23.0.1 (en-US)

     [ File : C:\Users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\prefs.js ]

     *************************

     AdwCleaner[R0].txt - [781 octets] - [20/09/2013 10:26:11]
     AdwCleaner[s0].txt - [703 octets] - [20/09/2013 10:26:55]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [762 octets] ##########

     Results of screen317's Security Check version 0.99.73
     Windows 7 Service Pack 1 x64 (UAC is disabled!)
     Internet Explorer 10
     ``````````````Antivirus/Firewall Check:``````````````
     Webroot SecureAnywhere Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     Adobe Flash Player 11.8.800.168
     Mozilla Firefox (23.0.1)
     Mozilla Thunderbird (17.0.8)
     ````````Process Check: objlist.exe by Laurent````````
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbamgui.exe
     Malwarebytes' Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 1%
     ````````````````````End of Log``````````````````````

     Farbar Service Scanner Version: 13-09-2013
     Ran by Nachum (administrator) on 20-09-2013 at 10:33:13
     Running from "C:\Users\Nachum\Desktop"
     Microsoft Windows 7 Professional Service Pack 1 (X64)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Google.com is accessible.
     Yahoo.com is accessible.

     Windows Firewall:
     =============
     MpsSvc Service is not running. Checking service configuration:
     The start type of MpsSvc service is OK.
     The ImagePath of MpsSvc service is OK.
     The ServiceDll of MpsSvc service is OK.

     Firewall Disabled Policy:
     ==================
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
     "EnableFirewall"=DWORD:0

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Action Center:
     ============

     Windows Update:
     ============

     Windows Autoupdate Disabled Policy:
     ============================

     Windows Defender:
     ==============

     Other Services:
     ==============

     File Check:
     ========
     C:\Windows\System32\nsisvc.dll => MD5 is legit
     C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
     C:\Windows\System32\dhcpcore.dll => MD5 is legit
     C:\Windows\System32\drivers\afd.sys => MD5 is legit
     C:\Windows\System32\drivers\tdx.sys => MD5 is legit
     C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
     C:\Windows\System32\dnsrslvr.dll => MD5 is legit
     C:\Windows\System32\mpssvc.dll => MD5 is legit
     C:\Windows\System32\bfe.dll => MD5 is legit
     C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
     C:\Windows\System32\SDRSVC.dll => MD5 is legit
     C:\Windows\System32\vssvc.exe => MD5 is legit
     C:\Windows\System32\wscsvc.dll => MD5 is legit
     C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
     C:\Windows\System32\wuaueng.dll => MD5 is legit
     C:\Windows\System32\qmgr.dll => MD5 is legit
     C:\Windows\System32\es.dll => MD5 is legit
     C:\Windows\System32\cryptsvc.dll => MD5 is legit
     C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\rpcss.dll => MD5 is legit

     **** End of log ****
  5. Here are the results of the latest ESET scan:

     C:\Qoobox\Quarantine\H\2c2c\g3d9f.js.vir JS/Kryptik.AKG trojan
     C:\Qoobox\Quarantine\H\2c2c\i31313.js.vir JS/Kryptik.AKG trojan
     C:\Qoobox\Quarantine\I\2c2c\g3d9f.js.vir JS/Kryptik.AKG trojan
     C:\Qoobox\Quarantine\I\2c2c\i31313.js.vir JS/Kryptik.AKG trojan
     C:\Qoobox\Quarantine\J\Install_files\epm.exe.vir Win32/OpenCandy application
  6. Just to let you know, ESET is still scanning but has already found 4 instances of JS/Kryptik.AKG.trojan on the C drive, and also 1 of Win32/OpenCandy application
  7. Forgot the ESET scan, will post as soon as ready
  8. MBAM found no malicious items (see below). One remaining issue is that I cannot turn Windows Firewall on; I need to go to "manual", and when I click "recommended settings" nothing happens. I have also activated the MBAM Pro version. In addition my wife's laptop is infected, same symptoms as I had (we shared one of the external hard drives). Do you want to have a go at it? If so, where should I start (KAV rescue disk?)? Alternatively, will a clean Windows install be effective?

     Malwarebytes Anti-Malware (Trial) 1.75.0.1300
     www.malwarebytes.org

     Database version: v2013.09.19.03

     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 10.0.9200.16686
     Nachum :: NACHUM-OFFICE [administrator]

     Protection: Enabled

     9/19/2013 7:32:23 AM
     mbam-log-2013-09-19 (07-32-23).txt

     Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 2163977
     Time elapsed: 3 hour(s), 12 minute(s), 2 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  9. Here is the ComboFix with script log:

     ComboFix 13-09-17.01 - Nachum 09/18/2013 8:19.5.4 - x64
     Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.5887 [GMT -4:00]
     Running from: c:\users\Nachum\Desktop\nk.exe
     Command switches used :: c:\users\Nachum\Desktop\CFScript.txt
     AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
     SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
     SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
     SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     * Created a new restore point
     .
     FILE ::
     "h:\2c2c\g3d9f.js"
     "h:\2c2c\i31313.js"
     "i:\2c2c\g3d9f.js"
     "i:\2c2c\i31313.js"
     "j:\install_files\epm.exe"
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     h:\2c2c\g3d9f.js
     h:\2c2c\i31313.js
     i:\2c2c\g3d9f.js
     i:\2c2c\i31313.js
     j:\install_files\epm.exe
     .
     .
     ((((((((((((((((((((((((( Files Created from 2013-08-18 to 2013-09-18 )))))))))))))))))))))))))))))))
     .
     .
     2013-09-18 12:24 . 2013-09-18 12:24 -------- d-----w- c:\users\Default\AppData\Local\temp
     2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST
     2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
     2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
     2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore
     2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET
     2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
     2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
     2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
     2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes
     2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
     2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
     2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
     2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo
     2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo
     2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations
     2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA
     2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
     2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA
     2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
     2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS
     2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
     2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
     2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd
     2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7
     2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
     2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe
     2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe
     2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys
     2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll
     2013-09-05 14:47 . 2013-09-17 20:42 -------- d-----w- C:\Temp
     2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0
     2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
     2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype
     2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype
     2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype
     2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip
     2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI
     2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI
     2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE
     2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE
     2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt
     2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
     2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer
     2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
     2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software
     2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad
     2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft
     2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft
     2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll
     2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet
     2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
     2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe
     2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG
     2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
     2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool
     2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP
     2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard
     2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll
     2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll
     2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll
     2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll
     2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll
     2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll
     2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP
     2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP
     2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS
     2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem
     2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight
     2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel
     2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight
     2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW
     2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight
     2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
     2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO
     2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud
     2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS
     2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
     2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther
     2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys
     2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH
     2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office
     2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
     2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help
     2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache
     2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
     2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
     2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed
     2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed
     2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
     2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET
     2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe
     2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll
     2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys
     2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll
     2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot
     2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData
     2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
     2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
     2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat
     2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat
     2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
     2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
     2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
     2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
     2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT
     2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
     2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
     2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
     2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
     2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
     2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
     2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec
     2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
     2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
     2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
     2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys
     2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll
     2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll
     2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
     2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
     2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
     2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
     2013-09-01 17:16 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
     2013-09-01 17:15 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
     2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll
     2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe
     2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe
     2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe
     2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll
     2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl
     2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe
     2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys
     2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL
     2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL
     2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
     "RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
     "Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
     "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
     "WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
     "Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
     "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
     "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
     "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
     "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
     .
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
     HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
     Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
     Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 0 (0x0)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     "PromptOnSecureDesktop"= 0 (0x0)
     "DisableCAD"= 1 (0x1)
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
     "NoAutorun"= 1 (0x1)
     .
     [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
     "LoadAppInit_DLLs"=1 (0x1)
     "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
     .
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
     BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
     .
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
     @=""
     .
     R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
     R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
     R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
     R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
     R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
     R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
     R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
     R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
     R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
     R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
     R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
     R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
     R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
     R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
     R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
     S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
     S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
     S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
     S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
     S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
     S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
     S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
     S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
     S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
     S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
     S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
     S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
     S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
     S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
     S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
     S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
     S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
     S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
     S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
     S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
     S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
     S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
     S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
     S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
     .
     .
     [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2013-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
     .
     .
     --------- X64 Entries -----------
     .
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
     @="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
     [HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
     2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
     @="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
     [HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
     2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
     @="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
     [HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
     2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
     @="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
     [HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
     2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
     @="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
     [HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
     2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
     @="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
     [HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
     2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
     @="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
     [HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
     2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "TpShocks"="TpShocks.exe" [2013-06-20 382248]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
     "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
     "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
     "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
     "AppInit_DLLs"=c:\windows\System32\nvinitx.dll
     .
     ------- Supplementary Scan -------
     .
     uLocal Page = c:\windows\system32\blank.htm
     mLocal Page = c:\windows\SysWOW64\blank.htm
     IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
     IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
     IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
     TCP: DhcpNameServer = 192.168.1.1
     FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\
     FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
     FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
     FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
     FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
     .
     - - - - ORPHANS REMOVED - - - -
     .
     Wow6432Node-HKLM-Run-<NO NAME> - (no file)
     Notify-SDWinLogon - SDWinLogon.dll
     .
     .
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
     @Denied: (A) (Everyone)
     "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
     .
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe c:\windows\SysWOW64\SAsrv.exe c:\progra~1\Lenovo\Zoom\TPSCREX.EXE c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe . ************************************************************************** . Completion time: 2013-09-18 08:30:52 - machine was rebooted ComboFix-quarantined-files.txt 2013-09-18 12:30 ComboFix2.txt 2013-09-17 16:47 ComboFix3.txt 2013-09-17 15:16 ComboFix4.txt 2013-09-16 15:08 ComboFix5.txt 2013-09-18 12:18 . Pre-Run: 98,760,097,792 bytes free Post-Run: 98,659,074,048 bytes free . - - End Of File - - B91DCACBEA7E3186BACBA284F2351FBC
  10. Here are the results: ComboFix: ComboFix 13-09-17.01 - Nachum 09/17/2013 12:09:52.4.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.5737 [GMT -4:00] Running from: c:\users\Nachum\Desktop\nk.exe Command switches used :: c:\users\Nachum\Desktop\CFScript.txt AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401} SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0} SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . C:\2d9 c:\2d9\2828 c:\2d9\2c2c2 c:\2d9\3082 c:\2d9\3b873 c:\2d9\3b97 c:\program files\338 . . ((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 ))))))))))))))))))))))))))))))) . . 2013-09-17 16:14 . 2013-09-17 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST 2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware 2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore 2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET 2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy 2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe 2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2 2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes 2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2013-09-16 00:06 . 
2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS 2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys 2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft 2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd 2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7 2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers 2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe 2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe 2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys 2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll 2013-09-05 14:47 . 2013-09-17 09:59 -------- d-----w- C:\Temp 2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0 2013-09-03 19:52 . 
2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype 2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE 2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt 2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird 2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer 2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll 2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software 2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft 2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll 2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet 2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared 2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe 2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG 2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll 2013-09-02 19:24 . 
2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard 2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll 2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll 2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll 2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll 2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll 2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP 2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS 2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel 2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight 2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard 2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO 2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud 2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS 2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help 2013-09-01 19:50 . 
2013-09-01 16:04 -------- d-----w- c:\windows\Panther 2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys 2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services 2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help 2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache 2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed 2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service 2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET 2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe 2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys 2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot 2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData 2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll 2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll 2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat 2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat 2013-09-01 17:42 . 
2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys 2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys 2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui 2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll 2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT 2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll 2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys 2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll 2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll 2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec 2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll 2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll 2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys 2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll 2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll 2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll 2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll 2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll 2013-09-01 17:16 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll 2013-09-01 17:15 . 
2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe 2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe 2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe 2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe 2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll 2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl 2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe 2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys 2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL 2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL 2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808] "Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712] "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048] "WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760] "Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168] "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576] "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328] Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040] Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "DisableCAD"= 1 (0x1) . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoAutorun"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x] R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x] R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - 
Search & Destroy 2\SDWSCSvc.exe [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x] S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x] S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x] S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x] S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x] S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x] S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x] S2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files 
(x86)\Pharsight\Phoenix\application\jps.exe [x] S2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x] S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x] S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x] S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x] S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x] S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x] S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x] S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x] S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x] S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x] S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller 
Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x] S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2013-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk] @="{3A87EE91-AED7-46E9-B8A3-5360628BA718}" [HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending] @="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}" [HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError] @="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}" [HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl] @="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}" [HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen] @="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}" [HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed] @="{1914B27A-33C8-46F8-A1C2-F993268D4564}" [HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow] @="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}" [HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TpShocks"="TpShocks.exe" [2013-06-20 382248] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024] "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056] "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032] "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\windows\System32\nvinitx.dll . ------- Supplementary Scan ------- . 
uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 192.168.1.1 FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\ FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKLM-Run-<NO NAME> - (no file) Notify-SDWinLogon - SDWinLogon.dll . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe c:\windows\SysWOW64\SAsrv.exe c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe c:\progra~1\Lenovo\Zoom\TPSCREX.EXE c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe . ************************************************************************** . Completion time: 2013-09-17 12:47:02 - machine was rebooted ComboFix-quarantined-files.txt 2013-09-17 16:47 ComboFix2.txt 2013-09-17 15:16 ComboFix3.txt 2013-09-16 15:08 ComboFix4.txt 2013-09-16 14:41 . Pre-Run: 98,892,083,200 bytes free Post-Run: 98,833,932,288 bytes free . 
- - End Of File - - 6D37093ECF421444409600BB70FA507C MBAM: Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Database version: v2013.09.17.08 Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking) Internet Explorer 10.0.9200.16686 Nachum :: NACHUM-OFFICE [administrator] 9/17/2013 1:03:03 PM MBAM-log-2013-09-17 (16-38-02).txt Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 2162436 Time elapsed: 3 hour(s), 20 minute(s), 2 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 1 HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken. Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) ESET: H:\2c2c\g3d9f.js JS/Kryptik.AKG trojan H:\2c2c\i31313.js JS/Kryptik.AKG trojan I:\2c2c\g3d9f.js JS/Kryptik.AKG trojan I:\2c2c\i31313.js JS/Kryptik.AKG trojan J:\Install_files\epm.exe Win32/OpenCandy application
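The ComboFix output in this post carries several items worth reading beyond the malware hits: the UAC policy block (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0), the AppInit_DLLs entries under both the native and Wow6432Node keys, the BootExecute multi-string with an extra image after the default autochk entry, and, in the earlier ComboFix run further down the thread, autorun.inf files deleted from removable drives. As an added example (not code from this thread, from ComboFix, or from Malwarebytes), here is a small Python parser that reads a ComboFix-style log and flags exactly those items so a responder can re-check them after cleanup. The log text inside it is a constructed sample in the same layout, not the posted log; the registry paths it matches on and the "default" values it compares against are assumptions drawn from the posted output and the author's understanding of Windows 7 defaults.

```python
import re

# Constructed sample in the layout of a ComboFix log ("((( Section )))" headers,
# "[key]" lines, "Name"= value lines). It is NOT the log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\autorun.inf
H:\Autorun.inf
I:\install.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)(?:\s*\(0x[0-9a-fA-F]+\))?$')
MULTI_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)

# Registry paths as ComboFix prints them, lower-cased (assumed stable across versions).
POLICY_SYSTEM = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
APPINIT_KEYS = (
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows",
    r"hkey_local_machine\software\wow6432node\microsoft\windows nt\currentversion\windows",
)
SESSION_MANAGER = r"hkey_local_machine\system\currentcontrolset\control\session manager"
DEFAULT_BOOTEXECUTE = "autocheck autochk *"  # assumed Windows default


def parse_combofix(text):
    """Return (deleted_paths, registry): 'Other Deletions' as a list and
    'Reg Loading Points' as key -> {value_name: value}; other lines are ignored."""
    deleted, registry = [], {}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            registry.setdefault(key, {})
            continue
        if section == "Other Deletions":
            deleted.append(line)
        elif key is not None:
            m = VALUE_RE.match(line) or MULTI_RE.match(line)
            if m:
                registry[key][m.group(1)] = m.group(2).strip()
    return deleted, registry


def audit(text):
    """Flag weakened-policy and persistence items to re-check after cleanup."""
    deleted, registry = parse_combofix(text)
    findings = []
    # autorun.inf removed from a non-system drive: every such drive needs scanning too.
    for path in deleted:
        if AUTORUN_RE.match(path):
            findings.append(f"autorun.inf removed from drive {path[0].upper()}:")
    # UAC: EnableLUA=0 turns it off; the prompt values weaken it even when it is on.
    uac = registry.get(POLICY_SYSTEM, {})
    if uac.get("EnableLUA") == "0":
        findings.append("UAC disabled (EnableLUA=0)")
    if uac.get("ConsentPromptBehaviorAdmin") == "0":
        findings.append("admins elevate silently (ConsentPromptBehaviorAdmin=0)")
    if uac.get("PromptOnSecureDesktop") == "0":
        findings.append("UAC prompts off the secure desktop (PromptOnSecureDesktop=0)")
    # AppInit_DLLs loads into every process mapping user32.dll while LoadAppInit_DLLs=1;
    # ComboFix omits default-valued entries, so an absent flag is reported, not assumed off.
    for key in APPINIT_KEYS:
        vals = registry.get(key, {})
        dlls, load = vals.get("AppInit_DLLs", ""), vals.get("LoadAppInit_DLLs", "not shown")
        if dlls and load != "0":
            findings.append(f"AppInit_DLLs set: {dlls} (LoadAppInit_DLLs={load})")
    # BootExecute runs before the session manager finishes booting; anything beyond
    # the default entry is a persistence slot to verify (here Spybot's cleaner).
    boot = registry.get(SESSION_MANAGER, {}).get("BootExecute", "")
    extra = [p for p in boot.split(r"\0") if p and p != DEFAULT_BOOTEXECUTE]
    if extra:
        findings.append("extra BootExecute entries: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOG)))
```

Run against the sample it reports seven findings: two autorun.inf drives, three UAC policy values, the Wow6432Node AppInit_DLLs entry, and sdnclean64.exe in BootExecute. In this thread every hit has a benign explanation (nvinit.dll is NVIDIA's, sdnclean64.exe is Spybot's, and DelFix later turned UAC back on), which is the point: these are review items, not automatic removals, and the x64 AppInit_DLLs entry in the posted log has no LoadAppInit_DLLs line at all, which the check reports as "not shown" rather than guessing.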
  11. Thanks! Will do, currently in the middle of the MBAM scan, will have all the logs for you tomorrow morning (my time).
  12. Sorry, the ESET Cyber Security is for Mac, I'll download NOD32 antivirus
  13. Will do. I don't have ESET, which version should I download, the cyber security pro free trial?
  14. Combifix done, it gave a message that Webroot secure anyware was active even though i had disabled the protection. Here is the log: ComboFix 13-09-14.01 - Nachum 09/17/2013 11:10:51.3.4 - x64 MINIMAL Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6715 [GMT -4:00] Running from: c:\users\Nachum\Desktop\nk.exe AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401} SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0} SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . E:\autorun.inf H:\Autorun.inf I:\install.exe . . ((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 ))))))))))))))))))))))))))))))) . . 2013-09-17 15:15 . 2013-09-17 15:15 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-09-16 15:01 . 2013-09-17 10:33 -------- d-sh--w- c:\program files\338 2013-09-16 15:01 . 2013-09-16 15:06 -------- d-----w- C:\2d9 2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST 2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware 2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore 2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET 2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy 2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe 2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2 2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes 2013-09-16 00:06 . 
2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS 2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys 2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft 2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd 2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7 2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers 2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe 2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe 2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys 2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll 2013-09-05 14:47 . 2013-09-17 09:59 -------- d-----w- C:\Temp 2013-09-03 19:52 . 
2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0 2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype 2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE 2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt 2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird 2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer 2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll 2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software 2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft 2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll 2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet 2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared 2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe 2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG 2013-09-02 19:25 . 
2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll 2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard 2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll 2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll 2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll 2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll 2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll 2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP 2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS 2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel 2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight 2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard 2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO 2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud 2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS 2013-09-01 19:55 . 
2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help 2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther 2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys 2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services 2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help 2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache 2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed 2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service 2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET 2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe 2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys 2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot 2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData 2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll 2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll 2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat 2013-09-01 17:59 . 
2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat 2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys 2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys 2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui 2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll 2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT 2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll 2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys 2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll 2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll 2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec 2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll 2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll 2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys 2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll 2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll 2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll 2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll 2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll . . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe 2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe 2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe 2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe 2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll 2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl 2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe 2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys 2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL 2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL 2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808] "Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712] "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048] "WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760] "Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168] "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576] "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] "1"="c:\program files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" [2013-04-04 218184] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328] Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040] Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoAutorun"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x] R1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x] R2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x] R2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local 
Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x] R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x] R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x] R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x] R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x] R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x] R2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x] R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x] R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x] R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x] R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x] R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x] R2 
ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x] R3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x] R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x] R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x] S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x] S2 !SASCORE;SAS Core Service;c:\program 
files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x] S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk] @="{3A87EE91-AED7-46E9-B8A3-5360628BA718}" [HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending] @="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}" [HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError] @="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}" [HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl] @="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}" [HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen] @="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}" [HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed] @="{1914B27A-33C8-46F8-A1C2-F993268D4564}" [HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow] @="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}" [HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TpShocks"="TpShocks.exe" [2013-06-20 382248] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024] "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056] "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032] "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\windows\System32\nvinitx.dll . ------- Supplementary Scan ------- . 
uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 192.168.1.1 FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\ FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKLM-Run-<NO NAME> - (no file) Notify-SDWinLogon - SDWinLogon.dll . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2013-09-17 11:16:36 ComboFix-quarantined-files.txt 2013-09-17 15:16 ComboFix2.txt 2013-09-16 15:08 ComboFix3.txt 2013-09-16 14:41 . Pre-Run: 98,988,253,184 bytes free Post-Run: 98,821,361,664 bytes free . - - End Of File - - 0F911C090FA6D98D593056DD53D4A03E
  15. Quarantine successful except for one file: Trojan program Trojan.win E:/autorun.inf (not found). Should I scan the external E drive again?